I talked a couple of weeks ago about the importance of always upgrading your WordPress install, as old WordPress installations are often vulnerable. One thing I don’t think people realize is that a hacker can easily find vulnerable WordPress blogs because most standard WordPress themes will actually tell them what version you are using.
If you open up the header.php file of your theme, you should notice some code that looks something like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats -->
In order to protect your WordPress installation, I recommend people completely remove this code from their header.php file for all of their WordPress blogs.
Now, this obviously isn’t going to make your WordPress blog hack-proof, but what it will do is make it so hackers can’t easily locate your blog if it is using a vulnerable WordPress installation.
Update: Thanks to a tip from Leland, it looks like WordPress 2.5+ now generates the meta tag anyway via the wp_head hook, which is something you can’t remove from the theme’s header.php. With that said, if you care about your security, you can still remove the meta generator. It looks like Ian of ThemeShaper has provided a couple of methods, including a WordPress plugin, to remove the meta generator information from your WordPress blog.
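As an added self-check for a blog you administer (example code written for this page, not from the post, from ThemeShaper or from WordPress itself), the following Python script parses a page and reports every WordPress version that a generator meta tag discloses, including the duplicate tag you get when the theme header still carries it on top of the one wp_head emits. The sample pages are constructed and the helper name audit_url is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.request import urlopen

# Matches the version in e.g. content="WordPress 2.6"; a placeholder such as
# "WordPress (version removed for security)" does not match.
WP_VERSION_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)

class GeneratorTagFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <meta ... /> tags through here too.
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))

def disclosed_wordpress_versions(html):
    """One entry per generator tag that names a version, so a theme header
    that still carries the tag on top of the one wp_head() emits shows up
    as a duplicate."""
    finder = GeneratorTagFinder()
    finder.feed(html)
    finder.close()
    versions = []
    for content in finder.generators:
        match = WP_VERSION_RE.search(content)
        if match:
            versions.append(match.group(1))
    return versions

def audit_url(url):
    """Fetch a page of a blog you administer and return what it discloses."""
    with urlopen(url) as resp:
        return disclosed_wordpress_versions(resp.read().decode("utf-8", "replace"))

# Constructed sample pages (not captured from any real site).
LEAKING_PAGE = ('<html><head><meta name="generator" content="WordPress 2.6" />'
                '<!-- leave this for stats --><meta name="generator" '
                'content="WordPress 2.6" /></head><body>hi</body></html>')
MASKED_PAGE = ('<html><head><meta name="generator" '
               'content="WordPress (version removed for security)" /></head></html>')
CLEAN_PAGE = "<html><head><title>blog</title></head><body>hi</body></html>"
```

An empty list means no generator tag on that page names a version; two identical entries mean the theme header still duplicates the tag WordPress adds itself.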



Friday, July 25th, 2008 at 3:15 am
But then again... if someone really wanted to hack your WordPress site, they could easily figure out through other investigative ways that you run a WordPress site, couldn’t they?
Friday, July 25th, 2008 at 3:18 am
The point is that they won’t know what version you are running and so they have a harder time trying out known exploits for that version.
Friday, July 25th, 2008 at 3:27 am
I know, but all I am saying is, if a real hacker wanted to, he could... regardless. Either way, the best solution to me is to still try and update ASAP!
Friday, July 25th, 2008 at 4:33 am
I did both: Updated WP and removed the code. Thanks for the tip, I found it useful.
Friday, July 25th, 2008 at 7:27 am
Very useful tip thank you
Friday, July 25th, 2008 at 8:04 am
Short separation examples:
WP 2.3.3 and less -> missing HTTP header field X-Pingback
WP 2.5.x -> request files from wp-include/text directly return status 404
WP 2.6 -> request files from wp-include/text directly return status 200
I think cloaking the version is useless, because those outside who want to know your version have all the time they need to figure out a better separation strategy, as shown above. So the version can always be detected somehow.
Friday, July 25th, 2008 at 8:09 am
Useful tip Kyle, but it doesn’t look like you follow your own advice. A look at your page source shows that code is still in place. How come?
Friday, July 25th, 2008 at 8:26 am
I believe ever since WordPress 2.5, it automatically added the code to the header via the wp_head() hook. So you may even have the “generator” code twice if you don’t remove this code from your theme. Some more tips I found are here.
Friday, July 25th, 2008 at 8:42 am
As I emphasized in the above post, this isn’t going to prevent your site from being hacked. What it was intended to do was make it so people couldn’t easily figure out which version of WordPress you are using. These are not hackers that target your blog, instead they search for blogs using X version of WordPress (that they know how to exploit) and then go hack them. This is what happened on my original blog and I was lucky the attacker only did so to remind me to upgrade, rather than having a malicious intent. Not everyone is so “lucky.”
@ Frank - I have double checked my header.php file and the code is not there. See Leland’s comment below yours. It may be that WordPress now adds it anyway via the wp_head hook.
I know WordPress likes getting the information so they can see how many sites are using each version of WordPress. I guess this enforces the importance of always having an upgraded WordPress installation.
Friday, July 25th, 2008 at 10:37 am
This suggestion is not helpful. There are two main problems with it: one, it assumes that there aren’t other ways to determine (or at least narrow down) which version of WordPress you are using. Two, it assumes that folks attacking blogs actually care what version of WordPress you’re running. The second one is the biggie: there are so many automated bots and attack scripts out there that will attempt various attacks, no matter what version of WordPress you are running.
Since there is virtually no cost for them to try the attack anyway, they don’t bother to find out what version of WordPress you are running. Hence you’re suggesting removing something that is not usually checked for anyway.
Friday, July 25th, 2008 at 2:39 pm
@ Joseph - I appreciate your well written response, but I disagree. I’m not sure if people are misunderstanding, and maybe that is my fault for not explaining it properly in the post.
If there is a vulnerability discovered in WordPress 2.3.1 (for example) to discover someones password, which is later fixed in WordPress 2.3.2+, then someone who is looking for password information can search for WordPress 2.3.1, WordPress 2.3.0, etc. and grab these passwords.
Of course these hacks are not targeting someone specifically, but having this information available on your blog could be a problem, which is why I suggested people remove it. It isn’t needed for anything so there is no harm in removing it.
Joseph - Both of your “problems” with my logic are based upon someone targeting a specific blog. That was not the intent. This post was written regarding random attacks on blogs based upon their WordPress version, where hackers only find your site because it shows up in a search as using an old version of WordPress.
There is no way to 100% prevent your WordPress blog from being hacked unfortunately, especially when someone is specifically targeting you instead of running across you randomly. However, the WordPress team does a great job of minimizing these risks and fixing them right away when they are discovered. This is why it is important for someone to always upgrade their blogs, even if that means upgrading 70+ WordPress installations, like I do each time there is a release.
Friday, July 25th, 2008 at 3:12 pm
From what I’ve seen, attackers don’t “search for WordPress 2.3.1”, they simply attack the blog. Doesn’t matter what the version number is. I see old attacks launched against blogs running the current version of WordPress all the time.
I do agree that the best thing to do is keep your install up to date. I highly recommend checking it out from the Subversion repository, makes updates very easy.
Friday, July 25th, 2008 at 3:33 pm
Just adding <?php remove_action('wp_head', 'wp_generator'); ?> to your functions.php should do the trick.
Friday, July 25th, 2008 at 3:47 pm
Actually, this is how my first blog was hacked. Someone found my original blog in a search for WordPress 2.0.7 (if I remember correctly). I believe the WordPress 2.1 branch was already out and I hadn’t upgraded yet. After hacking my blog, he contacted me and let me know that was how he found it and said simply upgrading WordPress would prevent others who had malicious intent from doing the same thing. That is how I know it does happen. Unfortunately, my personal experience proves it.
After that happened, I researched the issue and found the fix I wrote about above. As others have mentioned above, there are other methods as well.
@ Abhijeet - Thanks for the tip. I think that is one of the methods mentioned in Ian’s post I linked to above.
Sunday, July 27th, 2008 at 4:39 pm
I disagree. The problem with people hacking WP installs isn’t because of an obvious version number (which is more than often replicated in the footer of many free themes as well).
The problem is people never upgrading their WP installation. Quite frankly, this is the kind of useless tip that gives homage to the enemy. If we really want to make the world safe from hackers, we ought to send messages to those running old versions of WordPress harassing them into upgrading. And while that wouldn’t do any less to keep hackers at bay than removing the version meta data as suggested here, we at least would be occasionally accomplishing something, rather than giving people the false confidence that their outdated installation is now “secure” by deleting a line of code in header.php. A few extra minutes should be devoted to upgrading.
Having said that, the real problem is that although cPanel and other self-installing scripts push the latest version of WP pretty quickly, Automattic needs to find a way to cooperate with the major U.S. hosting services to force them to force their customers to upgrade. In other words, cPanel ought to also “lock” (flat-file) a WP-install once Automattic determines it is inherently unsafe to use anymore. Thus, their blog would still be up (as flat HTML files), but the Admin panel would be inaccessible and replaced with an admonition that an upgrade to version X.X is required to use WordPress.
It would be in Hosts best interest to do this. Although people will scream bloody murder (because they are lazy self-absorbed idiots who think the open-source world owes them a living), they will scream a lot louder once they get hacked, particularly if they lose data, and nagging at their host to fix all their problems. Better the first option than the second - plus the first option deters and deflates the egos of script-kiddies, a plus in my book. Also, the whining anti-upgrade crowd won’t be able to blog about it, at least not until they upgrade, so the noise level will be relatively diminished.
Sunday, February 15th, 2009 at 2:25 am
Do not remove your wp_head action!
Yes, the latest versions of WordPress do add the version to the page via the wp_head call in numerous locations, but this makes it easy to remove the version. Look in wp-includes/version.php and change the version number there, and it will propagate throughout the system because all calls to bloginfo('version') read from this string in this file.
I change mine to:
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '(version removed for security)';
Thursday, May 21st, 2009 at 7:02 pm
Well, I’ve tried all the above methods for removing traces of my WordPress version from public viewing and none have worked.
I used a Firefox plugin for website info which leads to http://www.wmtips.com/tools/info/ and they still have my current WordPress version listed under “generator.”
I removed the generator/generated string from my theme header, removed WordPress from my footer, protected my version.php, tried
adding to functions.php
and
@global string $wp_version
*/
$wp_version = '(version removed for security)';
Yet the above website still displays my current WordPress version.
Friday, May 22nd, 2009 at 9:04 am
@ Lea - This changed after this post was published with a later release of WordPress. See the above comments for an explanation!
WordPress Hacks Copyright © 2007-2009 | An Apricot Media Website
Template by StudioPress | Custom Design by Kyle Eslick and Blog Design Studio