Hiding WordPress version has no future
Yesterday I came across this “Replace WP-Version” WordPress plugin (English translation), which tries to mangle or simply hide the WordPress version declaration in feeds and web pages.
For example, HTML like this is usually found in a blog's header:
<meta name="generator" content="WordPress 2.6.5" />
Broadcasting the version is generally believed to be a weak point in blog security, since it lets attackers easily determine which blogs are exploitable; hence the existence of such plugins. It reminds me of a plugin I wrote for myself before for a similar purpose. But on second thought, I didn't publish or advertise it. Why?
Version can be determined through other means
Since recent WordPress releases (not very recent though), WordPress also emits versions in JavaScript links. Take my own blog for example:
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/prototype.js?ver=1.6'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/scriptaculous/wp-scriptaculous.js?ver=1.8.0'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/scriptaculous/effects.js?ver=1.8.0'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/jquery/jquery.js?ver=1.2.6'></script>
With this JavaScript versioning, the WordPress version can be determined approximately, because each WordPress release bundles specific versions of these libraries. Even worse, these declarations can't be disabled. That means merely hiding the WordPress version is no longer effective, regardless of other reasons.
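As an added example that is not part of the original post, the following Python script audits a page for both disclosure channels described above (the generator meta tag and the ?ver= query strings on core wp-includes scripts), so a site owner can see what a version-hiding plugin actually leaves exposed; the sample page is constructed from the snippets quoted in the post.

```python
# Added example (not from the original post): audit an HTML page for the
# two WordPress version disclosures the post describes: the generator
# <meta> tag and the ?ver= query strings on bundled wp-includes scripts.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _VersionLeakParser(HTMLParser):
    """Collect the generator meta tag and versioned wp-includes script URLs."""

    def __init__(self):
        super().__init__()
        self.generator = None      # content of <meta name="generator">
        self.script_versions = {}  # path under wp-includes -> ?ver= value

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when no value is given
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "script" and a.get("src"):
            url = urlparse(a["src"])
            ver = parse_qs(url.query).get("ver")
            # Only scripts bundled with core reveal the WordPress release;
            # third-party scripts with their own ?ver= are ignored.
            if ver and "/wp-includes/" in url.path:
                path = url.path.split("/wp-includes/", 1)[1]
                self.script_versions[path] = ver[0]


def find_version_leaks(html):
    """Return {'generator': str | None, 'scripts': {path: ver}} for one page."""
    p = _VersionLeakParser()
    p.feed(html)
    return {"generator": p.generator, "scripts": p.script_versions}


# Constructed sample page built from the snippets quoted in the post,
# plus one non-core script that must not be reported.
SAMPLE_PAGE = """
<html><head>
<meta name="generator" content="WordPress 2.6.5" />
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/prototype.js?ver=1.6'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/jquery/jquery.js?ver=1.2.6'></script>
<script type='text/javascript' src='http://example.invalid/cdn/tracker.js?ver=9.9'></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    leaks = find_version_leaks(SAMPLE_PAGE)
    print("generator tag:", leaks["generator"])
    for path, ver in leaks["scripts"].items():
        print(f"wp-includes/{path} -> ver={ver}")
```

Running it against a page saved from your own blog shows that removing the generator tag alone still leaves the bundled library versions visible.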
Exploits are generic enough to ignore any versioning
While WordPress fanboys are too quick to dismiss any security measure as “obscurity”, in this case they are probably right. Version hiding is very likely defenceless against most exploits, which simply try every possible attack method regardless of the version advertised. This renders version hiding pointless.
It affects functionality of other plugins
Some other plugins check the WordPress version in order to behave differently. Take a look at the comments on the bs-wp-noversion plugin (which is yet another version hiding plugin). A broken WordPress installation is a real possibility if the version is changed or hidden.
I don't hide the version; I just run WP as a separate user. Anything that goes up on the blog is a “secret” anyway, so if it gets hacked, it gets hacked. Restoring is only a five-minute job ^_^
You're very relaxed about it! What I fear most, though, is someone planting JavaScript or links inside the site: besides being hard to notice, the site then gets used as a stepping stone, and may even be wrongly flagged by search engines as a problem site for no apparent reason, which would be quite unpleasant.