Archive for the ‘Security’ Category

WordPress and security

Saturday, November 8th, 2008

This won’t be a ground-breaking or revealing post of any sort, but I just stumbled upon a page where the author had done an “autopsy” on an infected WordPress blog, concluding that the tools available to infect a blog are so simple to use nowadays that one would really have to pay attention.

The tools, he continued, automatically look for WordPress installations of a specific, vulnerable version, and then, again automatically, apply one attack or another to infect the installation.

Which reminded me that I really should remove the version string from that meta tag in the source code. I actually have a somewhat hard time understanding why it is put there in the first place. My browser experience, as a user, is not diminished by the removal of said version string. Maybe I am missing something, but if I am not, the only purpose that string has is to let users know (the ones who browse the source) which version of WordPress is currently installed (and, of course, to make it easier for those automated scripts to find vulnerable versions).

Naturally, the safest bet is always to keep the installation up to date with the newest version, but even so, why print the version number?

So, down to the nitty-gritty. In your WordPress directory, there will be a directory called wp-includes, in which, among other files, you will find general-template.php. At the end of that file, there is a function which outputs the version string in a couple of different formats: XHTML, RSS, etc.

You will want to modify each of these strings, so that none of them can be used to reveal the version.


The html option, for instance, looks like this:

$gen = '<meta name="generator" content="WordPress ' . get_bloginfo( 'version' ) . '">' . "\n";

which would have to be modified by removing the call to get_bloginfo(), leaving:

$gen = '<meta name="generator" content="WordPress">' . "\n";

Once these lines are modified, it should be, at least in theory, harder for an attacker to mount an automated attack against your blog.
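
To confirm the edits took effect in every format, the saved page source and feeds of your own blog can be scanned for generator tags that still carry a version number. This is an added example, not part of the original post or of WordPress itself; the sample markup (the version 2.6.3 and the RSS/Atom generator layouts) and the names GeneratorFinder and leaked_versions are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")  # dotted version such as 2.6 or 2.6.3

class GeneratorFinder(HTMLParser):
    """Collects every generator declaration found in HTML, RSS or Atom markup."""

    def __init__(self):
        super().__init__()
        self.found = []              # generator strings seen so far
        self._in_generator = False   # True while inside <generator>...</generator>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.found.append(attrs.get("content") or "")
        elif tag == "generator":
            # Atom keeps the version in an attribute, RSS in the element text.
            self.found.append(attrs.get("version") or "")
            self._in_generator = True

    def handle_endtag(self, tag):
        if tag == "generator":
            self._in_generator = False

    def handle_data(self, data):
        if self._in_generator:
            self.found.append(data.strip())

def leaked_versions(markup):
    """Return the version numbers exposed by generator tags in markup."""
    finder = GeneratorFinder()
    finder.feed(markup)
    finder.close()
    return [m.group(0) for text in finder.found for m in VERSION_RE.finditer(text)]

# Constructed samples; the version number 2.6.3 is chosen only for illustration.
BEFORE = '<head><meta name="generator" content="WordPress 2.6.3"></head>'
AFTER = '<head><meta name="generator" content="WordPress"></head>'
RSS = "<rss><channel><generator>http://wordpress.org/?v=2.6.3</generator></channel></rss>"
ATOM = '<feed><generator uri="http://wordpress.org/" version="2.6.3">WordPress</generator></feed>'

if __name__ == "__main__":
    for name, sample in [("before", BEFORE), ("after", AFTER), ("rss", RSS), ("atom", ATOM)]:
        print(name, leaked_versions(sample) or "no version exposed")
```

Files under wp-includes are replaced when WordPress is upgraded, so the check is worth repeating after every update.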