[Defender] Hide the Wordpress Version Generator

Hey guys,
Just wondering if it would be possible to add in the feature to hide the version of wordpress that is displayed as <meta name="generator" content="WordPress 4.9.7" /> in our source code.

Since wpcheckup flags this as a vulnerability I just think it should be added in to a security plugin like Defender to 'automate' it like much of the rest of the security tweaks it does upon installation.

I am aware of how to remove it manually by editing my functions file but just think I shouldn't have to.

Thanks

      • Tony G
        • Mr. LetsFixTheWorld

        Respectfully, I disagree with that. Yes, this is commonly noted as a security issue. Realistically however, hackers can easily recognize a WordPress site with any number of fingerprints and signatures all across a site, including:

        - Core class names
        - Core names and IDs in the login form like "name=loginform id=loginform", or submit "name=wp-submit"
        - References to wpmucdn from Hummingbird
        - Comments added by Hummingbird about cache
        - The sitemap.xml created by SmartCrawl which includes "/wp-content/plugins/wpmu-dev-seo"
        - References to "/wp-content/themes"
        - References to "/wp-includes/wlwmanifest.xml" (useless file)
        - Stylesheet .css files that have a very specific WordPress pattern

        That's just a small sampling that doesn't include anything added by non-Dev plugins. My conclusion on that is to recognize that bad guys know what toolkit we use - there's no question about that. Changing this one detail won't help at all. Security through obscurity is not a valid pursuit in our case. Our admin time would be better spent defending specific, known vectors of abuse, rather than trying to hide them.

        As to the convenience of having some number of features in a single plugin, I also disagree with that. I will be publishing a note soon on this concept.

        • Baldafrican
          • Made in Africa

          Tony G
          I agree with what you have said.

          I am not asking for a tool that will completely hackproof my site or even hide any evidence of wordpress being used, but only asking that if your scanning tool (WPCheckup) highlights an issue, surely your provided plugin (in this particular case - Defender) should address it without the need to install multiple plugins.

          • Tony G
            • Mr. LetsFixTheWorld

            Just being conversational here, no intent to discourage the requests...

            if your scanning tool (WPCheckup) highlights an issue, surely your provided plugin (in this particular case - Defender) should address it

            But it seems we've agreed that the WPCheckup scanning tool is flagging an invalid concern. At that point I think this would become a request to WPMU DEV to reconsider flagging that specific security concern - given the wealth of evidence that this specific metric is invalid. In other words, the problem is not that Defender doesn't allow you to fix a security issue, the problem is that WPCheckup is inaccurately reporting that you have an issue.

            I'll tell you what just horrified me about WPCheckup - it enumerates and displays user IDs from our sites. The checkup tool itself is exposing a vulnerability. Now THAT is something to which I strongly object.

            That said, it kicks me in the butt to go find out where my site is exposing that information because obviously I provided that data for the scan. *sigh*

          • Baldafrican
            • Made in Africa

            I'll tell you what just horrified me about WPCheckup - it enumerates and displays user IDs from our sites. The checkup tool itself is exposing a vulnerability. Now THAT is something to which I strongly object.

            Perhaps that should be a thread on its own in the features and feedback section to bring more awareness to it?

          • Tony G
            • Mr. LetsFixTheWorld

            While my normal sentiment is complete agreement, I find myself posting too many notes on this site to report issues. I simply don't have the time to do extensive QA for free. So when WPMU DEV finds tidbits about product issues in these forums, I hope they will take the initiative to note them internally. I'll continue to do what I can too of course. So to respond to your suggestion - I may or may not report that one. Maybe someone else will if they care...

          • James Morris
            • WordPress Enthusiast

            Hello Tony G

            Be assured, we're paying attention and taking notes of all the suggestions our members provide. Your feedback is priceless and it helps us provide better products and services to meet your needs. We greatly appreciate it! :slight_smile:

            That being said, as a workaround to block enumeration of ?author=# on your WordPress site, you can add the following to your .htaccess. Update the domain as needed, of course.

            # Block User ID Phishing Requests
            <IfModule mod_rewrite.c>
                RewriteEngine On
                # Match author=N anywhere in the query string, not only when it is the first parameter
                RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
                # Redirect to the home page; the trailing "?" drops the original query string
                RewriteRule .* https://YOURDOMAIN.TLD/? [L,R=302]
            </IfModule>

            I've tested this with pretty permalinks and plain permalinks. Works great and it also blocks WP Checkup from enumerating users. :slight_smile:

            Hope this helps!

            James Morris
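            The same two changes the thread discusses (removing the generator tag from functions.php, and blocking ?author=N enumeration) as a single must-use plugin. This is an added example, not Defender's code and not code from any poster; the plugin header, file location and the redirect target are assumptions.

```php
<?php
/**
 * Plugin Name: Hide Generator + Block Author Enumeration (added example)
 * Description: Drop this file into wp-content/mu-plugins/ (assumed location).
 */

// Stop WordPress printing <meta name="generator" content="WordPress x.y.z" /> in <head>.
remove_action( 'wp_head', 'wp_generator' );

// The version string is also emitted in RSS/Atom feeds and the RSD link; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );

// Block /?author=N requests before WordPress's canonical redirect turns them into
// /author/<username>/ (which is what leaks the login name). Runs on 'init', which
// fires before 'template_redirect' where redirect_canonical() is hooked.
add_action( 'init', function () {
    // Leave wp-admin and AJAX requests alone; the enumeration vector is the public front end.
    if ( is_admin() || wp_doing_ajax() ) {
        return;
    }
    // Check the parameter wherever it appears in the query string, not only at its start.
    if ( isset( $_GET['author'] ) && is_string( $_GET['author'] )
         && preg_match( '/^\d+$/', $_GET['author'] ) ) {
        // Redirect target is an assumption; home_url() keeps it on the same site.
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );
```

            Verify by requesting /?author=1 and /?foo=bar&author=1 against your own site: both should return a 302 to the home page instead of the /author/username/ redirect, and the page source should no longer contain the generator meta tag.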
