
Sneakily Hide WP Versions

Developer: ruminativewp
Updated: October 18, 2021, 12:01
PHP version: 7.0 or higher
WordPress version: 5.8.1
License: GPLv2 or later

Tags

hide version, remove version, remove generator, hide generator, sneakily hide wp versions

Download

1.0.6

Description:

Hides the WordPress version everywhere it’s displayed, including feed generator tags, static asset URLs, load-styles.php and load-scripts.php, and in /wp-admin/install.php and /wp-admin/upgrade.php. Some plugins hide the WordPress version, but not everywhere, and that’s as good as not hiding it at all. This plugin hides all occurrences of the WordPress core version. This version hiding doesn't break the cache-busting that WordPress does using the version number in static asset URLs.

Installation:

  1. Ensure your setup meets the Requirements, above
  2. Install from the Plugin Directory or manually download and unpack the zip file
  3. Activate plugin using WordPress admin
  4. Depending on your configuration, you might need to update the web server configuration (.htaccess / Apache config / nginx config) and restart your web server

Upgrade Notice:

1.0.4 Initial Plugin Directory release

Frequently Asked Questions:

Why bother hiding the WordPress version?

If somebody wants to hack your site, knowing the WordPress version you’re running saves a lot of time. This plugin denies potential attackers that information.

Isn’t this Security Through Obscurity?

First: a few comments about security through obscurity. As the WordPress Hardening guide points out, this is usually, and correctly, seen as a security anti-feature: if something is secure, it shouldn’t matter what an attacker knows about it. This principle works well in certain situations: cryptography, open source code, anything where the implementation is public. However, it doesn’t work well in situations where implementations are not public: for example, the behind-the-scenes implementation, infrastructure and source code of your own website. Unless you intend to expose all that for public review – something true in a very limited number of cases – then “what configuration your WordPress site has” isn’t something that should be publicly knowable. Given your website configuration is being kept private already, it only helps an attacker, and potentially hurts you, to expose information that doesn’t benefit your business.

Again, the WordPress Hardening Guide says “However, there are areas in WordPress where obscuring information might help with security.” Obscuring the WordPress version number(s) is arguably one of those areas: one of the most common types of attacks against WordPress is “sending specially crafted HTTP requests [that exploit] … specific vulnerabilities.” Often these specific vulnerabilities rely on knowing the WordPress version, or the version of other plugins or themes. And information gathering, finding out the details of target websites and systems in advance of an attack, is part of penetration testing methodology for a reason: actual attackers use it. You don’t want them using it against your site.

Another way to look at this is: what is your threat model? What threats to your website and business are realistic and worth defending against? Vulnerabilities in WordPress core are threats worth taking seriously, because even if they’re fixed in a later release, there’s still a window of opportunity for attackers, and they’ll want to know if your site is up to date – by checking the WordPress version.

So is this security through obscurity? No. The security of your WordPress site comes from what’s elsewhere: keeping your core and plugins up to date, using security plugins, using a Web Application Firewall, and all the other security best practices. Our plugin hides information, making it unavailable to attackers, and making their life more difficult: an important part of having a secure website.

Does Hide WP Version work correctly when WordPress updates to a new version?

Yes.

Why do my CSS and JavaScript URLs still have a version at the end?

Hide WP Version generates a random number and uses that as a fake WordPress version number. This is because WordPress uses the version number on the end of URLs for “cache busting” – forcing browsers to load a new version of a file. Generating and using a fake version number hides the real version number without breaking this aspect of WordPress’s functionality.
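A site owner can confirm that the `ver=` values left on asset URLs are the fake number and not the real core version by auditing their own rendered markup. The following is an added example, not the plugin's code: `audit_page`, the sample markup and the fake value `4829173` are constructed for illustration, and `5.8.1` is used as the sample core version.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _VersionAudit(HTMLParser):
    """Collects places where the real core version appears in page markup."""
    def __init__(self, core_version):
        super().__init__()
        self.core_version = core_version
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # <meta name="generator" content="WordPress x.y.z">
        if tag == "meta" and a.get("name", "").lower() == "generator":
            if self.core_version in a.get("content", ""):
                self.findings.append(("generator", a["content"]))
        # ?ver= on stylesheet and script URLs (also load-styles.php / load-scripts.php)
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if url and self.core_version in parse_qs(urlsplit(url).query).get("ver", []):
            self.findings.append(("asset", url))

def audit_page(html, core_version):
    """Return (kind, value) pairs for every exposure of core_version in html."""
    parser = _VersionAudit(core_version)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not captured from a real site.
SAMPLE_BEFORE = """
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.8.1" />
<link rel="stylesheet" href="/wp-content/plugins/example/style.css?ver=2.3.0" />
<script src="/wp-includes/js/wp-embed.min.js?ver=5.8.1"></script>
"""
SAMPLE_AFTER = """
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=4829173" />
<link rel="stylesheet" href="/wp-content/plugins/example/style.css?ver=2.3.0" />
<script src="/wp-includes/js/wp-embed.min.js?ver=4829173"></script>
"""

if __name__ == "__main__":
    for name, page in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_page(page, "5.8.1"))
```

An asset whose `ver=` differs from the core version, such as a plugin's own version or the fake number, is not reported, so an empty result means the core version no longer appears in these locations.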

Can I change the fake version number?

Yes, but not to anything you choose. To update the fake version number, log in to your WordPress site as an Administrator and select Ruminative WP > Hide WP Version from the menu. There’s a button to bump the fake version.

Can I use a specific value for the fake version number?

No, because what happens when WordPress core is upgraded to a new version and this value needs to change? For simple values like “1” this could work, but then why bother specifying a custom value? If it’s not a simple value like “1”, but something like “pomegranate”, what should the new value be? You’d need to update the value manually every time WordPress core updates, and that’s annoying. Let the plugin handle this.

Is this much code really necessary to hide WordPress versions? Isn’t it excessive?

Respectively – yes, it’s necessary, because WordPress attaches extra meaning to version numbers, in its handling of static assets; and “it depends,” if you want to secure your site as much as possible, then it might not be excessive.

Does this block the sending of my version to WordPress.org?

No, currently this isn’t blocked, because WordPress.org knowing your WP version isn’t generally a security risk.

Changelog:

1.0.4 1.0.3 1.0.2 1.0.1 1.0.0 0.1.2 0.1.0 0.0.5 0.0.4 0.0.3 0.0.2 0.0.1