Developer | ruminativewp
---|---
Last updated | 18 October 2021, 12:01
Donate link: | Donate
PHP version: | 7.0 or higher
WordPress version: | 5.8.1
License: | GPLv2 or later
License URL: | License information
If somebody wants to hack your site, knowing the WordPress version you’re running saves a lot of time. This plugin denies potential attackers that information.
First: a few comments about security through obscurity. As the WordPress Hardening guide points out, this is usually, and correctly, seen as a security anti-feature: if something is secure, it shouldn’t matter what an attacker knows about it. This principle works well in certain situations: cryptography, open source code, anything where the implementation is public. However, it doesn’t work well in situations where implementations are not public: for example, the behind-the-scenes implementation, infrastructure and source code of your own website. Unless you intend to expose all that for public review – something true in a very limited number of cases – then “what configuration your WordPress site has” isn’t something that should be publicly knowable. Given that your website configuration is already being kept private, it only helps an attacker, and potentially hurts you, to expose information that doesn’t benefit your business.

Again, the WordPress Hardening Guide says “However, there are areas in WordPress where obscuring information might help with security.” Obscuring the WordPress version number(s) is arguably one of those areas: one of the most common types of attacks against WordPress is “sending specially crafted HTTP requests [that exploit] … specific vulnerabilities.” Often these specific vulnerabilities rely on knowing the WordPress version, or the version of other plugins or themes. And information gathering, finding out the details of target websites and systems in advance of an attack, is part of penetration testing methodology for a reason: actual attackers use it. You don’t want them using it against your site.

Another way to look at this is: what is your threat model? What threats to your website and business are realistic and worth defending against?
Vulnerabilities in WordPress core are threats worth taking seriously, because even if they’re fixed in a later release, there’s still a window of opportunity for attackers, and they’ll want to know if your site is up to date – by checking the WordPress version. So is this security through obscurity? No. The security of your WordPress site comes from what’s elsewhere: keeping your core and plugins up to date, using security plugins, using a Web Application Firewall, and all the other security best practices. Our plugin hides information, making it unavailable to attackers, and making their life more difficult: an important part of having a secure website.
Yes.
Hide WP Version generates a random number and uses that as a fake WordPress version number. This is because WordPress uses the version number on the end of URLs for “cache busting” – forcing browsers to load a new version of a file. Generating and using a fake version number hides the real version number without breaking this aspect of WordPress’s functionality.
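To make the mechanism concrete, here is an added example of the approach described above, written for this page and not taken from the Hide WP Version plugin. It stores a random, version-shaped string in an option (the option name, function names and the `admin_post` action name are all assumed), swaps it in for the real version on core script and style URLs so that cache busting keeps working, removes the generator tag, and exposes an Administrator-only action that regenerates the fake version:

```php
<?php
/*
Plugin Name: Example Fake Version (illustrative; not the Hide WP Version plugin)
*/
// Added example code. Option name, function names and the admin_post action
// name below are assumptions made for this illustration.

defined( 'ABSPATH' ) || exit;

const EXAMPLE_FAKE_VERSION_OPTION = 'example_fake_wp_version'; // assumed option name

// Return the stored fake version, generating one on first use.
function example_get_fake_version() {
    $fake = get_option( EXAMPLE_FAKE_VERSION_OPTION );
    if ( ! is_string( $fake ) || ! preg_match( '/^\d+\.\d+\.\d+$/', $fake ) ) {
        $fake = example_bump_fake_version();
    }
    return $fake;
}

// Generate a new random version-shaped string and store it. Changing it changes
// every ?ver= query string on core assets, so browsers fetch fresh copies: the
// cache-busting behaviour the text describes keeps working.
function example_bump_fake_version() {
    $fake = sprintf( '%d.%d.%d', wp_rand( 1, 9 ), wp_rand( 0, 99 ), wp_rand( 0, 999 ) );
    update_option( EXAMPLE_FAKE_VERSION_OPTION, $fake, false );
    return $fake;
}

// Replace the real version on enqueued script/style URLs. Only URLs whose ver
// equals the real WordPress version are touched, so plugin and theme assets,
// which carry their own version numbers, are left alone.
function example_replace_asset_version( $src ) {
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $args  = array();
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
    }
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = add_query_arg( 'ver', example_get_fake_version(), remove_query_arg( 'ver', $src ) );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_replace_asset_version', 20 );
add_filter( 'style_loader_src', 'example_replace_asset_version', 20 );

// Drop the <meta name="generator"> tag from page heads and the generator string
// from feeds, both of which carry the real version.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Administrator-only "bump" action, mirroring the button mentioned in the FAQ.
// The capability check limits who may change the value; the nonce check stops a
// cross-site request forgery from triggering this state change.
add_action( 'admin_post_example_bump_fake_version', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_bump_fake_version' );
    example_bump_fake_version();
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
} );
```

Two design points worth noting: the filter compares `ver` against the real version before rewriting, so assets that were enqueued with their own explicit version string are untouched; and the fake value is persisted rather than generated per request, because a value that changed on every page load would defeat browser caching entirely instead of merely busting it when the site owner chooses. This example only covers the script/style URLs and the generator tag; the plugin's own coverage may differ.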
Yes, but not to anything you choose. To update the fake version number, log in to your WordPress site as an Administrator and select Ruminative WP > Hide WP Version from the menu. There’s a button to bump the fake version.
No, because what happens when WordPress core is upgraded to a new version and this value needs to change? For simple values like “1” this could work, but then why bother specifying a custom value? If it’s not a simple value like “1”, but something like “pomegranate”, what should the new value be? You’d need to update the value manually every time WordPress core updates, and that’s annoying. Let the plugin handle this.
Respectively – yes, it’s necessary, because WordPress attaches extra meaning to version numbers, in its handling of static assets; and “it depends,” if you want to secure your site as much as possible, then it might not be excessive.
No, currently this isn’t blocked, because WordPress.org knowing your WP version isn’t generally a security risk.