The WordPress Fix WordPress Doesn’t Want You To Know About

Sep 5th, 2009 | By | Category: General, Podcasting Software

A worm attacking outdated WordPress installs has been creating headaches for bloggers, podcasters and anyone else using WordPress as their content management system.

If you’re using anything other than the most recent version of WordPress, your site is apparently ripe for the plucking by hackers. If you haven’t already, update to the most recent version now.

WordPress creator Matt Mullenweg explains the vulnerability like this:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

Unfortunately, WordPress also makes it easy for attackers to find vulnerable installs: by default it prints a meta tag announcing your exact version in the head of every page of your site.

If you view source on a page at a WordPress-based site, you’ll see something like this:

<meta name="generator" content="WordPress 2.8.4" />

This is there, presumably, so that WordPress can count WordPress-based sites and see which versions are in use.

The problem is that the same meta tag makes it trivial for a crawler to pick out sites running a version with a known hole.

Here’s how you can fix this problem in about 1 minute.

Removing the WordPress Generator Metatag

Check the HTML of your site and see if your site is advertising its WordPress version. If so, removing the WordPress generator metatag is pretty easy:

  1. Go to the Admin area of your WordPress install. Navigate to the Theme Editor.
  2. Find Theme Functions (functions.php) and edit it.
  3. Add this to functions.php and save:
    // Return an empty string in place of the generator tag (applies to the page head and the feeds)
    function rm_generator_filter() { return ''; }
    add_filter('the_generator', 'rm_generator_filter');

Check the source again, and the generator line should be eliminated.
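As an added check (example code written for this page, not part of the original post and not WordPress code), here is a small Python audit that takes a page's HTML and response headers and lists the version leaks discussed here: the generator meta tag, the version strings WordPress appends as ?ver= to stylesheets and scripts it enqueues without an explicit version, the Server and X-Powered-By headers, and the version line in readme.html. The page head, headers and readme snippet below are constructed samples, and the "most common ?ver= value on a wp- path" guess is a heuristic of this example.

```python
"""Audit a WordPress page for the version leaks discussed above (added example)."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample of a 2.8-era page head (not a real capture).
SAMPLE_HTML_BEFORE = """<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css?ver=2.8.4" type="text/css" />
<script type="text/javascript" src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
<script type="text/javascript" src="http://example.com/wp-content/plugins/foo/foo.js?ver=2.8.4"></script>
<script type="text/javascript" src="http://example.com/wp-includes/js/comment-reply.js?ver=20090102"></script>
</head><body></body></html>"""

# The same head after the the_generator filter from the post has been applied.
SAMPLE_HTML_AFTER = SAMPLE_HTML_BEFORE.replace(
    '<meta name="generator" content="WordPress 2.8.4" />\n', "")

# Constructed response headers and readme.html fragment.
SAMPLE_HEADERS = {"Server": "Apache/2.0.54 (Unix) PHP/4.4.8", "X-Powered-By": "PHP/4.4.8"}
SAMPLE_README = ('<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
                 '<br /> Version 2.8.4</h1>')

VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")  # 2.8.4, 1.3.2 ... but not 20090102


class _HeadScanner(HTMLParser):
    """Collect the generator meta tag and every script/link URL carrying ?ver=."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.ver_params = []  # list of (url, ver) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag in ("script", "link"):
            url = a.get("src") if tag == "script" else a.get("href")
            if url:
                ver = parse_qs(urlparse(url).query).get("ver")
                if ver:
                    self.ver_params.append((url, ver[0]))


def find_version_leaks(html, headers=None):
    """Return every place this page or its headers gives away software versions."""
    scanner = _HeadScanner()
    scanner.feed(html)
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    return {
        "generator": scanner.generator,
        "ver_params": scanner.ver_params,
        "server": hdrs.get("server"),
        "x_powered_by": hdrs.get("x-powered-by"),
    }


def guess_wordpress_version(leaks):
    """Prefer the generator tag; otherwise take the most common x.y.z ?ver= value
    on a wp-content/wp-includes asset, which is what core appends when a theme or
    plugin enqueues a file without its own version (heuristic of this example)."""
    if leaks["generator"]:
        m = re.search(r"WordPress\s+(\S+)", leaks["generator"])
        if m:
            return m.group(1)
    votes = Counter(ver for url, ver in leaks["ver_params"]
                    if VERSION_RE.match(ver) and "/wp-" in url)
    return votes.most_common(1)[0][0] if votes else None


def version_from_readme(readme_html):
    """Pull the 'Version x.y.z' line out of a readme.html body."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", readme_html)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, html in (("before filter", SAMPLE_HTML_BEFORE), ("after filter", SAMPLE_HTML_AFTER)):
        leaks = find_version_leaks(html, SAMPLE_HEADERS)
        print(label, leaks, "=> WordPress", guess_wordpress_version(leaks))
    print("readme.html says", version_from_readme(SAMPLE_README))
```

Run against the constructed samples, the "after filter" pass still recovers 2.8.4 from the theme and plugin asset URLs, and the Server and X-Powered-By headers still name Apache and PHP versions; the filter in the steps above only removes the meta tag and the feed generator line. To audit a live site, pass the body and headers of a fetched page (and of /readme.html) into the same functions.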

See Christian Schenk’s site for more details on this fix.

Update: A lot of people (see the comments) consider the idea that there's any benefit to removing your software and version number to be "snake oil". Others, like me, see no value in sharing this information with the world, and see possible risks in doing so.

23 Responses to “The WordPress Fix WordPress Doesn’t Want You To Know About”

  2. Matt says:

    Did you read my post? That doesn’t actually fix anything — it’s snake oil.

  3. James Lewin says:

    Matt

    Thanks for your comment.

    You clearly disagree with a lot of people’s thoughts on advertising your backend to the world.

  4. I wouldn’t be so harsh as to say the tip above is snake oil, but it is an ill-advised security precaution that gives users a false sense of security. It certainly doesn’t cause harm to make the change to hide your version of WordPress in your theme/feeds, but it does not stop worms from trying to infect your site or make a hacker give up.

    There are a number of ways to see what version of WordPress someone is using. Just take a look at the readme file found in every installation: http://www.podcastingnews.com/content/readme.html You can detect major releases as well just by finding new features on the site, probing for added/removed images/css/js files, version of jQuery running on the site, etc… For this reason, I don’t even bother with removing the WordPress Generator Metatag. What would be more valuable is if you couldn’t determine if the site was WordPress or Movable Type. This is a nearly impossible wish of mine, since all the folders are stored with a wp- prefix.

    I doubt a worm developer would add a check to see what version of WordPress it is about to attack. The only time hiding the version number of your WordPress installation may come in handy is if a novice hacker was specifically targeting you. At that point you have to worry about other security items as well, such as the strength of your passwords and denial of service attacks. If someone is targeting you specifically, not displaying the version number will only slow them down maybe 1-5 minutes while he/she probes your site for other files to find/not-find a file that was in the latest version but not 2.7.x, or just looks at the readme.html like I did.

    Here’s a security tip, if you only have a couple users who actually sign into the admin portion of your blog, password protect the wp-admin folder with Apache HTTP authentication.

    I think the one thing we can agree on is keep up to date.

  5. Jane says:

    Are you seriously recommending that people hide their WordPress versions to prevent being attacked? Wow. Unlike Angela, I’ll say you’re peddling snake oil. A hacker obviously would be able to discover your WordPress version regardless.

  6. Matt says:

    Angela is correct, and the fact is that the worm writers moved past checking versions several years ago. You can ask people to hide their version, but it’s not responsible to suggest it will make them any more or less secure than before.

  7. James Lewin says:

    Matt, Jane & Angelo – good points. When you are considering a dedicated hacker attacking your site, obscuring your software and version number is useless. They will try everything.

    When you’re considering your site as one site out of 100+ million sites that hackers can attack, though, there’s value in staying one out of 100+ millions sites, instead of putting yourself on the short list.

    It’s “snake oil” to insist that users should share information about their site software with the world, when there’s no benefit to users in sharing that information.

  8. Otto says:

    This would not have protected you. I’ve examined this particular hack, and it did not even check the version number.

    What you’re saying here is factually incorrect.

  9. I do agree that there is value in obscurity, just that the way this blog post is written it kind of implies that this step prevents your blog from being compromised, which isn’t necessarily true.

    I think there is more value in removing the version numbers of Apache and PHP. At present I can see you are running Apache 2.0.54 and PHP 4.4.8. I highly recommend PHP 5.2.x or newer, there are some serious performance improvements in the newer versions of PHP.

    To hide Apache version, enter the following two lines in your httpd.conf:

    ServerSignature Off
    ServerTokens Prod

    To hide PHP altogether, open your server’s php.ini, find the variable expose_php and set it to off. Doing this removes the X-Powered-by headers from your server.

  10. jordanallan says:

    sad people

  11. Why does WordPress not want us to know it?? It's safe and we need them to make blogs, promoting our products.

  12. Thanks for your post, finally I got it.
