The WordPress Fix WordPress Doesn’t Want You To Know About

Sep 5th, 2009 | By | Category: General, Podcasting Software

A major WordPress hack has been creating headaches for bloggers, podcasters and anyone else using WordPress for their content management system.

If you’re using anything other than the most recent version of WordPress, your site is apparently ripe for the plucking by hackers. If you haven’t already, update to the most recent version now.

WordPress creator Matt Mullenweg explains the vulnerability like this:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

Unfortunately, WordPress makes it easy for hackers to find vulnerable installs, by embedding an advertisement of your vulnerability on every page of your site.

If you view source on a page at a WordPress-based site, you’ll see something like this:

<meta name="generator" content="WordPress 2.8.4" />

This is there, presumably, to make it easy for WordPress to identify WordPress-based sites, and also to see what version you are using.

The problem is, the same meta tag makes it a no-brainer for crawlers to automatically find sites that are vulnerable.

Here’s how you can fix this problem in about 1 minute.

Removing the WordPress Generator Metatag

Check the HTML of your site and see if your site is advertising its WordPress version. If so, removing the WordPress generator metatag is pretty easy:

  1. Go to the Admin area of your WordPress install. Navigate to the Theme Editor.
  2. Find Theme Functions (functions.php) and edit it.
  3. Add this to functions.php and save:
    // Return an empty string so WordPress outputs no generator tag.
    function rm_generator_filter() { return ''; }
    add_filter('the_generator', 'rm_generator_filter');

Check the source again, and the generator line should be eliminated.

See Christian Schenk’s site for more details on this fix.

Update: A lot of people (see the comments) consider the idea that there’s a benefit to removing information about your software and version number to be “snake oil”. Others, like me, see no value in sharing this information with the world, and possible risks.


11 Responses to “The WordPress Fix WordPress Doesn’t Want You To Know About”

  1. […] anything other than the most recent version of WordPress, your site is apparently ripe … Read Full Article […]

  2. Matt says:

    Did you read my post? That doesn’t actually fix anything — it’s snake oil.

  3. James Lewin says:


    Thanks for your comment.

    You clearly disagree with a lot of people’s thoughts on advertising your backend to the world.

  4. I wouldn’t be so harsh to say the tip above is snake oil, but it is an ill-advised security precaution that gives users a false sense of security. It certainly doesn’t cause harm to make the change to hide your version of WordPress in your theme/feeds, but it does not stop worms from trying to infect your site or make a hacker give up.

    There are a number of ways to see what version of WordPress someone is using. Just take a look at the readme file found in every installation: You can detect major releases as well just by finding new features on the site, probing for added/removed images/css/js files, version of jQuery running on the site, etc… For this reason, I don’t even bother with removing the WordPress Generator Metatag. What would be more valuable is if you couldn’t determine if the site was WordPress or Movable Type. This is a nearly impossible wish of mine, since all the folders are stored with a wp- prefix.

    I doubt a worm developer would add a check to see what version of WordPress it is about to attack. The only time hiding the version number of your WordPress installation may come in handy is if a novice hacker was specifically targeting you. At that point you have to worry about other security items as well such as the strength of your passwords and denial of service attacks. If someone is targeting you specially, not displaying the version number will only slow them down maybe 1-5 minutes while he/she probes your site for other files to find/not-find a file that was in the latest version but not 2.7.x, or just look at the readme.html like I did.

    Here’s a security tip, if you only have a couple users who actually sign into the admin portion of your blog, password protect the wp-admin folder with Apache HTTP authentication.

    I think the one thing we can agree on is keep up to date.

  5. Jane says:

    Are you seriously recommending that people hide their wordpress versions to prevent being attacked? Wow. Unlike Angela, I’ll say you’re peddling snake oil. A hacker obviously would be able to discover your wordpress version regardless.

  6. Matt says:

    Angela is correct, and the fact is that the worm writers moved past checking versions several years ago. You can ask people to hide their version, but it’s not responsible to suggest it will make them any more or less secure than before.

  7. James Lewin says:

    Matt, Jane & Angela – good points. When you are considering a dedicated hacker attacking your site, obscuring your software and version number is useless. They will try everything.

    When you’re considering your site as one site out of 100+ million sites that hackers can attack, though, there’s value in staying one out of 100+ million sites, instead of putting yourself on the short list.

    It’s “snake oil” to insist that users should share information about their site software with the world, when there’s no benefit to users in sharing that information.

  8. Otto says:

    This would not have protected you. I’ve examined this particular hack, and it did not even check the version number.

    What you’re saying here is factually incorrect.

  9. I do agree that there is value in obscurity, just that the way this blog post is written it kind of implies that this step prevents your blog from being compromised, which isn’t necessarily true.

    I think there is more value in removing the version numbers of Apache and PHP. At present I can see you are running Apache 2.0.54 and PHP 4.4.8. I highly recommend PHP 5.2.x or newer, there are some serious performance improvements in the newer versions of PHP.

    To hide Apache version, enter the following two lines in your httpd.conf:

    ServerSignature Off
    ServerTokens Prod

    To hide PHP altogether, open your server’s php.ini, find the variable expose_php and set it to off. Doing this removes the X-Powered-by headers from your server.
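
The version disclosures discussed in the article and in the comment above (the generator meta tag, and the Apache and PHP response headers) can be checked in one pass. This is an added example, not code from the original post or its commenters; `audit_response`, `GeneratorFinder` and the sample response are constructed for illustration, using the version strings quoted on this page.

```python
import re
from html.parser import HTMLParser

# Constructed sample response; the version strings are the ones quoted on
# this page (WordPress 2.8.4, Apache 2.0.54, PHP 4.4.8).
SAMPLE_HEADERS = {"Server": "Apache/2.0.54 (Unix) PHP/4.4.8",
                  "X-Powered-By": "PHP/4.4.8"}
SAMPLE_HTML = """<html><head><title>My blog</title>
<meta name="generator" content="WordPress 2.8.4" />
</head><body>Hello</body></html>"""


class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attr = {name: value or "" for name, value in attrs}
        if tag == "meta" and attr.get("name", "").lower() == "generator":
            self.values.append(attr.get("content", ""))


def audit_response(headers, html):
    """Return (location, value) pairs for each version string disclosed."""
    findings = []
    finder = GeneratorFinder()
    finder.feed(html)
    for value in finder.values:
        if re.search(r"\d", value):  # "WordPress 2.8.4" yes, "WordPress" no
            findings.append(("meta generator", value))
    # Header names are case-insensitive, so normalise them before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("server", "x-powered-by"):
        value = lowered.get(name, "")
        if re.search(r"/\d", value):  # "Apache/2.0.54" yes, "Apache" no
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for location, value in audit_response(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{location}: {value}")
```

Once the functions.php filter, `ServerTokens Prod` and `expose_php` off are all in place, the same call on your own site's response should return an empty list.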

  10. jordanallan says:

    sad people

  11. Why does WordPress not want us to know it?? It's safe and we need them to make blogs, promoting our products.
