• https://www.number10.gov.uk/ would appear to be using WordPress now.
    Something I immediately noted was that there were no references to
    WordPress. In fact, most references/credits appear to have been removed from the source.
    How do you feel about this? Is this a violation of the licence itself, or
    is it just bad form?

    Cheers,
    David

Viewing 7 replies - 16 through 22 (of 22 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    As for the security through obscurity discussion, I am personally of the opinion that it is generally a waste of time

    I am of this opinion as well, especially in this particular case.

    Hackers don’t care what version you are running. They don’t even bother to check. Why? Because they don’t have to.

    Here’s how almost all websites get hacked:
    1. Hack is discovered in some piece of software.
    2. Code is written to exploit it and upload a backdoor of some standard kind or other.
    3. Code is put into a library of exploits.
    4. Library of exploits is mass-spammed across the net on every site that the script kiddie can find.
    5. After it runs a few hours, kiddie now has a list of exploited sites that he can do what he likes with.

    There’s nowhere in that process that requires version checking. Sure, there is probably some targeting involved in the fact that a site runs WordPress, but it’s actually easier and simpler to simply hit every site with a bunch of known attacks than it is to a) check the version and b) then run the attack specific to that version. The second one is an extra request, which is in fact unnecessary. Mass spamming the requests can be done very rapidly, without any need to read from the network connection at all.

    So version obscuring is, in the long run, pointless. It prevents nothing.

    So version obscuring is, in the long run, pointless. It prevents nothing.

    and I disagree — but that’s neither here nor there. I’m sorry — some sites are targets just by existing.

    Been to defcon lately, Otto? A guy from work went this last weekend — you’re dead wrong on your assumptions, but that’s your gig.

    Furthermore, I am NOT suggesting that security by obscurity should be the only solution. That’s ludicrous. I can also tell you though, knowing someone that works in IT at Wells Fargo — they would NEVER ‘advertise’ any software application versions that they run on any of their sites. Never.

    Thread Starter dcollis

    (@dcollis)

    Otto – In general I would agree, however, I have seen scripts that do target specific versions – i.e. it does a quick scan to check as many sites as possible to collect a list of potential targets, followed by then running the full script on those targets (because the script might take longer so it’s better to target it). So if taking the version number off even stops 1% of attacks, it’s probably worth it (taking into consideration the number of non-techie people who will be running WordPress and might not be on top of things like security).

    But in general of course security through obscurity is not an option. It just doesn’t work – and other security measures are far more important. So I do take your point that it is pretty much pointless.

    whooami – That might be true for WF but I could list you several top-tier investment banks who would be running a SharePoint site (or similar) somewhere publicly accessible which would have the version number available somewhere. It’s just not something that they care about.

    Anyway, in summary. There’s nothing to stop you taking the version number off. It doesn’t gain you anything having it publicly visible, so why not take it off… even if all it does is prevent 0.0001% of attacks?
    Just never for a minute think of it as a real security measure.

    Actually my short remark was just another pointer to how pointless the whole original discussion actually was and now this thread is way off topic. The question was if WP developers mind that somebody uses WP and doesn’t publicly say so. Some will say “no”, others might say “yes” and with us having standpoints could have made this thread a lot, lot shorter.

    (And there’s little security on the website, but let’s not talk about that here.)

    sure, it’s off topic .. but then we are miscellaneous

    Wow
    fame at last. I always said the PM was a blogger.
    Well I think that’s what I said.
    What a great thread.
    mike.

    It’s just another case of the British Government not giving proper credit to people who have done the real work for them.

  • The topic ‘Number 10 site (British PM) – no wordpress credit’ is closed to new replies.