[Plugin: WordPress SEO by Yoast] TO ALL: HIDDEN BACKLINK in class-frontend.php

Actually, thats not a backlink per se, neither is hidden.
This is nothing but credit to the author. He developed a great plugin and he is sharing with everybody absolutelly free. He owns and deserve the credit.
If you take a closer look to the html code, you will see its
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.1.5 - https://yoast.com/wordpress/seo/ -->

That’s and HTML COMMENT. It’s not a backlink at all.

Hope it clears the misunderstanding for you and you give back the author the credit he deserves.

Cheers.

And as long as there is never, ever a security flaw in his script, everything will be rainbows, until there is a flaw..

The author has been informed as to how this is a security hole and has expressed how he doesn’t care.

Some day we’ll all read news as to how someone hacked a host of sites running a specific version of this plugin, and nobody will be guessing how they figured it out.

The plugin is great and feature packed, but the version number, especially, should never be displayed to the world.

This is not a security hole, it’s not a backlink, and it’s not against the repo guidelines.

HTML comments like that are not backlinks. HTML comments are completely ignored by search engines and these URLs are just plain text.

To quote Viper007bond in a previous conversation:

It’s why hackers insert real links into footers and such but then hide them using CSS. They have to be real, “visible” (not commented out) links in order for them to do anything related to search engines.

If there’s a security hole that the author won’t fix, please email that to [email protected]

But you’d better prove it with good examples of how it’s a hole.

Exploiting 101:

Step 1: When hacking a site, pull up the HTML source code, look for indications of the server running scripts with vulnerabilities.

Step 2: Search the web for reports of security flaws regarding aforementioned server scripts

Step 3: Hack said site using exploits matching the version the webmaster so helpfully advertised to you

It only takes one vulnerability of one version to be very bad news, as when you advertise version numbers (let alone scripts), you are helping the world select the perfect exploit to use.

Not all exploits are found by white hats and reported. There could be a flaw in any version of any plugin, and so long as they are advertised in html, people are far more at risk.

It is security through obscurity, which is not ideal, but is certainly preferred to advertising “I’ll help you hack me!” in your html source. Even wordpress adds a version # in the html source, which they should absolutely know better.

To all who wish to remove the wordpress version # from your html, seeing as the topic is here, add this to your theme functions.php file:

remove_action(‘wp_head’, ‘wp_generator’);

There may be a similar method to prevent SEO from adding the version # to the html source, but I’m no wordpress developer. I got that code from this security conscious article which warns of exactly what I just mentioned.

Again, Yoast makes a wonderful plugin, but with anything this complex made by one guy, mistakes can happen, and advertising a script and version number does nothing but help hackers hack. The best wbesites out there are the ones you can’t tell what script they run or, better yet, make you think it is a different script running in a different language.