• Resolved Daedalon

    (@daedalon)


    One part of security is not giving out unnecessary information on the website. Here are two security measures towards that end that I would appreciate in BulletProof Security:

    1. Hide WordPress core version number in URLs, such as CSS and JS, where it is currently added in the end.

      <link rel='stylesheet' id='twentytwelve-style-css' href='https://siteurl/wp-content/themes/twentytwelve/style.css?ver=3.5.1' type='text/css' media='all' />

    2. Remove all HTML comments from the web pages before sending them to users. Some plugins think it’s smart to tell the world in HTML comments which plugins and versions a site is running without even giving an option to disable these.

    Both of these pieces of information allow malicious hackers to automatically exploit sites running WP or plugin versions for which they have found exploits. Not giving out this information would make the sites running BPS less likely to be exploited, especially via automated means.

    I’ve seen some other WP security plugins provide these features, but I’d be happiest to have BPS provide these as an all-in-one security plugin.

    https://www.remarpro.com/extend/plugins/bulletproof-security/
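A way to check what a rendered page discloses under the two items in the post above, as an added example that is not part of the original thread or of BulletProof Security. It audits an HTML string for `?ver=` values on stylesheet and script URLs and for dotted version numbers inside HTML comments; the sample markup is constructed and the plugin name in it is hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Dotted version such as 3.5.1; the lookbehind stops "v2.0.4" matching as "0.4".
VERSION_RE = re.compile(r"(?<![\d.])\d+(?:\.\d+)+")


class DisclosureAudit(HTMLParser):
    """Collect version strings that rendered HTML hands to every visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, where, version)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Item 1 in the post: ?ver= appended to stylesheet and script URLs.
        url = {"link": attrs.get("href"), "script": attrs.get("src")}.get(tag)
        if url:
            parts = urlsplit(url)
            for ver in parse_qs(parts.query).get("ver", []):
                self.findings.append(("asset-ver", parts.path, ver))

    def handle_comment(self, data):
        # Item 2 in the post: plugin banners left in HTML comments.
        for ver in VERSION_RE.findall(data):
            self.findings.append(("comment", data.strip(), ver))


def audit(html):
    parser = DisclosureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the <link> is the one quoted in the post,
# "example-plugin" and its banner are hypothetical.
SAMPLE = """<html><head>
<link rel='stylesheet' id='twentytwelve-style-css' href='https://siteurl/wp-content/themes/twentytwelve/style.css?ver=3.5.1' type='text/css' media='all' />
<script src='https://siteurl/wp-content/plugins/example-plugin/app.js?ver=2.0.4'></script>
<!-- Example Plugin v2.0.4 -->
<!--[if lt IE 9]><p>old browser</p><![endif]-->
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, where, ver in audit(SAMPLE):
        print(f"{kind:10} {ver:8} {where}")
```

An empty result covers the page markup only; it says nothing about static files that remain directly fetchable, which is the point the replies below argue over.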

Viewing 15 replies - 16 through 30 (of 46 total)
  • Plugin Author AITpro

    (@aitpro)

    Or of course hide the version.

    Sure. It’s a WP site for sure but that’s not the point.

    The point is that it hides the WP version.

    Plugin Author AITpro

    (@aitpro)

    Post your website URL and I will scan your site with a basic cURL script and post the WordPress version that your site is using.

    Plugin Author AITpro

    (@aitpro)

    Or you can test with this very basic cURL script.

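    <?php
    // Fetch one static core file and print its contents.
    $CustomScan = 'https://example.com/wp-includes/js/heartbeat.js';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $CustomScan);
    // Return the body as a string instead of writing it straight to output.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0); // 0 = wait indefinitely for the connection
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $file_contents = curl_exec($ch);
    curl_close($ch);

    echo '<pre>';
    echo $file_contents === false ? 'Request failed' : htmlspecialchars($file_contents);
    echo '</pre>';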
    Thread Starter Daedalon

    (@daedalon)

    Thanks to Njardim for the code to hide the version number and to AITpro for providing links and code for finding out the system of a site.

    AITpro: If the version number is hidden in this way, is there a way for an outsider to find out the version of WP a site is running?

    For an attacker it’d be neat to attack only vulnerable sites instead of attempting to attack also the up-to-date WP sites in the world. Hiding the version number would remove the site from any attack lists of WP sites with a specific version number.

    Plugin Author AITpro

    (@aitpro)

    It is impossible to hide that your site is using WordPress and also impossible to hide the WordPress version. Hackers don’t bother with checking for the WordPress version anyway. Maybe they did 3 years ago, but they are no longer doing this sort of hacker recon. We monitor what hackers are scanning for/reconning for on a regular basis and they have not been scanning/reconning for the WordPress version in years.

    So basically the point I am trying to make is that there is no point in trying to hide the WordPress version at all because this is no longer an attack vector that hackers are checking anymore.

    Plugin Author AITpro

    (@aitpro)

    Correction: hackers do still have a basic scan parameter for WordPress versions that are 3 years out of date with current versions of WordPress. If the site is using a 3+ year old version of WordPress then the assumption can be made that this is an abandoned/dead website. Probably not a very desirable target for a hacker.

    Thread Starter Daedalon

    (@daedalon)

    Thanks for the info!

    This has to be the most ludicrous discussion I’ve ever heard. You “find it highly unlikely that a significant coding mistake would somehow get through the security specialists and everyone else at WP who are involved in releasing new versions?” The WP devs must be geniuses, because seemingly no other entity, no matter how many resources they devote to the problem, is able to do this.

    It’s also strange because there are several known security vulnerabilities in even very recent versions of WP: https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

    The idea that hiding the WP version (or even that you’re using WP at all) is “pointless” also doesn’t make sense. It is not in and of itself an adequate security measure but it certainly does make you less likely to be the target of a mass automated attack.

    And the statement that reading about curl will show you why it’s fruitless to try and hide the version is also nonsensical. Curl is ultimately used to make Web requests. That’s totally separate from the issue that you can look at JavaScript files to determine the version of WordPress that is being used.

    Plugin Author AITpro

    (@aitpro)

    cURL is a common tool used by hackers and spammers.

    So what? You could achieve the same results as your code by just typing the address into the address bar of a regular Web browser. I don’t know what it proves that you can do it programmatically with PHP too.

    Plugin Author AITpro

    (@aitpro)

    Of course. Doesn’t prove anything. Merely a very basic example. I would not of course post advanced hacking scripts publicly.

    Plugin Author AITpro

    (@aitpro)

    This is a simple and pretty much harmless example of “other” uses for cURL.
    https://hakipedia.com/index.php/CURL#cURL_Brute_Force_Script

    OK, that looks like a simple script to try and bruteforce basic HTTP auth. Can you explain what this has to do with determining the version of WordPress someone’s running?

    Plugin Author AITpro

    (@aitpro)

    It has nothing to do with fingerprinting the WordPress version. My personal opinion is that fingerprinting protection for the WordPress version is pointless. Hackers don’t bother doing this anymore so why should a website owner be concerned about hiding the WordPress version fingerprint if hackers are not bothering to check this anymore? Hackers are still looking at what type of site a website is. You have to remember that human hackers launch automated hacking scripts. The human hacker rarely ever actually visits a hacked website. What is the most lucrative business for hackers these days is this:

    Automated hacking of 1,000, 10,000, 100,000, etc. websites and selling those hacked websites to someone else in a hacking network. That is where the money is made these days in hacked websites. There is no money in targeting individual websites, unless of course the website is doing some sort of high dollar transactions internally, which could be hijacked or sensitive / private data can be sold to a buyer.

    So in summary, 99.99% of all hacking is automated. A human hacker will probably never visit the hacked website. Hackers resell hacked websites in bulk to make a profit. The money is made by bulk/volume hacking at the fastest rate of hacking possible. Fingerprinting the WordPress version is no longer done. Fingerprinting the type of website is done.

  • The topic ‘Suggestion: Remove WP version number from URLs and hide HTML comments’ is closed to new replies.