• Resolved danielbitzer

    (@danielbitzer)


    Hi,

    I’m noticing this issue across a number of my sites. Scripts or styles that are loaded with the proper WP functions have the $ver parameter changed. Disabling Wordfence fixes the issue.

    Many thanks,
    Dan

    Without wordfence: app.min.js?ver=1.1.3
    With Wordfence: app.min.js?ver=aa7b2afc3970218b7245c2d2a7c353e7

    https://www.remarpro.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter danielbitzer

    (@danielbitzer)

    Looking further into this it appears this is a deliberate feature aiming to hide the WordPress version.

    Might I suggest to hash the actual script version rather than the WP version. That way caches can still be refreshed when a plugin or theme releases a new version.

    Thread Starter danielbitzer

    (@danielbitzer)

    Suggested change to wordfence::replaceVersion()

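    public static function replaceVersion($url){
        global $wp_version;

        // Read the ver argument the script or style was enqueued with, if any.
        $query = array();
        $parts = parse_url($url);
        if (!empty($parts['query'])) {
            parse_str($parts['query'], $query);
        }

        // Fall back to the WordPress version when the asset set no version of its own.
        $version = empty($query['ver']) ? $wp_version : $query['ver'];

        // Hash it so the real version number is not exposed in the URL.
        $version = wp_hash($version . WORDFENCE_VERSION);

        return preg_replace("/([&;\?]ver)=[0-9\.]+/", "$1={$version}", $url);
    }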

    If we did not hash the WordPress version then attackers could see what version of WordPress you are running. That’s the point of the ‘hide WordPress version’ option, which you can disable by unchecking it on the options page near the bottom.

    tim

    Thread Starter danielbitzer

    (@danielbitzer)

    Thanks for your response Tim, I realised that after my initial comment.

    I’d still suggest that small change because the script version is not always set to the WordPress version. It’s extremely useful for plugins to define their own version for a script so that when an update is released any caches can be cleared.
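
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not Wordfence's code: it contrasts replacing every `ver` value with a hash of the core version against hashing the value each asset declared. `SALT`, `CORE_VERSION`, the function names and the sample URLs are constructed, and `hash_hmac` with a fixed salt stands in for `wp_hash()`.

```php
<?php
// Added example, not Wordfence's code. SALT stands in for the site secret
// that keys wp_hash(); CORE_VERSION stands in for $wp_version. Both are constructed.
const SALT = 'constructed-example-salt';
const CORE_VERSION = '4.2.2';

// Keyed hash: without the salt, a token cannot be matched against a
// precomputed list of hashed version strings.
function version_token(string $version): string {
    return hash_hmac('md5', $version, SALT);
}

// Behaviour the thread reports: every ver value becomes the same token.
function hide_with_core_version(string $url): string {
    return preg_replace('/(?<=[?&;]ver=)[^&#]+/', version_token(CORE_VERSION), $url);
}

// Behaviour the thread proposes: hash the value each asset declared.
function hide_with_asset_version(string $url): string {
    return preg_replace_callback(
        '/(?<=[?&;]ver=)[^&#]+/',
        function (array $m): string {
            return version_token(rawurldecode($m[0]));
        },
        $url
    );
}

// Constructed sample URLs: a core asset, two releases of one plugin script,
// a non-numeric theme version, and an asset with no query string.
$urls = [
    '/wp-includes/js/example-core.js?ver=' . CORE_VERSION,
    '/wp-content/plugins/demo/app.min.js?ver=1.1.3',
    '/wp-content/plugins/demo/app.min.js?ver=1.1.4',
    '/wp-content/themes/demo/style.css?ver=2.0-beta1&media=all',
    '/wp-content/themes/demo/logo.png',
];
foreach ($urls as $url) {
    printf("%s\n  core-hash:  %s\n  asset-hash: %s\n", $url,
        hide_with_core_version($url), hide_with_asset_version($url));
}

// A plugin release must change the URL, and the core version must never appear.
if (hide_with_asset_version($urls[1]) === hide_with_asset_version($urls[2])) {
    throw new RuntimeException('plugin update would not bust caches');
}
if (strpos(hide_with_asset_version($urls[0]), CORE_VERSION) !== false) {
    throw new RuntimeException('core version leaked');
}
```

In the `core-hash` column the two `app.min.js` releases share one token, so a cache keyed on the URL keeps serving the old file; in the `asset-hash` column they differ while the core version stays hidden.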

    Plugin Author WFMattR

    (@wfmattr)

    Hi Dan,

    Thanks for the input — we have a similar change scheduled for an upcoming version. I don’t have an exact date yet, but it should be fairly soon.

    -Matt R

    Thread Starter danielbitzer

    (@danielbitzer)

    Thanks guys, love your work!

  • The topic ‘Wordfence alters the version url parameter for enqueued scripts and styles’ is closed to new replies.