What version of WordPress is behind that website?

Hi all, Dion here. Recently there have been a few “security through obscurity” discussions going around. I’m sick of them: it doesn’t work, and this is my proof.

There are a few plugins out there which hide the version number of WordPress. The first example I found was Secure WordPress, which has over 170k downloads. But does it actually do what it claims?

Hiding the version number is security through obscurity: you’re not making the install any safer, you’re merely not advertising which version you’re using.

But, do I hear you ask, “If they don’t know the version, doesn’t that mean I’m safer?”
The answer to that is threefold:

  1. Just because they (the mystical hackers) can’t see the version of WordPress you’re using doesn’t mean they’re not going to try the same attacks anyway; after all, it’s only an extra 3 mouse clicks to run every exploit against every plugin known to man.
  2. Most exploits in the WordPress world are related to plugins, simply because of the sheer number of them out there.
  3. And finally, because hiding the version number doesn’t hide the version of WordPress you’re using, which is the point of this tool/site.

To use an example, it’s like walking through a battlefield with your gun hidden: just because they can’t see your gun doesn’t mean you’re going to be able to walk through the middle of the battle; chances are, you’ll be shot anyway. Exploits are the same, they’ll attack anything that moves. The number of Joomla! or Drupal exploit attacks I see against my WordPress installs daily is enormous, and I’m sure Joomla! and Drupal installs see plenty of exploits that think the site is running WordPress. My point is, exploits don’t care, they’ll attack anyway.

Type the URL of a site below, whether it advertises the fact that it’s WordPress or not, and I’ll tell you instantly which version it’s running, or which version it’s most likely to be running:

PLEASE NOTE: This tool uses NOTHING PRIVATE. It is not connected to any WordPress.org infrastructure or other secret data. All the information this tool uses is gleaned from your WordPress installation, just the same as anyone else can do.
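As an added illustration (my own script, not Dion’s tool, whose internals the post doesn’t describe), here is a self-audit you can run against saved copies of your own site’s front page, RSS feed and readme.html to see whether the core version is still being exposed after a “hide version” plugin has done its thing. It checks the well-known places WordPress prints its version: the generator meta tag, the ?ver= query string appended to enqueued core assets, the feed’s generator element, and the Version line in readme.html. The sample documents below are constructed for the demo (6.4.3 and 3.7.1 are sample values), and the matching patterns are my assumptions about the markup, not part of this post.

```python
import re
from collections import Counter

# Constructed sample front page from a hypothetical site: a "hide version"
# plugin has stripped <meta name="generator">, but the ?ver= query strings
# WordPress appends to enqueued core assets are still present.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=6.4.3" media="all" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=6.4.3"></script>
<link rel="alternate" type="application/rss+xml" href="/feed/" />
</head><body><p>Hello world!</p></body></html>"""

# Constructed samples of the same site's RSS feed and readme.html.
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<title>Sample</title>
<generator>https://wordpress.org/?v=6.4.3</generator>
</channel></rss>"""

SAMPLE_README = """<html><body>
<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 6.4.3</h1>
</body></html>"""

GENERATOR_META = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
FEED_GENERATOR = re.compile(r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I)
README_VERSION = re.compile(r'Version\s+([\d.]+)')
# Only assets under /wp-includes/ are considered: theme and plugin assets
# carry their own version strings and would just add noise.
CORE_ASSET_VER = re.compile(r'/wp-includes/[^"\'\s]*\?ver=([\d.]+)', re.I)


def audit_version_leaks(html, feed=None, readme=None):
    """Return {source: version} for each place the core version shows up.

    html, feed and readme are the raw bodies of the front page, the RSS
    feed and readme.html. Pass None for documents you did not fetch.
    """
    leaks = {}
    m = GENERATOR_META.search(html)
    if m:
        leaks["meta generator"] = m.group(1)
    # Bundled libraries (jQuery in the sample) are enqueued with their own
    # version, so take the most common ?ver= value across core assets
    # rather than trusting the first one seen.
    asset_versions = Counter(CORE_ASSET_VER.findall(html))
    if asset_versions:
        version, _ = asset_versions.most_common(1)[0]
        leaks["core asset ?ver="] = version
    if feed:
        m = FEED_GENERATOR.search(feed)
        if m:
            leaks["feed generator"] = m.group(1)
    if readme:
        m = README_VERSION.search(readme)
        if m:
            leaks["readme.html"] = m.group(1)
    return leaks


def consensus_version(leaks):
    """Version reported by the most sources, or None if nothing leaked."""
    if not leaks:
        return None
    return Counter(leaks.values()).most_common(1)[0][0]


if __name__ == "__main__":
    found = audit_version_leaks(SAMPLE_HTML, SAMPLE_FEED, SAMPLE_README)
    for source, version in found.items():
        print(f"{source:20s} -> {version}")
    print("most likely core version:", consensus_version(found))
```

Run it against the sample and the generator tag is indeed gone, yet three other sources still agree on the same core version. That is the whole point: stripping one tag changes nothing about what the install reveals, let alone how exposed it is. If you want the version gone for real you have to deal with every one of these outputs, and even then the exploits will still come knocking.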

WordPress, what can’t it do?

WordPress can do almost everything thanks to its great Plugin API system. But now and then you just have to hack the core code to get what you want.

Left Bank Pictures has taken it a step further, however. Welcome to military hacking, Strike Back style.

If you’re wondering where/when, it appears at the start and end of Episode 5 of Series 1. The changes have since been merged into WordPress as well.

Second Class Citizen

Occasionally someone will pipe up and make you realise the sad truth about web developers, or for that matter programmers: we are second-class citizens in the eyes of many.

Gone are the days when making a computer do something different was cool. No, now it’s a job; anyone can do it, you’ve just got to learn to code. Heck, some people are purely programmers for a day job, with no outside interest in it.

There Are No Famous Programmers – Zed A. Shaw (http://sheddingbikes.com/posts/1275989245.html)
Let me tell you about this cool new web server. I figured out how to merge the ZeroMQ event polling system with the libtask coroutine library so that you can use libtask to handle tons of TCP/UDP and ZeroMQ sockets in a single thread. I then took this very cool hack, and started building a web server using my Mongrel HTTP parser, but I modified the parser so that the same server on the same port can handle HTTP or Flash XMLSockets transparently. The next step is to get this server to route HTTP and XMLSocket JSON messages to arbitrary ZeroMQ backends. I was inspired by this so much that I registered utu.im and may try to bring it back. Not sure how or when though.

Sounds cool right? Totally doesn’t matter one bit. I could hack on projects like this and nobody would care at all because I’m a famous programmer, and there is no such thing as famous programmers. I don’t exist. I’m an enigma.

And he’s right. Name a “successful” startup for which you can think of the name of the current CEO. I’m sure you can think of one. Did they write the product you associate with them, however? In most cases, no. They’re just the ones with the vision, the one with money, the one with the guts to say “This could work!”. Being a programmer isn’t enough anymore; you need a master’s degree in marketing, a bucket load of cash, and a face to put forward, and face it, you’re not it.

Gone are the days when a single person can be a superstar. Without help from others you’ll never reach gold, and if you do, be sure your programming days are long gone.