What version of WordPress is behind that website?

Hi all, Dion here. Recently there have been a few “security through obscurity” discussions going around. I’m sick of them: it doesn’t work, and this is my proof.

There are a few plugins out there which hide the version number of WordPress. The first example I found was Secure WordPress, which has over 170k downloads. But does it actually do what it claims?

Hiding the version number is security through obscurity. You’re not making the install any safer; you’re merely not advertising which version you’re using.

But, I hear you ask, “If they don’t know the version, doesn’t that mean I’m safer?”
The answer to that is threefold:

  1. Just because they (the mystical hackers) can’t see the version of WordPress you’re using doesn’t mean they’re not going to try the same attacks anyway; after all, it’s only an extra 3 mouse clicks to run every exploit against every plugin known to man.
  2. Most exploits in the WordPress world are related to plugins, simply because of the sheer number of them out there.
  3. And finally, because hiding the version number doesn’t hide the version of WordPress you’re using, which is the point of this tool/site.

To use an analogy, it’s like walking through a battlefield with your gun hidden: just because they can’t see your gun doesn’t mean you’ll be able to walk through the middle of the battle; chances are you’ll be shot anyway. Exploits are the same: they’ll attack anything that moves. The number of Joomla! or Drupal exploit attempts I see against my WordPress installs daily is enormous, and I’m sure Joomla! and Drupal installs see plenty of exploit attempts that assume the site is running WordPress. My point is, exploits don’t care; they’ll attack anyway.

Type the URL of a site below, whether or not it advertises that it’s WordPress, and I’ll tell you instantly which version it is running, or which version it is most likely to be running:


PLEASE NOTE: This tool uses NOTHING PRIVATE. It is not connected to any WordPress.org infrastructure or other secret data; all information that this tool uses is gleaned from your WordPress installation, just as anyone else can do.
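To show why stripping the generator tag alone doesn’t hide the version, here is a small self-audit script (added here as an example; it is not the tool behind this page) that scans a page’s HTML for the version signals a WordPress install exposes by default: the meta generator tag and the `?ver=` query string WordPress appends to its core (wp-includes) assets. The sample HTML is constructed for the example; run it against a saved copy of your own front page to see what your site still reveals.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class VersionSignalScanner(HTMLParser):
    """Collects every place a WordPress page reveals a core version string."""

    def __init__(self):
        super().__init__()
        self.signals = []  # list of (source, version) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = re.search(r"WordPress\s+([\d.]+)", a.get("content") or "")
            if m:
                self.signals.append(("meta generator", m.group(1)))
        # Core scripts/styles are enqueued with ?ver=<core version> by default;
        # bundled libraries (e.g. jQuery) carry their own version instead.
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            parts = urlparse(url)
            ver = parse_qs(parts.query).get("ver", [None])[0]
            if ver and "/wp-includes/" in parts.path and re.fullmatch(r"\d+(\.\d+)*", ver):
                self.signals.append((parts.path, ver))


def version_signals(html):
    scanner = VersionSignalScanner()
    scanner.feed(html)
    return scanner.signals


def likely_version(html):
    """Most frequent version string among the signals, or None if nothing leaks."""
    versions = [v for _, v in version_signals(html)]
    return max(set(versions), key=versions.count) if versions else None


# Constructed sample: a default front page advertising its version.
SAMPLE_ADVERTISED = """<html><head>
<meta name="generator" content="WordPress 2.9" />
<link rel="stylesheet" href="http://example.com/wp-includes/css/example.css?ver=2.9" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
<script src="http://example.com/wp-includes/js/comment-reply.js?ver=2.9"></script>
</head><body></body></html>"""

# Same page after a "hide the version" plugin strips only the generator tag.
SAMPLE_HIDDEN = SAMPLE_ADVERTISED.replace('<meta name="generator" content="WordPress 2.9" />\n', "")

if __name__ == "__main__":
    print("advertised:", likely_version(SAMPLE_ADVERTISED), version_signals(SAMPLE_ADVERTISED))
    print("hidden:    ", likely_version(SAMPLE_HIDDEN), version_signals(SAMPLE_HIDDEN))
```

Both samples resolve to the same version; the plugin only removed one of the three places it was written.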

Second Class Citizen

Occasionally someone will pipe up and make you realise the sad truth about web developers, or for that matter programmers: we are second-class citizens in the eyes of many.

Gone are the days when making a computer do something different was cool. No, now it’s a job; anyone can do it, you’ve just got to learn to code. Heck, some people are programmers purely for a day job, with no outside interest in it.

There Are No Famous Programmers – Zed A. Shaw (http://sheddingbikes.com/posts/1275989245.html)
Let me tell you about this cool new web server. I figured out how to merge the ZeroMQ event polling system with the libtask coroutine library so that you can use libtask to handle tons of TCP/UDP and ZeroMQ sockets in a single thread. I then took this very cool hack, and started building a web server using my Mongrel HTTP parser, but I modified the parser so that the same server on the same port can handle HTTP or Flash XMLSockets transparently. The next step is to get this server to route HTTP and XMLSocket JSON messages to arbitrary ZeroMQ backends. I was inspired by this so much that I registered utu.im and may try to bring it back. Not sure how or when though.

Sounds cool right? Totally doesn’t matter one bit. I could hack on projects like this and nobody would care at all because I’m a famous programmer, and there is no such thing as famous programmers. I don’t exist. I’m an enigma.

And he’s right. Name a “successful” startup whose current CEO you can name. I’m sure you can think of one, but did they write the product you associate with them? In most cases, no. They’re just the ones with the vision, the ones with money, the ones with the guts to say “This could work!”. Being a programmer isn’t enough anymore; you need a master’s degree in marketing, a bucketload of cash, and a face to put forward – and face it, you’re not it.

Gone are the days when a single person could be a superstar. Without help from others you’ll never reach gold, and if you do, be sure your programming days are long gone.

A Call to Arms

WordPress 2.9 was just released, and several users have run into a bug. Surprising? Not really. There’s one simple reason for this: while thousands of people test each and every WordPress release, those users are not you.

I’d like to use this as an example to all here of why WordPress needs your help. No, I’m not talking about coding help specifically; I’m talking about testing. WordPress requires that users test the product throughout the development period.

WordPress is an open source application written by hundreds of contributors. While those hundreds probably use the development version of WordPress every day, they do not use the same web host as you, nor do they have the same theme, nor the same requirements; they use different functions of WordPress than you do.

During the beta and RC stages, thousands of people download and test. These testers are end users like you. To prevent bugs getting into a released product, users must actually take part in the development of WordPress and report the bugs they encounter.

Testing WordPress is not just something that developers should do. If you use WordPress and enjoy using it, please take some time once every few months to test it. It’s announced on the Dev blog when betas are available, and on a default install of WordPress the Dashboard should have an RSS feed mentioning the releases too.

So please, for 3.0, when a beta is released (there are generally 2-3 weeks of beta, with 2-3 betas, from my quick recollection), install it on your website. It doesn’t have to be your main one; it can be in a subdirectory (i.e. your usual site at http://my-site.com/ and the test at http://my-site.com/testing/). Test that things work OK for you and your plugins. This does take an hour of your time, and I realise not everyone can afford it, but it may spare you 2-3 hours after a release, when a bug that affects you is found that a developer had not noticed.

WordPress requires your input. Whilst I agree there are some downsides to reporting bugs sometimes (please do not flame me with related messages here, I’m not after that; this is merely a request for more contributions), overall your contributions would be greatly appreciated by all.

To make it easier to test betas and nightly versions, Westi wrote this great plugin. It allows you to use the inbuilt upgrader to upgrade to a beta, making it easier for you to be involved with the project you love using.