What version of WordPress is behind that website?

Hi all, Dion here. Recently there have been a few “security through obscurity” discussions going around. I’m sick of them; it doesn’t work, and this is my proof.

There are a few plugins out there which hide the version number of WordPress. The first example I found was Secure WordPress; it has over 170k downloads. But does it actually do what it claims?

Hiding the version number is security through obscurity. You’re not making the install any safer; you’re merely not advertising which version you’re using.

But, do I hear you ask, “If they don’t know the version, doesn’t that mean I’m safer?”
The answer to that is threefold:

  1. Just because they (the mystical hackers) can’t see the version of WordPress you’re using doesn’t mean they’re not going to try the same attacks anyway. After all, it’s only an extra 3 mouse clicks to run every exploit against every plugin known to man.
  2. Most exploits in the WordPress world will be related to plugins; this is only due to the sheer number of them out there.
  3. And finally, because hiding the version number doesn’t hide the version of WordPress you’re using, which is the point of this tool/site.

To use an example, it’s like walking through a battlefield with your gun hidden: just because they can’t see your gun doesn’t mean you’re going to be able to walk through the middle of the battle; chances are, you’ll be shot anyway. Exploits are the same, they’ll attack anything that moves. The number of Joomla! or Drupal exploit attacks I see against my WordPress installs daily is enormous, and I’m sure Joomla! and Drupal installs see significant exploits thinking that the site is running WordPress. My point is, exploits don’t care, they’ll attack anyway.

Type the URL of a site below, be it advertising the fact it’s WordPress or not, and I’ll tell you instantly which version, or which version it’s most likely to be running:

PLEASE NOTE: This tool uses NOTHING PRIVATE. It is not connected to any WordPress.org infrastructure or otherwise secret data. All information that this tool uses is gleaned from your WordPress installation, just the same as anyone else can do.
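To see why stripping the version number does not hide it, the sketch below audits the rendered markup of a page from your own site for the places a version string still appears. It is an added example, not code from this tool or from any plugin named here: the post does not say which signals the tool reads, so the two checked here (the generator meta tag and the `ver=` query argument on assets under `/wp-includes/` or `/wp-admin/`) are chosen for illustration, and the sample markup is constructed.

```python
import re
from collections import Counter
from html.parser import HTMLParser

VERSION = r"(\d+\.\d+(?:\.\d+)?)"
GENERATOR = re.compile(r"WordPress\s+" + VERSION, re.I)
CORE_ASSET = re.compile(r"/wp-(?:includes|admin)/[^?\s]*\?(?:.*&)?ver=" + VERSION)

# Constructed sample markup (not taken from any real site).
WITH_GENERATOR = """<html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
</head><body></body></html>"""
# The same page after a plugin strips only the generator tag.
GENERATOR_HIDDEN = WITH_GENERATOR.replace(
    '<meta name="generator" content="WordPress 6.4.2">\n', "")


class LeakAudit(HTMLParser):
    """Record each place the markup discloses a version string."""
    def __init__(self):
        super().__init__()
        self.leaks = []  # (signal, version) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = GENERATOR.search(a.get("content", ""))
            if m:
                self.leaks.append(("generator-meta", m.group(1)))
        m = CORE_ASSET.search(a.get("href", "") or a.get("src", ""))
        if m:
            self.leaks.append(("core-asset-ver", m.group(1)))


def audit(html):
    """Return (leaks, most likely core version or None)."""
    p = LeakAudit()
    p.feed(html)
    # Bundled libraries (jQuery here) carry their own version, so the most
    # common value is only the likely core version, not a certainty.
    votes = Counter(v for _, v in p.leaks)
    return p.leaks, (votes.most_common(1)[0][0] if votes else None)


if __name__ == "__main__":
    for name, page in (("shown", WITH_GENERATOR), ("hidden", GENERATOR_HIDDEN)):
        print(name, audit(page))
```

Both sample pages yield the same likely version, which is the post's point: removing the tag changes what is advertised, not what is disclosed.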

Introducing: “TwentyTen: Remove Max Editor Width”

(Download Link)

The new TwentyTen WordPress theme is a pretty awesome theme if you ask me. Written by decent people who know what they’re doing (unlike many other themes out there — which, whilst shiny on the outside, can be a rabbit’s nest underneath).

The theme only has one problem to me — and as I’ve noticed, to some other people as well. In fact, it’s annoying me right now, just writing this post.

So, what is it?

It’s the limitation of limiting your TinyMCE (that’s your visual text editor on the New Post screen) window to 640px. It does have some uses, but for someone like me, just writing text and not caring about the benefits, it can be downright annoying.

Oh, I nearly forgot, it also applies to fullscreen mode. So for people with a 1200px wide monitor... well... you get the idea (if you don’t, it means your post will be using the leftmost 53% of the screen). This is actually a limitation of TinyMCE not being able to distinguish between inline and fullscreen edit modes, to be fair, but is still a PITA all the same.

Do try and use it yourself, however; I quite like it for aligning images, but not for general purpose posts.

So, what’s the benefit exactly?

Floating images. When was the last time you were writing a blog post, and tried to insert an image, then hit preview, and found it was in a completely different place than you were expecting? And that the text was flowing badly around it? Well, this allows you to have a preview of how the actual post WILL look right in the WordPress new Post administration panel. Pretty cool in general, a downright pain to others.

So, what can I do about it?

I’ve written this short (seriously, there’s more comments than code in this plugin) plugin which allows your editor to regain its innermost full content width.

You can download the plugin from the WordPress.org repository Here. But since the plugin isn’t actually live yet (awaiting creation) you may download it HERE instead.

Revision Control 2.0 Beta

The time has come for a beta release of Revision Control 2.0. I would also like to announce that I’ve cracked the 20k downloads on a plugin! Currently it’s standing at 0.

Download 2.0-beta Now. Download POT file for Translations

Things to note of this release:

  • Fully rewritten from scratch
  • Better support for multiple post types
  • 100% API usage, less chance of breaking something
  • Revisioning of Categories and Tags (well, any taxonomy really!) – One limitation: it doesn’t restore this, that’s for the next revision :)
  • WordPress 2.9+ only.

Compatibility with older releases: I’ve not 100% tested backwards compatibility; that will come this next week. For new users, you’ll have no problems. For existing users, you should be warned that your settings may not be remembered; more testing needs to happen to verify that it works in 100% of cases.

If you’d like to submit a translation of this plugin, or encounter a bug, just send it along to wordpress@dd32.id.au

Thank you to all,
Dion

EDIT: Release Date: 24th Jan 2010 – approximately.
EDIT2: Updated the POT and .zip locations, There were a few translation issues.

A Call to Arms

WordPress 2.9 was just released, and several users have run into a bug. Surprising? Not really. There’s one simple reason for this: while thousands of people test each and every WordPress release, these users are not you.

I’d like to use this as an example to all here of why WordPress needs your help. No, I’m not talking about coding help specifically, I’m talking about testing. WordPress requires that users test the product throughout the development period.

WordPress is an open source application written by hundreds of contributors. While those hundreds probably use the development version of WordPress every day, they do not use the same webhost as you, nor do they have the same theme, nor do they have the same requirements. They use different functions of WordPress than you.

During the beta and RC stages, thousands of people download and test. These testers are end users like you. In order to prevent these bugs getting into a released product, it requires that users actually take part in the development of WordPress and report the bugs encountered.

Testing WordPress is not just something that developers should do. If you use WordPress and enjoy using it, please take some time once every few months to test WordPress. It’s announced on the Dev blog when betas are available. On a default install of WordPress, the Dashboard should have an RSS feed mentioning the releases too.

So please, for 3.0, when a beta is released (there’s generally ~2-3 weeks of beta, with 2-3 betas from my quick recollection), install it on your website. It doesn’t have to be your main one; it can be in a subdirectory (i.e. your usual one at http://my-site.com/ and the test at http://my-site.com/testing/). Test that things work OK for you and your plugins. This does take an hour out of your time, and I realise not everyone can afford it, but it may spare you 2-3 hours of your time when, after a release, a bug that affects you is found that a developer had not noticed.

WordPress requires your input. Whilst I agree there are some downfalls in reporting bugs sometimes (please do not flame me with related messages here, I’m not after that; this is merely a request for more contributions), overall, your contributions would be greatly appreciated by all.

In order to make it easier to test betas and nightly versions, Westi wrote this great plugin. It allows you to use the inbuilt upgrader to upgrade to a beta, to make it easier for you to be involved with the project you love using.