A bit of security by obscurity


I’m writing this post in case you are not aware of a couple of “features” of WordPress that concern me. WordPress has decided to include in the HTML head tag:

  1. What version of WordPress is running, and
  2. Hooks for Windows Live Writer

The headers look something like this:

<link rel="EditURI" type="application/rsd+xml" title="RSD"
     href="http://www.yourblog.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml"
     href="http://www.yourblog.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 2.7" />

Sometimes I’m a bit paranoid, but I don’t see any reason to advertise what version of WordPress I’m using. Why put information directly into people’s hands that can tell them what vulnerabilities are in your installation? It’s a simple task to go look up what’s vulnerable in a specific version. Along with that, if you’re not using Windows Live Writer, why expose the manifest and EditURI? Someone has even reported problems with anti-virus software interfering with access to their WordPress blog and potentially tied it back to the Windows Live Writer headers.

These three headers are injected as part of the wp_head() function call that typically sits in a theme’s header.php. We have the choice of removing that function call, which would also break any other hooks that print into the head, or we can find some plugins to help us.
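As an added example (not code from the original post or from the plugins mentioned below), the same result can be had without a plugin by unhooking the three core callbacks from the wp_head action. The callback names wp_generator, rsd_link and wlwmanifest_link are the WordPress core functions that print these tags; the plugin name and the example_ function name are my own choices.

```php
<?php
/*
Plugin Name: Strip Head Fingerprints (example)
Description: Removes the generator, RSD and WLW manifest tags that wp_head() prints.
*/

// Bail out if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Unhook the three core callbacks that emit the tags in question.
 * Core registers them at default priority 10, so the plain remove_action()
 * call matches them. Running on 'init' guarantees they are already
 * registered by the time we remove them.
 */
function example_strip_head_fingerprints() {
    // <meta name="generator" content="WordPress x.y" />
    remove_action( 'wp_head', 'wp_generator' );
    // <link rel="EditURI" ... href=".../xmlrpc.php?rsd" />
    remove_action( 'wp_head', 'rsd_link' );
    // <link rel="wlwmanifest" ... href=".../wp-includes/wlwmanifest.xml" />
    remove_action( 'wp_head', 'wlwmanifest_link' );
}
add_action( 'init', 'example_strip_head_fingerprints' );

/**
 * The version string is also written into RSS/Atom feeds through the
 * 'the_generator' filter; returning an empty string blanks it there too.
 */
function example_blank_generator( $generator, $type ) {
    return '';
}
add_filter( 'the_generator', 'example_blank_generator', 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it, or paste everything below the header comment into the theme’s functions.php, then fetch a page and a feed and confirm the three tags and the generator line are gone. Keep in mind this hides one fingerprint only: the version is still readable from readme.html in the web root and from the ?ver= query strings WordPress appends to enqueued scripts and styles, so it is one thin layer, in keeping with the title of this post.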

I was able to find two nice plugins over at http://blog.taragana.com:

Two uploads and two activations later and my concerns are soothed.

