Posts Tagged ‘concerns’

A bit of security by obscurity

January 13, 2009

I’m writing this post in case you are not aware of  a couple of “features” of WordPress that concern me.  WordPress has decided to include in the HTML head tag:

  1. What version of WordPress is running, and
  2. Hooks for Windows Live Writer

The headers look something like this:

<link rel="EditURI" type="application/rsd+xml" title="RSD"
     href="http://www.yourblog.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml"
     href="http://www.yourblog.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 2.7" />

Sometimes I’m a bit paranoid, but I don’t see any reason to advertise what version of WordPress I’m using.  Why put information directly into peoples hands that can tell them what vulnerabilities are in your installation?  Its a simple task to go look up what’s vulnerable in a specific version.  Along with that, if you’re not using Windows Live Writer, why expose the manifest and EditURI?  Someone has even reported problems with anti-virus software interfering with access to their WordPress blog and potentially tied it back to the Windows Live Writer headers.

These three headers are injected as part of the wp_head() function call that’s typically in the header.php of a theme.  We have the choice of removing that function call which potentially interferes with other header hooks or we can find some plugins to help us.

I was able to find two nice plugins over at http://blog.taragana.com:

Two uploads and two activations later and my concerns are soothed.