The WordPress Meta “generator” Tag Paranoia
…or “WordPress Version Fingerprinting”
I have read dozens of “How to secure your WordPress” articles, and one common “tip” among others is getting rid of the “generator” tag in the HTML head, for additional security through obscurity.
WordPress uses the meta “generator” tag to “disclose” its version. The paranoia surrounding this fact is unbelievable, and they think that by removing it they harden WordPress. And that is absolutely not true.
Here’s why: https://codeseekah.com/readme.html. See that? That works on all WordPress sites. The readme.html is shipped with every version of WordPress since at least 1.5. Will they be scared now? None of the tutorials on how to remove the “generator” tag ever mention this file. There’s no point in “patching” one hole without “patching” another, is there? Water will still come through.
Okay, let’s delete or rename the readme.html file. That won’t help either. With a little bit more work we can still find out what WordPress version is running. How?
Fingerprinting WordPress
WordPress is constantly evolving with new features and fixes. Changes are made to static files as well, so by scanning those we can generate fingerprints (calling them “signatures” works equally well) and then compare them.
The starting point would be the WordPress source code, which we’ll parse and compile a list of fingerprints in iterations. Here’s how the first iteration would look:
WordPress 1.5
Has a wp-admin.css file. Contents would be hashed, potential targets would be scanned for this file.
WordPress 2.0
JavaScript is introduced. A /wp-includes/js/ folder now exists that will contain all the files that are necessary for generating and comparing fingerprints/signatures. The db-key.js is one file that introduced in this version.
WordPress 2.1
autosave-js.php is introduced.
WordPress 2.2
autosave-js.php is moved to autosave.js. jQuery introduced.
WordPress 2.3
prototype.js has changed in relation to previous version.
WordPress 2.5
list-manipulation.js is gone. autosave.js has been changed. Would be hashed and checked against.
WordPress 2.6
wp-ajax.js is gone. autosave.js has new changes again, a new fingerprint.
WordPress 2.7
comment-reply.js has been introduced among a couple of other files and changes.
WordPress 2.8
Minification is introduced. swobject.js is present in this version.
WordPress 2.9
autosave.js has its unique share of content, meaning a unique hash. json2.js is introduced.
WordPress 3.0
autosave.js is different again. codepress with all its files is gone.
WordPress 3.1
admin-bar.js is introduced.
WordPress 3.2
autosave.js is now of different size an content.
WordPress 3.3
Plupload is introduced, meaning plupload.js is available.
This is only the beginning, these are example files that change. Combinations of files and changes would be built into complex fingerprints or signatures and a site would be scanned against them version by version, excluding versions as it goes. For example:
- does plupload.js exist?
- WordPress 3.3 gets -= 1 point
- is autosave.js md5 hash ….?
- WordPress 3.2 gets += 1 point
The version with most points would then be selected, runners up could be displayed in case some versions overlap or you decide to fingerprint minor WordPress versions as well. Fingerprint patterns can be weighted for additional accuracy. Simple. Will take a little more work than writing a parser for index.html or the “generator” tag, but works and can seldom be fooled. Think of added images, the wp-admin directory has also got a js directory with static files, maybe themes.
Further reading
- Web App Version detection using fingerprinting – explains fingerprinting in more detail, using WordPress as an example.
- Hardening WordPress – ’nuff said!
- Plecost – included in BackTrack, Blackbuntu, BlackBox – written in Python, identifies WordPress version by reading the readme.html, provides report on installed plugins and their versions, etc.
Conclusion
So, don’t remove the “generator” tag. They’ll find out what version you’re running regardless. Leave it there, and place the $wp_version
global in the footer of your site, as a reminder to keep it up-to-date at all times and keep you on your toes at all times. Subscribe to the WordPress releases archive to be in the know.
Stay safe.
Also there’s a good chance that a new version of jQuery is included in every new WP version. Checking the version of jQuery in wp-includes may give the attacker a clue of what version of WP the site is running.
Indeed. There are many ways in which WordPress can be fingerprinted. I like this article https://kovshenin.com/2013/dont-hide-the-fact-that-youre-using-wordpress/ about hiding WordPress.
[…] any plugins or hacks changing or hiding the “generator” meta tag, the readme file and so on. A great post by my brother Gennady illustrates […]
[…] Även om du försöker att dölja din version av WordPress, finns det alltid flera vägar för att få reda på vilken version just du använder. En del exemple och mer information om just det finns här: discover what WordPress version […]
I completely agree with Gennady that by hiding the meta generator we are actually not hiding wordpress versions. readme.html and license.txt are always there open the truth is n’t there any way to hide readme and license??
Why would you hide them, the article clearly explains how to fingerprint WordPress even if you’ve hidden stuff, by looking at JavaScript library versions, theme CSS header versions, etc.
[…] 2. There are hundreds of ways to know that you are using WordPress and its version. […]
[…] Fact That You’re Using WordPress whereas his brother, Gennady (Security Consultant) wrote about The WordPress Meta “generator” Tag Paranoia. And I tend to agree with both of them on […]
I’m seeing everywhere why we should or should not remove this tag…but what I want to know is what is the actual point of it? If it serves no purpose then why not remove it? It is a waste of a meta tag…why add pointless junk to your website?
It seems to have started as a vanity tag. Today the most useful point lies in the collection of statistics on what powers the web. In any case, it’s less junk than the badges on automobiles 🙂
See https://core.trac.wordpress.org/ticket/23394 and https://core.trac.wordpress.org/ticket/32805 for potential discussions.
[…] are multiple means for hackers to detect the type of CMS that is being used, along with ways to discover the WP version number. Additionally, most WP plugins and features function according to the default location of the […]
[…] are multiple means for hackers to detect the type of CMS that is being used, along with ways to discover the WP version number. Additionally, most WP plugins and features function according to the default location of the […]
[…] to cover up your own WordPress variant number, you can find certainly a great number of methods to find what WordPress variant you are using only by being comfortable with the gaps between […]