As previously noted, here is another part of my Hardening WordPress series. This time I’ll show you the really basic technique of obfuscating at least the generator tag of your blog.
The generator tag is the one in the source code that looks like <meta name="generator" content="WordPress version" />. Usually it provides visitors and search engines with meta information about which software you use, in which version. But it is also helpful to attackers: when they know which software and which version you run, they can narrow their attacks to the known issues of that version. So it’s not a good idea to expose this information on your blog. This information can also help attackers write scripts that attack your blog automatically.
So the most basic step is to tell WordPress to remove this information, which is done by adding a few lines to the functions.php within the theme folder (the plugin bs-wp-noversion will do the same thing without modifying any theme files):
remove_action('wp_head', 'rsd_link'); // remove Really Simple Discovery entry
remove_action('wp_head', 'wlwmanifest_link'); // remove Windows Live Writer link
remove_action('wp_head', 'wp_generator'); // remove version output
The most important thing here is that you remove the WordPress version from the header AND from the feeds.
And finally: Don’t forget to remove the files readme.html and license.txt from the root folder, as an intruder may look at them to determine the version. Be aware: these files have to be removed again every time you update your WordPress core.
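The steps above, collected into one small must-use plugin. This is an added example written for this post; it is neither the post’s own snippet nor the bs-wp-noversion plugin. It assumes a standard WordPress install (the hooks wp_head, the_generator, style_loader_src, script_loader_src and upgrader_process_complete, and the ABSPATH constant are WordPress core); the hwv_ function names are my own. Besides the header, it clears the generator from every feed type via the the_generator filter, which the remove_action call alone does not do, and it goes one step beyond the post by also stripping the ?ver= query argument that WordPress appends to enqueued scripts and styles, because that argument defaults to the core version.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example)
Description: Example code for the Hardening WordPress post, not the post's own
snippet or the bs-wp-noversion plugin. Save as wp-content/mu-plugins/hide-version.php.
*/

// 1. Generator tag: remove it from the HTML <head> ...
remove_action( 'wp_head', 'wp_generator' );
// ... and from every feed (RSS 2, Atom, RDF, comment feeds). WordPress passes
// all generator output through the 'the_generator' filter, so returning an
// empty string silences the feeds as well as the header.
add_filter( 'the_generator', '__return_empty_string' );

// 2. RSD and Windows Live Writer links also reveal that the site is WordPress.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// 3. Beyond the post: enqueued scripts and styles that declare no version of
//    their own get "?ver=<core version>" appended. Drop the argument so the
//    version does not leak through asset URLs. The late priority runs the
//    filter after plugins that may still add the argument.
function hwv_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hwv_strip_version_query', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_version_query', 9999 );

// 4. readme.html and license.txt come back with every core update. Delete them
//    right after a core upgrade finishes instead of remembering to do it by hand.
//    upgrader_process_complete receives the upgrader object and a $hook_extra
//    array whose 'type' is 'core' for core updates.
function hwv_remove_version_files( $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['type'] ) || 'core' !== $hook_extra['type'] ) {
        return;
    }
    foreach ( array( 'readme.html', 'license.txt' ) as $file ) {
        $path = ABSPATH . $file; // ABSPATH is the WordPress root directory
        if ( file_exists( $path ) ) {
            unlink( $path );
        }
    }
}
add_action( 'upgrader_process_complete', 'hwv_remove_version_files', 10, 2 );
```

Because the file lives in mu-plugins it is loaded before the theme and before regular plugins, so the remove_action calls run after WordPress has registered its default wp_head handlers but cannot be forgotten when you switch themes. After activating it, check the page source, the RSS and Atom feeds, and the src attributes of enqueued assets: none should contain the core version any more.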
Additionally you can include some fake generator tags within the header of your theme, like:
<meta name="generator" content="Movable Type v3.2" />
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
<meta name="generator" content="TYPO3 4.1 CMS" />
<meta name="generator" content="Yahoo! SiteBuilder/2.4/1.5.0_02" />
<!--
This website is powered by TYPO3 - inspiring people to share!
TYPO3 is a free open source Content Management Framework initially created by Kasper Skaarhoj and licensed under GNU/GPL.
TYPO3 is copyright 1998-2006 of Kasper Skaarhoj. Extensions are copyright of their respective owners.
Information and contribution at http://typo3.com/ and http://typo3.org/
-->
Unfortunately an intruder can still spot the many references to „wp-includes“ and „wp-content“ on your page and at least determine that you’re using WordPress. There are several other strategies to obfuscate your WordPress installation up to a point where it is really difficult for an intruder to tell which blogging software you use at all.
But this is, for now, beyond the scope of this post (as it requires lots of changes to your theme and a lot of rewrite rules in your .htaccess files to hide everything).
Perhaps later on I’ll tie some of my personal functions together into a plugin that does this automatically.