dynamicinternet Webdesign


Hide the WordPress version?

There have been, and still are, occasional discussions about whether hiding the WordPress version number adds anything to the security of a blog. Here are a few quite interesting remarks by Otto from the wp-testers mailing list, in his original wording:

Hiding the version number will not make the exploitation of a critical vulnerability harder. Not even a little bit. Really. Look at it from the point of view of an attacker. There are two possible scenarios to consider:

Scenario 1: Cracker wants to exploit a lot of sites and stick his spam on them. This is the most common case.

In this scenario, the cracker gets a big list of vulnerabilities, and spams them across every site he can find. When one of them strikes paydirt, the “load” is injected, which then goes and cracks every piece of software on that server possible. You see this a lot on shared hosting setups, once the exploit is performed, a script is loaded which searches all possible injection points on that server and writes his spam into everywhere it can find to do so. This infects many more sites on that server with the link spam, and causes potentially hundreds of sites to now have links back to the spammer’s stuff.

This is a common case because it’s an easy one. Software exists to do exactly this sort of thing. Vulnerabilities are circulated in plug-and-play forms for these specific types of software. Exploits/injections are pluggable as well, and can be easily adapted to any spam you want to use. In literally a matter of minutes, with zero code being written by the attacker, somebody can create a system using nothing but plug-and-play modules that will attempt to exploit hundreds of known vulnerabilities on a list of millions of websites, and it can even run on a distributed system (botnet). All it requires is money and a lack of morals.

Note that NONE of this involves ever caring what version of the WordPress software you are running. Indeed, they don’t even care that you are running WordPress. It’s simply one of the many different packages with exploits coded into their exploit pack. Indeed, checking your version before attempting to exploit you doesn’t really save them anything. Time, perhaps, but only slightly, and only if the software is smart enough to care (95% of these programs are not; they just spam a series of hacks and check for success/failure).

Scenario 2: Somebody with a revenge fixation decides they want to hack you, specifically.

In this scenario, they can quickly tell that you’re running WordPress.
a) Assuming you’re not hiding your version, then they look for exploits for that version.
b) Assuming you’re running the latest version, then they won’t find any and you’re safe.
c) Assuming they’re slightly smarter than that, they do some easy-to-do searches, find exploitable software running on other websites, but on the same shared host as you, and hack you that way.
d) Failing all this, they stamp their feet and give up.

Now, in your situation, you want to hide the version of WordPress.
This stops them from looking for specific exploits. However, a list of generic WordPress exploits for several versions *is just as good to them*. They can sit there and try half a dozen exploits, no problem.
It doesn’t take them any more time, really. Just a few extra HTTP requests. If they don’t know how to do this sort of thing themselves, then they download a bunch of script kiddie hacks and run them all, hoping that one hits. The point being that they are not significantly slowed by this sort of preventative medicine. And anyway, assuming you’re running the latest version and therefore “safe”, it makes no difference anyway.

Now, you might be considering scenario 3: zero-day exploits. An exploit is discovered against the latest version, so there is a limited amount of time to exploit it before it is patched. Having your version hidden means you don’t show up in searches for that version.
Problem with that sort of thinking is that they’re not searching for sites with a specific version. They just keep a single list of known websites for that sort of thing. When a zero-day is discovered, they spam it across to all of them. Searching takes too much time. It’s easier to simply keep a list of a whole crapload of sites, then spam them all. And version checking is not done here either, because it’s faster to attempt the hack than it is to a) check for vulnerability and then b) attempt the hack. Trying the hack takes the same time as checking for the version number, so why bother? Makes no sense.

Hiding the version is simply ineffective, in all respects. It does nothing that is even slightly helpful for your site. It deters nobody.

-Otto
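Otto's point in scenario 2 is that an attacker "can quickly tell that you're running WordPress" whatever you do with the version string. The following is an added example, not code from Otto or from this blog: it fingerprints a page from the well-known WordPress defaults (the `<meta name="generator">` tag, asset URLs under `/wp-content/` and `/wp-includes/`, the `?ver=` query strings WordPress appends to enqueued scripts and styles, and the pingback link to `xmlrpc.php`) and then shows what remains after the usual "hide the version" tweak of removing the generator tag. The sample HTML, hostname and version strings are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not captured from a real site): a typical WordPress
# front page with the default generator tag still in place. The host and the
# version strings are placeholders chosen for the example.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<link rel="stylesheet" href="https://example.invalid/wp-content/themes/twentyten/style.css?ver=2.8.4" />
<script src="https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
<link rel="pingback" href="https://example.invalid/xmlrpc.php" />
</head><body><p>Hello world</p></body></html>
"""


class _AttrCollector(HTMLParser):
    """Collects the generator meta content and every src/href attribute value."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href"):
            if a.get(key):
                self.urls.append(a[key])


def fingerprint(html):
    """Return the WordPress indicators found in the HTML.

    Indicators are all default WordPress behaviour: the generator tag,
    asset paths under /wp-content/ or /wp-includes/, the ?ver= query
    string appended to enqueued assets (core assets carry the WordPress
    version by default; plugins and themes may set their own), and the
    pingback link to xmlrpc.php.
    """
    p = _AttrCollector()
    p.feed(html)
    wp_paths = [u for u in p.urls if "/wp-content/" in u or "/wp-includes/" in u]
    versions = sorted({
        m.group(1) for u in p.urls
        for m in [re.search(r"[?&]ver=([\w.\-]+)", u)] if m
    })
    pingback = any(u.endswith("xmlrpc.php") for u in p.urls)
    has_generator = p.generator is not None and "wordpress" in p.generator.lower()
    return {
        "generator": p.generator,
        "wp_paths": len(wp_paths),
        "versions_in_urls": versions,
        "pingback": pingback,
        "is_wordpress": has_generator or bool(wp_paths) or pingback,
    }


def strip_generator(html):
    """Simulate the common 'hide the version' tweak: drop the generator meta tag."""
    return re.sub(r'<meta\s+name="generator"[^>]*>\s*', "", html, flags=re.I)


if __name__ == "__main__":
    print("with generator tag:   ", fingerprint(SAMPLE_HTML))
    print("generator tag removed:", fingerprint(strip_generator(SAMPLE_HTML)))
```

Run stand-alone, the second line shows `generator` as `None` but `is_wordpress` still `True`, two `/wp-content/`/`/wp-includes/` asset paths, the pingback link, and the same version strings still visible in the `?ver=` query strings. Removing the tag therefore changes nothing for an attacker who, as Otto says, simply tries a handful of exploits against anything that looks like WordPress.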

2 comments
  1. thomas57 says:

    Good morning,
    If I have understood Otto's comment correctly, then removing or obscuring the version number would achieve nothing.
    Apparently the exploits belonging to the various WP versions are also collected, possibly in a list, and the hacker then simply picks from that list and runs his attacks one after the other.
    But as I said, maybe I am just seeing this too pessimistically.
    Greetings from the north,
    Thomas

  2. Micha says:

    Yes, that is how it looks. That is why it is more important to always use the current WP version than to believe you can achieve anything by hiding the version.
