I know

what your WP version is

Arūnas Liuiza

WordPress Core Contributor, WordPress Kaunas Meetup co-organizer, WordCamp (Lithuania, Riga, Stockholm, Jyväskylä, Oslo, Norrköping) speaker and one of the editors of the Lithuanian WordPress translation team.

Free & premium WordPress plugin developer

Software Engineer at

For Developers

deployer.seravo.com - a service that syncs WordPress plugins from GitHub to WordPress.org automatically.
 

TryoutWP.com - a service to spin up live temporary demo sites for WordPress plugins and themes.

I know
what your WP version is

And that's alright

Security through obscurity

Reliance in security engineering on design or implementation secrecy as the main method of providing security.

If they do not know what software you use, they can't hack you.

Rogues are very keen in their profession, and know already much more than we can teach them

- Alfred Charles Hobbs,1851

Why it does not work?

• Stupid bots do not care
   
• Smart humans can overcome it
   
• Other methods - much more efficient

Stupid bots

• Target popular technologies
   
• Do no checks on software in particular server
   
• Just try running known exploits
   
• Rely on the law of large numbers

Other methods

• Timely updates
   
• Web Application Firewall
   
• Disabling direct access to PHP files
   
• 2-factor authentication
   
• Proper access right management
  
  ....

Let's play a game

• Give me an address of a WP site
   
• I'll try to find the WP version that site is running
   
• Sure, I am cheating a little bit.

/whois Asset fingerprinting

Instead of looking for clues in code, generated by WordPress, we can look at WordPress Core files.

Particularly, assets ( js, css, icons, fonts, images, licenses, etc).

/wp-content is no use

/wp-admin you can move/hide

/wp-includes - not so much

/whois Asset fingerprinting

Questions?