I know
what your WP version is
Arūnas Liuiza
For Developers
deployer.seravo.com - a service that syncs WordPress plugins from GitHub to WordPress.org automatically.
TryoutWP.com - a service to spin up live temporary demo sites for WordPress plugins and themes.
I know
what your WP version is
And that's alright
Security through obscurity
Reliance in security engineering on design or implementation secrecy as the main method of providing security.
If they do not know what software you use, they can't hack you.
Rogues are very keen in their profession, and know already much more than we can teach them
- Alfred Charles Hobbs,1851
Why it does not work?
- Stupid bots do not care
- Smart humans can overcome it
- Other methods - much more efficient
Stupid bots
- Target popular technologies
- Do no checks on software in particular server
- Just try running known exploits
- Rely on the law of large numbers
Other methods
- Timely updates
- Web Application Firewall
- Disabling direct access to PHP files
- 2-factor authentication
- Proper access right management
....
Let's play a game
- Give me an address of a WP site
- I'll try to find the WP version that site is running
- Sure, I am cheating a little bit.
/whois Asset fingerprinting
Instead of looking for clues in code, generated by WordPress, we can look at WordPress Core files.
Particularly, assets ( js, css, icons, fonts, images, licenses, etc).
/wp-content is no use
/wp-admin you can move/hide
/wp-includes - not so much
/whois Asset fingerprinting
{
"4.9.8": {
"file": "wp-includes/js/tinymce/plugins/wordpress/plugin.js",
"hash": "e6b4fc0ca4804f019468aab230449c61b508948a"
},
"5.0": {
"file": "wp-includes/js/media-views.min.js",
"hash": "8b47e100869f5553df66694e4b44eb42126d95f9"
},
"5.1": {
"file": "wp-includes/js/wplink.js",
"hash": "6889c85f61c8786c266553216f8170c03f19bd80"
},
"5.2": {
"file": "wp-includes/js/media-views.min.js",
"hash": "54e88cc265a36ba3d344aad0b0292bfdb81789cc"
}
}Questions?
