[wp-trac] [WordPress Trac] #23394: Remove version from readme.html / Upgrade core doesn't restore the file

WordPress Trac noreply at wordpress.org
Tue Feb 5 21:46:03 UTC 2013


#23394: Remove version from readme.html / Upgrade core doesn't restore the file
---------------------------+----------------------
 Reporter:  momo360modena  |       Owner:
     Type:  enhancement    |      Status:  closed
 Priority:  normal         |   Milestone:
Component:  General        |     Version:
 Severity:  normal         |  Resolution:  invalid
 Keywords:                 |
---------------------------+----------------------

Comment (by nacin):

 Some of the security plugins out there do a few decent things that can
 improve the security of a site. Pretty much every example is things that
 we could not reliably do in core, for reasons such as wide server support.
 Most plugins — and most things done by even some of the good plugins — are
 overzealous, dangerous, ill-informed, or resort to scaring users with
 things that they don't need to be bothered with or take action on. All in
 the name of "security".

 > The file shows the version number of WordPress easily ... Security
 (Version disclosure)

 With publicly accessible web application software, there is no way to
 prevent version detection. The readme and generator versions are just the
 fairly cheap ways to do it. My favorite is looking at publicly accessible
 CSS and JS files, but there are many others. Script kiddies blindly attack
 sites. They don't sniff version numbers first. Even if they did, this
 means they're looking for core vulnerabilities. (Of which there are few,
 and anything of note requires a user account these days, at a minimum.)
 So, you're either running an out of date version — don't hide the version
 number, *update* — or you're running the latest (at which point, that's on
 us, and no suppressing that version is going to help you).

 There's one thing I could go for, as proposed here: on one-click upgrades,
 don't copy readme.html back over if it is gone. Same as we do for bundled
 default themes. But I'm not agreeing to this for security reasons. Beyond
 license.txt, it's the only non-PHP file shipped in the root. Maybe someone
 wants to remove those because they have OCD. Now that we have about.php
 for in-dashboard upgrades (and most installs happen by hosts, not users),
 the very existence of a readme file isn't that helpful anymore.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/23394#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
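As an added illustration of the point nacin makes above about version detection (this is example code written for this page, not code from the ticket, from WordPress core or from any plugin), the script below pulls a WordPress version from four public places: readme.html, the generator meta tag, the ?ver= query strings WordPress appends to its own enqueued CSS/JS, and the generator element in the RSS feed. It then drops readme.html from the sample site and shows that three of the four signals remain. The sample responses and the version string 3.5.1 are constructed inline, so it runs offline; the asset ?ver= behaviour it relies on is the default for core assets enqueued without an explicit version.

```python
"""Fingerprint a WordPress version from several public disclosure points.

Added example for the wp-trac discussion above; not WordPress code.
All "HTTP responses" are constructed inline, nothing is fetched.
"""
import re
from collections import Counter

# Constructed stand-in for a site: path -> response body. The version
# 3.5.1 and the asset list are made up for the example.
SAMPLE_SITE = {
    "/readme.html": (
        '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
        "<br /> Version 3.5.1</h1>"
    ),
    "/": (
        "<html><head>"
        '<meta name="generator" content="WordPress 3.5.1" />'
        '<link rel="stylesheet" href="/wp-includes/css/admin-bar.min.css?ver=3.5.1" />'
        '<script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>'
        '<script src="/wp-includes/js/comment-reply.min.js?ver=3.5.1"></script>'
        "</head><body></body></html>"
    ),
    "/feed/": (
        "<rss><channel><generator>http://wordpress.org/?v=3.5.1</generator>"
        "</channel></rss>"
    ),
}

VERSION = r"(\d+\.\d+(?:\.\d+)?)"


def version_from_readme(body):
    """readme.html carries 'Version X.Y.Z' in its heading."""
    m = re.search(r"Version\s+" + VERSION, body)
    return m.group(1) if m else None


def version_from_generator(body):
    """wp_head() emits <meta name="generator" content="WordPress X.Y.Z">."""
    m = re.search(r'<meta name="generator" content="WordPress ' + VERSION, body)
    return m.group(1) if m else None


def version_from_feed(body):
    """The RSS feed's <generator> element ends in ?v=X.Y.Z."""
    m = re.search(r"<generator>[^<]*\?v=" + VERSION, body)
    return m.group(1) if m else None


def version_from_assets(body):
    """Core assets under /wp-includes/ get ?ver=<WordPress version>.

    Bundled third-party libraries (jQuery here) carry their own version,
    so take the most common ?ver= value rather than the first hit.
    """
    hits = re.findall(r"/wp-includes/[^\"']+\?ver=" + VERSION, body)
    if not hits:
        return None
    return Counter(hits).most_common(1)[0][0]


PROBES = {
    "readme.html": ("/readme.html", version_from_readme),
    "generator meta": ("/", version_from_generator),
    "asset ?ver=": ("/", version_from_assets),
    "rss generator": ("/feed/", version_from_feed),
}


def fingerprint(site):
    """Return {source_name: version} for every disclosure point that answers."""
    found = {}
    for name, (path, extract) in PROBES.items():
        body = site.get(path)          # None models a 404 / removed file
        if body is None:
            continue
        version = extract(body)
        if version:
            found[name] = version
    return found


def consensus_version(site):
    """Majority vote across whatever sources are still present."""
    found = fingerprint(site)
    if not found:
        return None
    return Counter(found.values()).most_common(1)[0][0]


if __name__ == "__main__":
    print("full site:      ", fingerprint(SAMPLE_SITE))
    # "Hardened" copy with readme.html deleted, as the ticket proposes.
    no_readme = {p: b for p, b in SAMPLE_SITE.items() if p != "/readme.html"}
    print("readme removed: ", fingerprint(no_readme))
    print("still detected: ", consensus_version(no_readme))
```

Deleting readme.html only silences the first probe; the generator tag, the asset query strings and the feed still agree on the version, which is the point made in the comment: suppressing one disclosure does not change what an attacker can learn, whereas updating does.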

