[wp-trac] [WordPress Trac] #28722: Boost performance with ETag in load-scripts.php and load-styles.php

WordPress Trac noreply at wordpress.org
Sun Apr 10 14:02:30 UTC 2016


#28722: Boost performance with ETag in load-scripts.php and load-styles.php
------------------------------+------------------------------------------
 Reporter:  sergej.mueller    |       Owner:  swissspidy
     Type:  feature request   |      Status:  reopened
 Priority:  normal            |   Milestone:  4.5
Component:  Script Loader     |     Version:  4.0
 Severity:  normal            |  Resolution:
 Keywords:  has-patch commit  |     Focuses:  administration, performance
------------------------------+------------------------------------------

Comment (by RedSand):

 Replying to [comment:26 Presskopp]:
 > @RedSand:
 > Isn't it so that it's not so hard to find out a site is using WordPress,
 > whatever you try to hide? Security doesn't come from a hidden version
 > number.. :)
 > And the bots don't even need to test for WP running or check the version,
 > they just fire in all directions, and if they find an open door - bingo,
 > if not, they probably don't try to find out why, but just switch to the
 > next possible target.
 > This doesn't mean not to care about protection and security! :)

 Hey @Presskopp

 Yes, finding out a site is using WordPress is easy. The directory
 structure (among many other things) would give it away, so revealing it's
 WordPress is not the concern. Keep in mind, I said it's the '''version
 numbers''' that shouldn't be advertised.

 That's actually not how most hacks happen these days. Sure, there are
 still bots employed by script kiddies that just try to hit a site with
 every type of attack. More often, they don't try any attacks on their
 first pass...they are merely scanning sites collecting data. They are
 building a list of sites that have specific vulnerable software versions.
 They can either be hit again automatically right after the data is
 collected, or the hacker employing the bot can review the list and single
 out interesting targets. Either way, the bots are sent again, this time
 going for specific vulnerabilities.

 I hear you about hiding the version numbers not being a mighty security
 measure ''in and of itself'', but notice I didn't say that ''security
 '''came from''' hiding the version number''. It's one small layer in the
 whole strategy though, and stats show that hiding the version number
 throughout the site will reduce the number of sites that get hacked.

 For example, if I can do a quick scan of your site, and see that you're
 using a specific version of WordPress that's known to have ''x''
 vulnerabilities, it makes it that much easier for me to target your site.
 That doesn't mean you shouldn't practice good security though...you should
 by all means, and be using updated versions.

 But the fact that 48% of WordPress users aren't even updated to the 4.4
 branch and 31% are still using PHP 5.2 and 5.3, shows pretty clearly that
 a high percentage of users are not practicing good security. So, we need
 to help them out and make it as secure as possible. Not everyone has
 expert security consultants helping them.

 We do security consulting day in and day out for clients, and most hacks
 come from outdated software, and revealing version numbers makes it easier
 for hackers to gather data and target. Most hacks also don't come from
 really talented hackers...they come from hackers with low to intermediate
 skill. Yet they cause a lot of damage.

 Security isn't binary...it's ''not on or off''. Security is about
 ''reducing risk'', and ''lowering the statistical probability of a
 successful attack.'' You can never eliminate risk fully, and there is no
 such thing as 100% impenetrable security, even with the best measures in
 place.

 In most criminal acts, it’s about following the path of least resistance —
 if you increase the difficulty of success (sometimes by even a small
 margin) then often the hacker will go somewhere else.

 Good security requires a ''layered strategy''. It's really not necessary
 for anyone other than the site owner to know the version number, so why
 put that out there? (Similarly WordPress needs to remove all references to
 the version number throughout the site, so I will put in tickets regarding
 those as well.)

 This is a pretty well-established security principle (granted - only one
 among many) to avoid web server fingerprinting, and to avoid revealing
 specific version numbers, so I'm not sure why we would want to ignore
 ''any'' good security principles, however small it may seem.

 So while this may not seem like a big thing in and of itself...look at it
 like this: If we make some small changes like this throughout WordPress
 core - not revealing version numbers - and it can help prevent ''some'' of
 WordPress' users from being hacked, why wouldn't we want to do it? :)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28722#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
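The two technical points in the comment above are the scan pass a bot runs before it picks targets (collecting the core version from markers any client can see) and the ticket's own subject, an ETag on load-scripts.php / load-styles.php that should not become one more of those markers. The script below is an added example and is not code from the comment, the ticket's patch, or WordPress core. It assumes a leaky ETag shaped "WP:<version>" (not shown on the page), a per-site secret such as a wp-config.php salt for the opaque variant, and a constructed sample response rather than a capture from a real site.

```python
"""Added example (not WordPress core code and not the ticket's patch).

  1. fingerprint(): the collection pass a scanner runs, reading the core
     version from the generator meta tag, ?ver= query strings on core
     assets, and a version-bearing ETag, without sending any attack;
  2. opaque_etag(): an ETag for load-scripts.php / load-styles.php that
     still changes on every release, so caches revalidate, but does not
     expose the version.

Assumptions not on the page: the leaky ETag is shaped "WP:<version>", and
the opaque variant is keyed with a per-site secret such as a wp-config.php
salt. The sample response below is constructed, not captured from a site.
"""
import hashlib
import hmac
import re
from collections import Counter

LEAKY_HEADERS = {"ETag": '"WP:4.4.2"', "Content-Type": "text/css"}
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 4.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.4.2" />
<link rel="stylesheet" href="/wp-includes/css/admin-bar.min.css?ver=4.4.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
CORE_ASSET_RE = re.compile(
    r'/wp-(?:includes|admin)/[^"\'\s]*\?ver=([\d.]+)', re.I)
LEAKY_ETAG_RE = re.compile(r'^(?:W/)?"?WP:([\d.]+)"?$')


def fingerprint(headers: dict, html: str) -> dict:
    """Return {indicator: version} for each disclosure found, {} if none."""
    found = {}
    m = GENERATOR_RE.search(html)
    if m:
        found["generator_meta"] = m.group(1)
    # Core assets default to $wp_version as their ?ver= unless a handle
    # registers its own version (jQuery does), so the most common value
    # among core asset URLs is the one that identifies core itself.
    versions = CORE_ASSET_RE.findall(html)
    if versions:
        found["asset_ver_query"] = Counter(versions).most_common(1)[0][0]
    etag = next((v for k, v in headers.items() if k.lower() == "etag"), "")
    m = LEAKY_ETAG_RE.match(etag)
    if m:
        found["etag"] = m.group(1)
    return found


def opaque_etag(wp_version: str, requested: str, secret: bytes) -> str:
    """ETag derived from the core version and the requested handle list.

    It changes whenever either input changes, which is all a cache needs,
    but cannot be mapped back to a version without the per-site secret."""
    msg = f"{wp_version}|{requested}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return '"' + digest + '"'


if __name__ == "__main__":
    print("leaky response:", fingerprint(LEAKY_HEADERS, LEAKY_HTML))
    secret = b"example-salt-from-wp-config"  # assumed per-site secret
    hardened = {"ETag": opaque_etag("4.4.2", "jquery-core,utils", secret)}
    print("hardened ETag:", hardened["ETag"], "->", fingerprint(hardened, ""))
```

Run against a real site's admin HTML and load-styles.php headers, fingerprint() answers the question the comment raises (is the version visible to a scanner?), and the opaque ETag shows that the performance goal of the ticket and the disclosure concern are not in conflict: a keyed digest validates caches exactly as well as the raw version string.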

