[wp-trac] [WordPress Trac] #35554: De-emphasis WordPress Version in the admin
WordPress Trac
noreply at wordpress.org
Wed Jan 11 18:39:41 UTC 2017
#35554: De-emphasis WordPress Version in the admin
----------------------------+------------------
Reporter: dd32 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 4.8
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
----------------------------+------------------
Comment (by rawrly):
Replying to [comment:15 dd32]:
> I'm going to put a general request out there:
>
> > '''Please do not consider this a security ticket; It's not. It's a
user-experience ticket.'''
>
> Showing version numbers is not a security risk and removing them does
nothing to protect sites.
> You can read the rehashed topic in #23394 and make all the arguments
there, this ticket is not the place.
I don't wish to rehash the security topic, but the utilization of the
readme file's version string is what many third-party utilities rely on
for accurate version reporting for WordPress. It has some indirect
security concerns if this gets removed or truncated to only major releases.
Removal of this version string's minor release version would result in
some security utilities either choosing to inaccurately report a site's
version (reporting it as vulnerable when it is not, requiring site owners
to file appeals), or scan engines having to become more resource-intensive
in how they determine a site's accurate version number (this is
resource-intensive both in their time to code it and in server resources,
as they may attempt more requests to get an accurate version). Ultimately,
if I were to guess, the former is what will happen in most cases.
Current third party utilities which rely on the site's readme file for
accurate version identification are (I personally validated their source):
wpscan
nmap
metasploit
and many more security utilities...
I'm not making an argument that the change is incorrect or bad for any
reason, I am only stating a side effect that will occur.
This change will make things look cleaner for most site operators, but it
will likely also result in problems for site owners who are utilizing
third party utilities for site security monitoring.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35554#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
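Added illustration of the fingerprinting behaviour the comment above describes (this is not code from the ticket, from WordPress, or from wpscan, nmap or metasploit): a scanner reads the `Version x.y.z` string out of readme.html, falls back to the generator meta tag, and then has to answer "is this site at or above release R?". With a full string the answer is decidable; with a string cut back to the branch release it is not, and the scanner must either flag the site (false positives, the outcome the comment predicts) or stay silent. The sample HTML fragments are constructed, and the version strings and the `fixed_in` argument are illustrative values, not references to any particular issue.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the <h1> block at the top of readme.html; the shape
# follows the shipped file but this is a trimmed, hand-written copy.
README_FULL = """<h1 id="logo">
\t<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
\t<br /> Version 4.7.1
</h1>"""

# Constructed: the same block if the string were cut back to the branch release.
README_MAJOR_ONLY = README_FULL.replace("Version 4.7.1", "Version 4.7")

# Constructed front-page fragment with the generator meta tag, the other cheap
# source a scanner reads before resorting to per-file hashing.
FRONT_PAGE = '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>'

README_RE = re.compile(r"<br\s*/?>\s*Version\s+(\d+(?:\.\d+)*)", re.IGNORECASE)
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+(\d+(?:\.\d+)*)"', re.IGNORECASE
)


def version_from_readme(html: str) -> Optional[str]:
    """Version string from readme.html, or None when absent."""
    m = README_RE.search(html)
    return m.group(1) if m else None


def version_from_generator(html: str) -> Optional[str]:
    """Version string from the generator meta tag, or None when absent or stripped."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def fingerprint(readme_html: str, front_html: str) -> Dict[str, Optional[str]]:
    """Two-request fingerprint: readme.html first, generator tag second."""
    for source, detector, body in (
        ("readme", version_from_readme, readme_html),
        ("generator", version_from_generator, front_html),
    ):
        v = detector(body)
        if v:
            return {"version": v, "source": source}
    return {"version": None, "source": None}


def parse(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def at_least(detected: Optional[str], required: str) -> Optional[bool]:
    """Is the detected release >= required? Returns None when undecidable.

    A string with fewer components than `required` is read as "some release on
    that branch": '4.7' against '4.7.1' could be 4.7 (older) or 4.7.3 (newer),
    so the question cannot be answered from the string alone.
    """
    if detected is None:
        return None
    d, r = parse(detected), parse(required)
    n = min(len(d), len(r))
    if d[:n] != r[:n]:
        return d[:n] > r[:n]  # differ inside the shared prefix: decidable
    if len(d) >= len(r):
        return True  # detected is at least as specific as required and matches
    # '4.7' >= '4.7.0' holds for every 4.7.x; '4.7' vs '4.7.1' is unknown
    return True if all(x == 0 for x in r[n:]) else None


def flag_if_below(detected: Optional[str], fixed_in: str, conservative: bool = True) -> bool:
    """Scanner policy for an undecidable comparison: flag the site (false
    positives, which the comment expects most tools to choose) or stay silent
    (false negatives)."""
    ok = at_least(detected, fixed_in)
    if ok is None:
        return conservative
    return not ok
```

Running `fingerprint(README_MAJOR_ONLY, "<html></html>")` and then `at_least(..., "4.7.1")` returns `None`: the only ways out of that are the conservative flag or extra requests (file hashing), which is the trade-off the comment describes.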