Wordpress Easy Install secure: Prevent Plecost analysis

wordpress

#1

Hi, I’m a happy Dreamhost user.

But I’m quite worried because even when I use the “easy install” functionality, my WordPress blog ends up in an insecure state.
A few weeks ago I published a tool to check WordPress installations. “Plecost: WordPress fingerprinter” searches for information about the plugin versions installed on sites powered by WordPress.

The fact is this: when I upgrade my installation using your bot, all the files that contain the info about plugins and the WordPress version reappear. That’s a security issue.

Could you modify your bot to add a function that cleans these installations? Erase some specific files.
Specifically:

  1. http://DOMAIN/wp-content/plugins/PLUGIN-NAME/readme.txt

Example:
http://DOMAIN/wp-content/plugins/akismet/readme.txt

=== Akismet ===
Contributors: matt, ryan, andy, mdawaffe, tellyworth, automattic
Tags: akismet, comments, spam
Requires at least: 2.0
Tested up to: 3.0
Stable tag: 2.3.0

  2. http://DOMAIN/readme.html

Example:
WordPress
Version 3.0
Semantic Personal Publishing Platform

If you change the bot, please let us know. We would like to promote this interesting service.

Regards.
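The following is an added example, not code from the original post and not Plecost itself. It shows what a fingerprinting scanner reads out of the two files the post asks to have removed: it parses the `=== Name ===` header block of a plugin `readme.txt` (the `Stable tag:` line is the installed plugin version) and pulls the core version out of `readme.html`, then lists and deletes those files under a local WordPress root. The file contents and the temporary install tree are constructed to match the excerpts quoted above; the function names are this example's own.

```python
"""Added example (not from the original post or from Plecost): parse the
WordPress readme files a fingerprinting scanner probes, and list/remove them
from a local install. Sample contents are constructed from the post's excerpts."""
import os
import re
import tempfile

# Constructed sample: wp-content/plugins/akismet/readme.txt as quoted in the post.
SAMPLE_PLUGIN_README = """=== Akismet ===
Contributors: matt, ryan, andy, mdawaffe, tellyworth, automattic
Tags: akismet, comments, spam
Requires at least: 2.0
Tested up to: 3.0
Stable tag: 2.3.0

== Description ==
Akismet checks your comments against the Akismet web service.
"""

# Constructed sample: a cut-down readme.html as shipped at the WordPress web root.
SAMPLE_WP_README = """<html><body>
<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
<br /> Version 3.0</h1>
<p style="text-align: center">Semantic Personal Publishing Platform</p>
</body></html>
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
WP_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def parse_plugin_readme(text):
    """Return the header fields of a plugin readme.txt as a dict with lower-cased keys.

    The header is the '=== Name ===' line plus every 'Key: value' line up to the
    first blank line; 'stable tag' is the value a scanner treats as the version."""
    info = {}
    lines = text.splitlines()
    if not lines:
        return info
    m = re.match(r"^===\s*(.+?)\s*===\s*$", lines[0])
    if m:
        info["name"] = m.group(1)
    for line in lines[1:]:
        if not line.strip():
            break
        m = HEADER_RE.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2)
    return info


def wordpress_version_from_readme(html):
    """Return the core version string advertised in readme.html, or None if absent."""
    m = WP_VERSION_RE.search(html)
    return m.group(1) if m else None


def exposed_fingerprint_files(wp_root):
    """List, relative to wp_root, the files the post asks to have removed:
    readme.html at the root and every wp-content/plugins/*/readme.txt."""
    found = []
    if os.path.isfile(os.path.join(wp_root, "readme.html")):
        found.append("readme.html")
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    if os.path.isdir(plugins_dir):
        for plugin in sorted(os.listdir(plugins_dir)):
            if os.path.isfile(os.path.join(plugins_dir, plugin, "readme.txt")):
                found.append(os.path.join("wp-content", "plugins", plugin, "readme.txt"))
    return found


def remove_fingerprint_files(wp_root):
    """Delete the files exposed_fingerprint_files() reports; return the removed paths."""
    removed = exposed_fingerprint_files(wp_root)
    for rel in removed:
        os.remove(os.path.join(wp_root, rel))
    return removed


def demo_install(root):
    """Build a throwaway install tree from the constructed samples (fixture only)."""
    os.makedirs(os.path.join(root, "wp-content", "plugins", "akismet"))
    with open(os.path.join(root, "readme.html"), "w") as f:
        f.write(SAMPLE_WP_README)
    with open(os.path.join(root, "wp-content", "plugins", "akismet", "readme.txt"), "w") as f:
        f.write(SAMPLE_PLUGIN_README)
    return root


if __name__ == "__main__":
    print(parse_plugin_readme(SAMPLE_PLUGIN_README))
    print(wordpress_version_from_readme(SAMPLE_WP_README))
    with tempfile.TemporaryDirectory() as tmp:
        demo_install(tmp)
        print("exposed:", exposed_fingerprint_files(tmp))
        print("removed:", remove_fingerprint_files(tmp))
        print("after:", exposed_fingerprint_files(tmp))
```

Deleting these two files closes only the disclosure channel the post describes. WordPress also advertises its version elsewhere by default (the `generator` meta tag in page output and the `?ver=` query strings on enqueued scripts and styles), and an upgrade that re-copies the distribution will bring the readme files back, which is exactly the point the post makes about the install bot.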


#2

I’m going to assume either English isn’t your first language or you used machine translation (though “quite” -> “quiet” suggests no machine translating)… with that in mind, I might be misunderstanding the meaning of your post, but: what is insecure about readme files or version info? The plugin readme files are going to be publicly available on the internet anyway from their source, so I don’t see what the problem is.


#3

The OP’s issue is that by leaving the ReadMe files viewable, a potential attacker can scan through and see which versions of plugins you’re running, and if there are any known vulnerabilities.

That said, DreamHost tries to stay on top of security updates, as should all WordPress admins.


#4

And for that matter, all Easy One-Click installs are running off of the same copy of Wordpress, so it’s no secret what version of Wordpress you’re running, or what plugins you have.