Viewing 3 replies - 1 through 3 (of 3 total)
  • I completely agree. The plugin is excellent and works well above my expectations for any plugin, but with the version number in the body, this is giving a potential exploit notifier available for any vulnerability scanner. All I’m asking is that you remove the version number. The rest of it is completely cool with me. Thank you for your hard work!

    Hi Jim,

    One thing you could try – define AIOSEOP_VERSION in your wp-config.php

    define( 'AIOSEOP_VERSION', 'x.xx' );

    I’ll see if it’s possible to add an option for this; note that this may not be easy, as the version gets set very early on in the plugin. Also, I can’t guarantee that withholding the version number will afford you any real protection – often, hackers run automated tools that try exploits regardless of the displayed version number, without checking for them, because they already know that version numbers displayed on a webpage aren’t a reliable way of checking what version of which software may actually be present.

    Thread Starter Jim Burnett

    (@blackfault)

    Peter, Thanks a ton for the reply.

    I was able to find a way to strip all comments from the final output by running filters with ob_start. Not the best solution, but it prevents version information like this from being leaked. Any disclosure of any version information is considered an information disclosure leak, regardless of the priority. While targeted attacks do exploit regardless of version numbers, the bots mainly do not.

    Thanks a ton for the consideration!

    -Jim
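
The output-buffer approach Jim describes could look like the following. This is an added example, not code from the thread or from the plugin; the function name `example_strip_html_comments`, the choice of the `template_redirect` hook and the sample markup are assumptions.

```php
<?php
// Added example: not code from the thread or the plugin. Names are hypothetical.

/**
 * Strip HTML comments from a rendered page.
 * Keeps IE conditional comments and never edits inside
 * <script>, <style>, <pre> or <textarea> elements.
 */
function example_strip_html_comments( $html ) {
    // One pass: match either a protected element or a comment.
    $pattern = '#<(script|style|pre|textarea)\b[^>]*>.*?</\1\s*>|<!--.*?-->#is';

    $out = preg_replace_callback(
        $pattern,
        function ( $m ) {
            $hit = $m[0];
            if ( strncmp( $hit, '<!--', 4 ) !== 0 ) {
                return $hit; // protected element, leave untouched
            }
            // Conditional comments change rendering, so keep them.
            if ( preg_match( '/^<!--\s*\[if\b/i', $hit )
                || preg_match( '/<!\[endif\]\s*-->$/i', $hit ) ) {
                return $hit;
            }
            return ''; // ordinary comment, including version banners
        },
        $html
    );

    // On a PCRE error (e.g. backtrack limit) serve the page unmodified.
    return null === $out ? $html : $out;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: buffer front-end output only (assumed hook choice).
    add_action( 'template_redirect', function () {
        ob_start( 'example_strip_html_comments' );
    } );
} else {
    // Stand-alone run with constructed sample markup.
    $sample = "<head><!-- Example SEO Plugin x.xx -->\n"
        . "<!--[if lt IE 9]><link href=\"ie.css\"><![endif]-->\n"
        . "<script>var s = '<!-- kept -->';</script></head>";
    echo example_strip_html_comments( $sample ), "\n";
}
```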

  • The topic ‘Security issue. Remove version from body’ is closed to new replies.