[Resolved] Security

    #4275

    xc70
    Participant

    Hi Andrew. I just discovered this safety information and I saw it was not implemented in the Ultra theme, so I added it to my child theme.
    WordPress by default displays the version you are using. If a security hole is published and we do not update our theme, hackers have information about our WordPress. If we do not hide this information we are giving facilities to those who want to access our admin panel.

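    // Remove version and discovery links that WordPress prints in <head>.
    function removeHeadLinks() {
        // <meta name="generator"> tag carrying the WordPress version.
        remove_action( 'wp_head', 'wp_generator' );
        // Windows Live Writer manifest link.
        remove_action( 'wp_head', 'wlwmanifest_link' );
        // Really Simple Discovery (RSD) link.
        remove_action( 'wp_head', 'rsd_link' );
    }
    add_action( 'init', 'removeHeadLinks' );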

    Have a good weekend.

    #4276

    Andrew Misplon
    Keymaster

    Hi xc70

    Thanks for sharing this tip. For sure, on your site this is a handy little security addon. Unfortunately, on WordPress.org the theme standards are quite strict. At the moment themes aren’t allowed to remove default functionality like the sort you’ve described above. Some of the security plugins out there will offer this same header information removal as an option.

    Chat soon 🙂

    #4277

    xc70
    Participant

    Thanks Andrew, I was unaware of that Automattic policy for their themes. It is curious that an issue like this, which is known to all, remains in use when it is detrimental to the safety of the user.

    Regards

    #4278

    Andrew Misplon
    Keymaster

    I hear you.

    Automattic do have influence over what happens in the Theme Review team but it’s mostly a community driven project. Here is the section that would cover these links:

    Required

    Specifically: No removing or modifying non-presentational hooks.

    Plugins like WordFence or BetterWPSecurity (did they change their name?) are however free to do this. So in summary, this is more of a plugin level task.
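
Following the point in the last reply that this belongs at the plugin level, here is the same removal packaged as a small plugin. It is an added example, not code from the thread or from any of the plugins named; the plugin header and the `example_hvh_*` function names are hypothetical, and it goes slightly beyond the original snippet by also blanking the generator tag in feeds and dropping the core version from asset URLs.

```php
<?php
/**
 * Plugin Name: Hide Version Headers (example)
 * Description: Added illustration; plugin and function names are hypothetical.
 */

// Stop if the file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// The same three removals as the child-theme snippet in the thread.
function example_hvh_remove_head_links() {
    remove_action( 'wp_head', 'wp_generator' );
    remove_action( 'wp_head', 'wlwmanifest_link' );
    remove_action( 'wp_head', 'rsd_link' );
}
add_action( 'init', 'example_hvh_remove_head_links' );

// wp_generator only covers the HTML head. Feeds print their own generator
// tag through the same 'the_generator' filter, so blank it for every type.
add_filter( 'the_generator', '__return_empty_string' );

// Core-registered scripts and styles default to "?ver=<core version>".
// Drop the parameter only when it equals the core version, so assets that
// carry their own version keep their cache-busting value.
function example_hvh_strip_core_ver( $src ) {
    if ( ! is_string( $src ) || '' === $src ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_hvh_strip_core_ver', 9999 );
add_filter( 'script_loader_src', 'example_hvh_strip_core_ver', 9999 );
```

Dropping `ver` from core assets also removes their cache-busting when core is updated, so browsers may hold old copies until their cache expires.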
