How to hide your website applications version?
The topic was raised in the Mauritius Internet Users mail list where Shelly asked about a non-technical method to identify applications on which a website is running. SM suggested her to try Wappalyzer browser extension. I use that too, since a long time.
While I wrote a blog post about Wappalyzer, JoKi commented and reminded me about web security :-) That's yet another topic that we discussed during the MSCC Code & Coffee sessions. Aww! I miss those Wednesday talks.
What happened to my app versions?
After migrations and several WordPress upgrades, I had my settings overridden. Now's the perfect time to write this post as it is fresh in the head. So, how to hide your website applications version?
To make my webserver, Nginx, be less verbose I will have to add
server_tokens off; in the configuration file. It should not be in
nginx.conf file but instead in individual site configurations (e.g under ../sites-enabled).
Next, let's cut the verbosity of PHP. We set
expose_php = Off in the
inote:/home/ish # lynx -head -mime_header https://hacklog.mu HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jun 2015 16:01:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding, Cookie Cache-Control: max-age=3, must-revalidate WP-Super-Cache: Served supercache file from PHP
Ahaan! Clean enough. No more webserver & PHP versions shown.
Lastly, I searched how to hide the WordPress version number. Oh! Before you proceed with code edits, please remove
readme.html from your WordPress root. Thank you :-) Nirvan Pagooah, a young fellow & security enthusiast, suggested me this long time back.
There is nice article by Raelene Wilson about hiding the WordPress number. However, that would require you manually edit your
functions.php file. It works! Though a simpler method would be finding a plugin that does the job. That way, the code edit does not get overridden when WordPress updates.
WordPress version hiding is featured in a plugin name Umbrella Protection. It's simple to set up & configure. Oh, and it works :-)
While the list of libraries and applications appear, notice there are no version numbers.