Archive for July, 2010

How to Remove the WordPress Version Number

One of the most commonly seen security tips around the WordPress-o-Sphere has got to be this:

Don’t display your WordPress version number publicly
Many WordPress developers often display the WordPress version in the source code. But having this information publicly available makes it easy for attackers to exploit known vulnerabilities on a particular WordPress version.

This sort of thinking is referred to as “security through obscurity,” and may or may not be an effective way to increase the overall security of your site.

By default, WordPress executes the wp_generator() function whenever the wp_head() hook is called. Typically, this hook is located in your theme’s header.php file within the <head> section of the document markup:

[ Screenshot: wp_head() Hook ]
The wp_head() hook as seen via the header.php file

Then, after WordPress processes your web page, the wp_generator() function outputs the following code (depending on page view) to your browser:

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://digwp.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://digwp.com/wp-includes/wlwmanifest.xml" />
<link rel='index' title='Digging into WordPress' href='http://digwp.com/' />
<meta name="generator" content="WordPress 2.8.1" />

Notice that last line there? There are many posts on WordPress security that point out how specifying your version number is a security risk. Whether or not this is the case is certainly debatable, but the thinking is that you should avoid revealing this sensitive information in order to prevent attacks targeting specific versions of WordPress.

Now for the fun part. Assuming that sharing your version information is bad, how to go about removing the information? Well, that depends on how savvy you are with WordPress. Here are several methods to prevent WordPress from displaying your version-specific number, ranked in order from the absolute worst way to the absolute right way. That is, until someone shows us how to do it in less than 41 characters 😉

The absolute worst way to remove the WordPress version number

I have seen recent posts where the author actually recommends deleting the wp_head() hook! Here is an example:

Study what things this function outputs for you, and just hardcode them into your theme files since these values will unlikely change.

While there are indeed valid reasons for removing this important WordPress hook, removing the version number from your source code is not one of them.

A pretty good way to remove the WordPress version number

Much better than simply deleting the wp_head() hook, this method serves us well by placing the version-removal function in the theme’s functions.php file, where it belongs. By hooking the the_generator filter and returning an empty string, this function suppresses the version information by preventing output of its <meta> tag:

// Return an empty string in place of the generator markup
function remove_version_info() {
     return '';
}
// Hook it into the_generator, which WordPress applies before echoing the tag
add_filter('the_generator', 'remove_version_info');

This method has the added bonus of removing the version information from not only your blog pages, but from your feeds as well.

The right way to remove the WordPress version number

Going a step beyond the previous method, this technique gets the job done quite elegantly, with a mere 41 characters of code:

remove_action('wp_head', 'wp_generator');

Just place that single line into your theme’s functions.php and enjoy a small taste of “security through obscurity”. 🙂
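For readers who want both behaviours at once, here is an added example (not from the original article) that combines the two working methods above in a single must-use plugin: the 41-character remove_action() for the HTML head, plus the the_generator filter, which WordPress also applies on the feed head actions. The file name, the wp-content/mu-plugins/ location and the function name hgt_blank_generator are assumptions; the hook names are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Hide Generator Tag (added example)
 * Description: Suppresses the "WordPress x.y" generator string in page
 * <head> markup and in RSS/Atom feeds. Assumed location:
 * wp-content/mu-plugins/hide-generator-tag.php, so it loads before any
 * theme code and cannot be switched off from the admin Plugins page.
 */

// Stop direct HTTP requests to this file from executing anything.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. The 41-character method from the article: unhook wp_generator()
//    from wp_head (WordPress adds it at the default priority 10), so the
//    <meta name="generator" ...> line never reaches the HTML output.
remove_action( 'wp_head', 'wp_generator' );

// 2. The filter method from the article: WordPress also calls
//    the_generator() on the feed head actions (rss2_head, atom_head, ...),
//    and each call passes its markup through the the_generator filter.
//    Returning '' here blanks the version string in feeds as well.
function hgt_blank_generator( $generator, $type ) {
    // $type is 'html', 'xhtml', 'rss2', 'atom', etc.; we hide all of them.
    return '';
}
add_filter( 'the_generator', 'hgt_blank_generator', 10, 2 );
```

To confirm it worked, fetch the front page and a feed URL of the site and check that no generator tag is present in either response.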

Article Source: digwp.com


How To Make Thread Comment On WordPress

Threading is a feature mostly used by forums. With threads, we can comment not only on the post itself, but also on an existing comment, so it looks like a reply within a reply. The hierarchy of the comments becomes clearer, and a commenter can get replies from the other commenters.

As you can see above, there are subcomments within comments, just like folders on our computer, isn’t it? :-)

How To Hack?

Want a blog that has threaded comment navigation like a forum does? It is easy, because with a plugin we can hack WordPress in the way we like. So which plugin gives WordPress threaded comments? It is WP Thread Comment.

Features

  • One can reply to any existing comment.
  • The discussion is displayed nested, or threaded.
  • Easy to install. No hacking of WordPress or your theme is needed.
  • W3C compatible.
  • Customizable HTML / PHP / CSS in the admin section.
  • AJAX support, enabling comments without reloading the whole page.
  • Choose AJAX or not, freely.
  • Get notified by email when a reply is available.

Installation

Well, I must admit that the installation is a bit silly and a little complicated, but it is easy and anyone can do it.

  1. Download and unzip the plugin package.
  2. Rename the “wordpress-thread-comment” folder to “wp-thread-comment”.
  3. Upload it to the WordPress plugin folder, ‘*WORDPRESSROOT*/wp-content/plugins/’.
  4. Activate it from the Plugins page in the WordPress site admin.
  5. Check that a “reply” link now appears on your existing comments.
  6. Other settings such as AJAX, HTML/CSS and more can be found in the option section of the site admin.

source : Mr Hokya dot com

WordPress 3.2 to Drop Support for PHP 4 and MySQL 4

WordPress has announced a bold move today. In an official blog post, Mark Jaquith, one of the lead developers of WordPress, said that starting this year WordPress will end its support for PHP 4 and MySQL 4.

Quoting from the blog post, the reasons he gave were:

Our approach with WordPress has always been to make it run on common server configurations. We want users to have flexibility when choosing a host for their precious content. Because of this strategy, WordPress runs pretty much anywhere. Web hosting platforms, however, change over time, and we occasionally are able to reevaluate some of the requirements for running WordPress. Now is one of those times. You probably guessed it from the title — we’re finally ready to announce the end of support for PHP 4 and MySQL 4!

According to the official announcement, WordPress 3.1, which is due in late 2010, will be the last release to support PHP 4. WordPress 3.2, which should arrive some time in the first half of 2011, will require PHP 5.2. For MySQL, the announcement on the blog post was:

In less exciting news, we are also going to be dropping support for MySQL 4 after WordPress 3.1. Fewer than 6 percent of WordPress users are running MySQL 4. The new required MySQL version for WordPress 3.2 will be 5.0.15.

To check which versions of PHP and MySQL your hosting provider offers, you can use the Health Check plugin. It will tell you whether you are ready to upgrade to WordPress 3.2 when it becomes available. If you are not ready, your blog will not be able to upgrade to WordPress 3.2, because a built-in check stops it.

In our view, this announcement is surely a bold move, but it should not be a great concern for most blog owners, since statistics show that only a very small number of blogs still run on PHP 4. Still, if you do not know which versions of PHP and MySQL your hosting provider offers, you had better keep an eye on it and check before it is too late to upgrade to the latest version of WordPress.

Source: blogsdna.com , WordPress
