Sucuri Security

WordPress Hardening.

This document is not the usual step-by-step guide on how to protect your WordPress installation. A lot of sites cover that already, so I will talk about some additional topics that you don't see around very often, especially towards security with obscurity.

I am not claiming that just hiding the version of WordPress is going to make you more secure, but the truth is, why SHOULD ANYONE know that? No user of your site needs to know your WordPress, Apache or PHP version. Good security practice always says that the less privilege (or information) you give out, the better.


Security with obscurity - WordPress

There are lots of tutorials on how to disable the version of WordPress from showing up in the "generator" field (look at the links section at the bottom).

However, what most people miss is that the generator field is not the only place to get the version you are running. The easiest way is to look for the file "readme.html" at the top of the WordPress installation. Easy, no?



Examples? Look at the top 5 blogs about blogging:


They all have their version displayed for everyone to see in the readme file. Some other blogs, like copyblogger, tried to hide it from the generator field, but left the file in there:



HOW TO FIX:

Just remove the readme.html file. (Security is simple.)


Security with obscurity - internal paths

PHP is very good at leaking the internal paths of your system in case of errors. You can find out exactly where the blog is hosted (/var/www, /home/user, etc.) and, 99% of the time, you can guess the user name used for administration.

For example, looking at our favourite bloggers, you can see that they easily leak this info:

copyblogger:

    WordPress internal path: /home/copyblog/public_html/wp-content/themes/thesis/index.php
    WordPress internal path: /home/copyblog/public_html/wp-content/themes/default/index.php

bloggingtips:

    WordPress internal path: /home/blogging/public_html/wp-content/themes/BloggingTips/index.php
    WordPress internal path: /home/blogging/public_html/wp-content/themes/default/index.php
    WordPress internal path: /home/blogging/public_html/wp-admin/upload-functions.php

blogsessive:

    WordPress internal path: /home/content/b/l/o/blogsessive/html/wp-content/themes/blogsessive/header.php
    WordPress internal path: /home/content/b/l/o/blogsessive/html/wp-content/themes/default/index.php

dailyblogtips:

    WordPress internal path: /home/dailyblo/public_html/wp-content/themes/dailyblogtips2/index.php
    WordPress internal path: /home/dailyblo/public_html/wp-content/themes/default/index.php

This information can help with password guessing attacks, XSS, etc.


HOW TO FIX:

Open your php.ini file (generally at /etc/php.ini) and set:
display_errors = Off


Security with obscurity - Apache

Apache is another friendly server that loves to let anyone know what version it is running, what modules it has enabled, etc. Example of a header:

    Running on: Apache/2.1.0
    System info: (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b DAV/2 mod_auth_passthrough/2.1
                 mod_bwlimited/1.4 FrontPage/5.0.2.2635 SVN/1.5.4 mod_perl/2.0.4 Perl/v5.8.8
    Powered by: PHP/5.2.8

Does anyone really need to know all of that about your server?


HOW TO FIX:

Add the following to your Apache's config (httpd.conf):

ServerSignature Off
ServerTokens ProductOnly


Security with obscurity - PHP

This is our last one. PHP will by default add a "Powered by: PHP/version" message to your HTTP headers. As I said before, no one cares about it, Mr. PHP, sorry :)


HOW TO FIX:

Add the following to php.ini file:

expose_php = Off
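To check a server against the fixes above from the admin side, here is an added shell audit script (example code, not from the Sucuri post). It assumes the document root, php.ini and httpd.conf paths are passed as arguments, builds its own constructed sample configs for the demo run, and the names ini_value, directive_value, flag, wp_obscurity_audit and make_fixture are chosen for this example.

```shell
# Added example (not from the Sucuri post): audit a host for the leaks described
# above. All paths are arguments; the sample files at the bottom are constructed.
# Effective value of KEY in a php.ini, lower-cased (last uncommented line wins).
ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 |
        sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//' |
        tr 'A-Z' 'a-z'
}
# Effective value of an Apache DIRECTIVE, lower-cased (last uncommented line wins).
directive_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null | tail -n 1 |
        awk '{print tolower($2)}'
}
flag() { echo "LEAK: $1"; n=$((n + 1)); }   # record one finding
# wp_obscurity_audit DOCROOT PHP_INI HTTPD_CONF
# Prints one LEAK line per finding; its return code is the number of findings.
wp_obscurity_audit() {
    n=0
    [ -f "$1/readme.html" ] && flag "$1/readme.html present (states the WordPress version)"
    # PHP's built-in default for both keys is On, so an unset key is still a leak.
    for key in display_errors expose_php; do
        case "$(ini_value "$2" "$key")" in off|0|false|no) ;; *) flag "$key is not Off" ;; esac
    done
    # ServerSignature defaults to Off, so only an explicit value is judged;
    # ServerTokens defaults to Full, so it must be set to ProductOnly (alias Prod).
    case "$(directive_value "$3" ServerSignature)" in ""|off) ;; *) flag "ServerSignature is not Off" ;; esac
    case "$(directive_value "$3" ServerTokens)" in productonly|prod) ;; *) flag "ServerTokens is not ProductOnly" ;; esac
    return $n
}

# make_fixture DIR leaky|hardened: writes constructed sample files for a demo run.
make_fixture() {
    mkdir -p "$1"
    if [ "$2" = leaky ]; then
        echo '<h1>WordPress readme (constructed placeholder)</h1>' > "$1/readme.html"
        printf 'display_errors = On\nexpose_php = On\n' > "$1/php.ini"
        printf 'ServerSignature On\nServerTokens Full\n' > "$1/httpd.conf"
    else
        printf 'display_errors = Off\nexpose_php = Off\n' > "$1/php.ini"
        printf 'ServerSignature Off\nServerTokens ProductOnly\n' > "$1/httpd.conf"
    fi
}

tmp=$(mktemp -d)
for host in leaky hardened; do
    make_fixture "$tmp/$host" "$host"; rc=0
    wp_obscurity_audit "$tmp/$host" "$tmp/$host/php.ini" "$tmp/$host/httpd.conf" || rc=$?
    echo "$host host: $rc finding(s)"   # leaky: 5, hardened: 0
done
rm -rf "$tmp"
```

Point the three arguments at a real document root, php.ini and httpd.conf to audit a live host; a non-zero exit code means at least one of the settings above still leaks.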


Additional resources

We only covered a small part of what it means to protect your blog, site, etc. You must first keep it updated before you worry about any of the above.

For more info: