Remove version info from login screen

[sirtet]

I know, security by obscurity is not working alone.
Still, i'd prefer to make live harder for an attacking bot who just needs to query the version string to apply the correct attack.

I'm no security expert, it's just an idea about something that sprung to my eye...

[chtaube]

No bot would ever care about the version string returned, as this could be forged anyway. They don't even care if a particular application is installed at all. They simply try out all attacks/exploit that they have in its database and hope that one of them is successful.

If you want to harden your YOURLS installation, simply add password protection to the admin/ directory. As a side effect, this wil hide the login page with the version string, too.

You can improve security even more by not giving the PHP interpreter write access to the webserver's document_root. Of course, this would break auto-update mechanisms of CMS like Wordpress or Drupal. But as usually: There is no free lunch. The more you secure your installation, the less comfy it is for you to use and administer it.

[chtaube]

user/plugins/hideversion/plugin.php :

<?php
/*
Plugin Name: Hide Version String
Plugin URI: https://github.com/YOURLS/YOURLS/issues/1878
Description: Plugin to hide the version string in the footer.
Version: 0.1
Author: chtaube
Author URI: http://github.com/chtaube
*/

if( !defined( 'YOURLS_ABSPATH' ) ) die();

yourls_add_filter( 'html_footer_text', 'hide_version_string' );

function hide_version_string( $value ) {
    return preg_filter( '/ v .* \&ndash; /', ' &ndash; ', $value );
}

[ozh]

Exactly what @chtaube says 👍