Remove version info from login screen #1878
Comments
No bot would ever care about the version string returned, as this could be forged anyway. They don't even care if a particular application is installed at all. They simply try out all attacks/exploits that they have in their database and hope that one of them is successful.

If you want to harden your YOURLS installation, simply add password protection to the

You can improve security even more by not giving the PHP interpreter write access to the webserver's document_root. Of course, this would break auto-update mechanisms of CMS like WordPress or Drupal. But as usual: There is no free lunch. The more you secure your installation, the less comfy it is for you to use and administer it.
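```php
<?php
/*
Plugin Name: Hide Version String
Plugin URI: https://github.com/YOURLS/YOURLS/issues/1878
Description: Plugin to hide the version string in the footer.
Version: 0.1
Author: chtaube
Author URI: http://github.com/chtaube
*/

// Refuse to run when the file is requested directly instead of loaded by YOURLS.
if( !defined( 'YOURLS_ABSPATH' ) ) die();

// Rewrite the footer text before YOURLS prints it.
yourls_add_filter( 'html_footer_text', 'hide_version_string' );

function hide_version_string( $value ) {
    // Replace everything from " v " up to the dash separator with the separator alone.
    // Note: preg_filter() returns null when the pattern does not match.
    return preg_filter( '/ v .* \– /', ' – ', $value );
}
```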
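The hardening step mentioned in the comment above (no write access for the PHP interpreter inside the document root) can be checked with a small permission audit. This is an added example, not code from the thread or from YOURLS; the function names, the sample tree and the use of the current user as a stand-in for the PHP user are assumptions, and it judges by mode bits only (no ACLs or read-only mounts).

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """True if uid/gids may write, judged by owner/group/other mode bits only."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, uid, gids):
    """Return sorted paths (relative to docroot) that the identity can write."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        # A writable directory matters as much as a writable file:
        # it lets the PHP process drop new scripts next to existing ones.
        for path in [base] + [os.path.join(base, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


def demo():
    """Audit a constructed tree; the current user stands in for the PHP user."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "user"))
        for rel in ("index.php", "user/config.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php // constructed sample file\n")
        # Constructed permissions: locked-down root and index, writable user/ area.
        modes = {"index.php": 0o444, "user/config.php": 0o644, "user": 0o755, ".": 0o555}
        for rel, mode in modes.items():
            os.chmod(os.path.join(root, rel), mode)
        try:
            return audit_docroot(root, os.geteuid(), set(os.getgroups()))
        finally:
            os.chmod(root, 0o755)  # restore so the temporary tree can be removed


if __name__ == "__main__":
    for finding in demo():
        print("writable by PHP user:", finding)
```

On a real host, pass the uid and group ids of the account the PHP interpreter runs as instead of the current user's.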
Exactly what @chtaube says 👍
I know, security by obscurity is not working alone.
Still, I'd prefer to make life harder for an attacking bot who just needs to query the version string to apply the correct attack.
I'm no security expert, it's just an idea about something that sprung to my eye...