Ben is a lifelong Nintendo fan who likes to build websites, and make video games. He buys way too much Lego.
I got banned from Technorati a long time ago. Apparently releasing free themes is bad (and gets lots of inbound links), only fair I guess 🙁
Anyway, Technorati have dropped off my radar recently; their constant redesigns and confused product are pushing people away, and since they’ve been dropped by WordPress I don’t visit at all. The thing I am most interested in is the recent announcement that they’re “suspending” blogs using old versions of WordPress.
Personally I feel this is a well-meaning, but misguided, attempt to keep the site clean. I think it’s misguided for two reasons. Firstly, they are going to be blocking a lot of blogs that haven’t been hacked, and secondly they are no doubt letting through a lot of blogs that have been compromised, and then upgraded (with the blog owner none the wiser).
A recent post on CodeScheme – Technorati and WordPress explains how to stop this from happening to you.
Essentially many WordPress blogs have a small snippet of code added to the WordPress header that details what version of WordPress is being used. This makes the sites easy targets for hackers looking for old versions of the software to attack.
<meta name="generator" content="WordPress 2.5" />
All the hackers have to do is go to Google and enter the string above and they will have many thousands of blogs ripe for the picking.
I have always coded my own themes, and so have never included this code. However, when working with the latest version of WordPress I noticed that the theme was including the generator code for me. That is, WordPress is now outputting the WordPress version into your theme – opening your site up to potential security issues.
Normally I am happy to let WordPress do its own thing; generally it’s for the greater good, but in this case I make an exception. I am not going to give the hackers an additional target, solely so that Automattic can see how many sites use their software (the only reason I can think of to include the code).
Thankfully it only took me 5 minutes to work out a solution. The code was added through a WordPress plugin hook… so it can easily be removed again using the same hook. All you have to do to protect your blog is add the following line of PHP to a file called functions.php in your theme directory.
<?php remove_action( 'wp_head', 'wp_generator' ); ?>
I considered making a plugin for this but figured it was so simple there was little point. If anyone wants me to make one then let me know and I will rustle something up.
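To confirm the functions.php change took effect, you can check a saved copy of your own page's HTML for the generator tag. This checker is an added example, not part of the original post; the function name `disclosed_wordpress_versions` and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Matches generator strings such as "WordPress 2.5" and captures the version.
VERSION_RE = re.compile(r"^WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", "").strip())


def disclosed_wordpress_versions(html):
    """Return every WordPress version announced by a generator meta tag."""
    finder = GeneratorFinder()
    finder.feed(html)
    finder.close()
    matches = (VERSION_RE.match(content) for content in finder.generators)
    return [m.group(1) for m in matches if m]


# Constructed sample pages: the head before and after the functions.php change.
BEFORE = """<html><head><title>My blog</title>
<meta name="generator" content="WordPress 2.5" />
</head><body></body></html>"""
AFTER = """<html><head><title>My blog</title>
</head><body></body></html>"""
# Same tag with different attribute order, case and quoting (constructed).
VARIANT = "<head><META content='WordPress 2.5' NAME='Generator'></head>"

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("variant", VARIANT)):
        found = disclosed_wordpress_versions(page)
        print(label, "->", found if found else "no version disclosed")
```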