The lock on my door is a Yale Model AG34

No, I don’t suppose that is the first thing you are going to tell a perfect stranger now, is it? How about someone who has just called to your door? More unlikely still.

The Rant:
Which is why it really annoys me that some web applications insist on vanity tags that display to the world what software system you are using, and worse still, sometimes what version you are using!

That is just what is required to hit your poor little website with a zero-day attack, or indeed to make it far too easy for evil-minded people to find sites running out-of-date software.

Is it on your site?
Examine the source code of your web page. It will be between the “head” tags at the top of the page. Take for example the screenshot of the HTML code on a blog I visited the other day. You can clearly see from the generator meta tag that not only is the blog powered by Wordpress, but it is running version 2.5.1. In this example, the blogger is probably fine. There have been a couple of security fixes released since Wordpress 2.5.1 came out in July, but none that I would rate as vital. But is it really a good idea to let the world know:
a) what web application you are running?
b) what exact version you have installed?
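To check a page’s source the way the post describes without eyeballing it, here is an added example (my code, not the original post’s) that pulls every generator meta tag out of an HTML document and reports whether it leaks just the product name or the exact version too. The sample heads are constructed; the first mirrors the Wordpress 2.5.1 tag seen in the screenshot.

```python
import re
from html.parser import HTMLParser


class GeneratorTagFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "generator":
            self.generators.append(attrs.get("content", "").strip())


# Matches a dotted version string such as "2.5.1" in "WordPress 2.5.1".
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def audit_generator_tags(html):
    """Return one (product, version, disclosure) finding per generator tag.

    disclosure is 'version' when an exact version leaks, 'product' when only
    the software name is shown, and 'none' for an empty tag.
    """
    finder = GeneratorTagFinder()
    finder.feed(html)
    findings = []
    for content in finder.generators:
        m = VERSION_RE.search(content)
        if m:
            product = content[:m.start()].strip() or None
            findings.append((product, m.group(1), "version"))
        elif content:
            findings.append((content, None, "product"))
        else:
            findings.append((None, None, "none"))
    return findings


# Constructed sample pages: a leaky head like the one in the post, and a clean one.
LEAKY_HEAD = '<html><head><meta name="generator" content="WordPress 2.5.1" /></head></html>'
CLEAN_HEAD = '<html><head><title>blog</title></head></html>'

if __name__ == "__main__":
    for page in (LEAKY_HEAD, CLEAN_HEAD):
        print(audit_generator_tags(page))
```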

The cure
Now, I was going to go into a big rant about just how pointless I thought the generator meta tag was anyway, but I have decided to bite my tongue and concentrate on the real evil: including the version number.

This is just a plain old bad idea. I was really annoyed to see it creep back into the Wordpress blogs I manage recently, as the location has been switched from the Wordpress header template file to the Wordpress internals (from Wordpress 2.5 on). So even if you thought you had removed it, if you upgraded to 2.5 or later, it might be back in there again!

There is a relatively easy way to remove it again, however, and this should be permanent unless they change this again in a future major version release.
Add the following line to the functions.php file of your Wordpress theme (within the PHP code tags):
remove_action('wp_head', 'wp_generator');

For other web applications, you may need to check the documentation or search the support forums for answers on how to remove the generator tag.


WordPress: Are your user’s email addresses secure?

Jason Roe has pointed out a potential security issue for Wordpress which I picked up on via boards.ie.

The issue can allow someone to scrape email addresses and other contact details from a wordpress site that allows user registration on it.

In the grand scale of things, it isn’t the worst, but it certainly is not kosher to allow someone’s email address to be seen when you have assured them it will be private.

This was of concern to me as I recently completed a project that is powered by Wordpress and there are several hundred registered users. I zipped on over and sure enough, it was vulnerable (it was running Wordpress 2.04).

I immediately went about upgrading to the latest version of Wordpress 2.0x, version 2.06. This version is not affected, but there is a mistake in the related code. Line 60 of the file /wp-admin/user-edit.php has the following:

die__('You do not have permission to edit this user.');

It should be

die(__('You do not have permission to edit this user.'));

It isn’t a biggie, it just throws a PHP error rather than telling the nosey parker to mind their own beeswax. I will report it to Wordpress now if someone hasn’t already.

Wordpress is an increasingly popular web publishing tool, and with popularity come security holes, from simple bugs like this one not being spotted through to people running versions that should have been upgraded a year ago. On the whole, I’m comfortable with its standard of coding and security.

I’m quite sure other, less popular applications have as many issues, but they go unnoticed without as many users poking and prodding the software.

It is sometimes easy to be lazy and leave that upgrade to another day, but issues like this highlight the importance of keeping up to date with the latest developments of your chosen web applications.
