This section describes the problem of wordpress upgrade.php and install.php leaking the wordpress version and how to deal with it.

WordPress Version Leakage Problem

If a vulnerability is discovered in WordPress, this version information can be used to hack into the site. For security reasons, it is safer to make sure that the WordPress version is not known from the outside.

WordPress uses a meta-generator to add version information to header information, styles and scripts with the query ?

The versioning of meta-generator header information and styles and scripts with the query ?

/*Turn off the query of ver*/.
add_filter( 'style_loader_src', 'shift8_security_remove_wp_ver_css_js', 10, 2);
add_filter( 'script_loader_src', 'shift8_security_remove_wp_ver_css_js', 10, 2);

function shift8_security_remove_wp_ver_css_js( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) )
        $src = remove_query_arg( 'ver', $src ); 
    return $src;
}

/*Do not output the meta generator in the header */
remove_action( 'wp_head', 'wp_generator' ); }
remove_action( 'opml_head', 'the_generator' );

Leakage of version information in upgrade.php and install.php

In addition, nowadays, tools such as WPSCAN and others that examine WordPress vulnerabilities (or conversely, can do a preliminary check for hacking) will also automatically examine the WordPress version in two files, upgrade.php and install.php.

For example, if you access the following URL, you will see that the WordPress version has been compromised from its source code.

https://WordPressURL/wp-admin/install.php
https://WordPressURL/wp-admin/upgrade.php

Example of source code

Since each of these files is called from outside the WordPress hook process, it is quite tricky to prevent this by including the countermeasure code in the theme’s functions.php.

We plan to add an easy workaround for this problem in the next version of the [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal], scheduled for release in late October or early November 2024. Please use it if you like.

Prevent version information leakage in upgrade.php and install.php from HTACCESS

Since version information leakage in upgrade.php and install.php cannot be prevented from the WordPress programming code, you can prevent it by writing access denial settings in the HTACCESS file.

(The HTACESS file is a server configuration file located in the WordPress installation directory.

Because install.php is not used after WordPress is installed, access to it is prohibited. (Add to the top of the HTACCESS file)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*)wp-admin/install\.php$ - [R=404,L,NC]
</IfModule>

upgrade.php may be used to update the database by automatically navigating to this file at login if wordpress is updated by manual overwrite via FTP, for example. Therefore, if you simply prevent access to this file, you may not be able to log in.
For this reason, access should be prevented only when non-logged in. (Add to the top of the HTACCESS file)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*wp-admin/upgrade\.php$
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule ^(.*)wp-admin/upgrade\.php$ - [R=404,L,NC]
</IfModule>

%{HTTP_COOKIE} ! ^.*wordpress_logged_in.*$ The line [NC] means that access is prevented only if there is no login-specific cookie.