melnikov.net.ru



Mask WordPress version number

2008-02-09 08:03

This is the source of a simple plugin that hides the real WordPress version number from evil eyes. Don't treat it as the only security fix for your WordPress install; it's just one simple step in the security process.

So, the source is right here:

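<?php
/*
Plugin Name: MNR Mask Wordpress Version
Plugin URI: http://melnikov.net.ru/
Description: Replaces WordPress version in all the output (except admin panel).
Author: Anton Melnikov
Version: 0.1
Author URI: http://melnikov.net.ru/mnr-mask-wpversion/
License: GPL
*/

// Overwrite the global version string for every request outside /wp-admin/.
function mnr_maskWpVersion() {
	global $wp_version;
	// strpos() replaces ereg(), which was removed in PHP 7.
	if ( strpos( $_SERVER['SCRIPT_FILENAME'], '/wp-admin/' ) === false ) {
		$wp_version = '9.1.1'; // fake value, formatted like a real version
	}
}
// Priority 1: run early on the 'init' hook.
add_action('init', 'mnr_maskWpVersion', 1);
?>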

The logic: if a user runs a script from the /wp-admin/ folder, he is an authorized WordPress backend user (otherwise the script issues a redirect and quits). The WordPress backend depends on the value of $wp_version, so there we leave it as is. It is needed in at least two functions, and there are more of them:

  • wp-admin/includes/update.php, function wp_update_plugins()
  • wp-admin/includes/upgrade.php, function wp_check_mysql_version()

Any script outside the /wp-admin/ folder could be started by an unauthorized user, and it seems we can give out any fake version number there without the risk of backend problems. In case some automated processes are sensitive to the format of strings containing this version number (HTTP headers used for feed requests/answers, etc.), the plugin formats it like a real version number: three dot-separated digits, '9.1.1' in my example. You can change it to whatever you like.
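A self-check for the masking described above, as an added example that is not part of the original plugin: it scans rendered front-end or feed markup for version strings and reports any that still disclose the real version, or a generator value that is not three dot-separated numbers. The function names, the three locations searched (generator meta tag, feed generator element, ?ver= on asset URLs), the sample markup and the '2.3.3' real version are assumptions made for illustration.

```php
<?php
// Added example: audit public output for leftover version strings.

// Collect version-like strings from places where front-end markup or a
// feed is assumed to carry them, together with where each was found.
function mnr_find_version_strings($markup) {
    $patterns = array(
        'meta generator' => '~<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)~i',
        'feed generator' => '~<generator>[^<]*\?v=([0-9][0-9.]*)</generator>~i',
        'asset ver'      => '~[?&](?:amp;)?ver=([0-9][0-9.]*)~i',
    );
    $found = array();
    foreach ($patterns as $where => $re) {
        if (preg_match_all($re, $markup, $m)) {
            foreach ($m[1] as $version) {
                $found[] = array('where' => $where, 'version' => $version);
            }
        }
    }
    return $found;
}

// Return a list of problems: the real version still visible anywhere, or
// a generator value that no longer looks like a real version number.
function mnr_audit_output($markup, $real_version) {
    $problems = array();
    foreach (mnr_find_version_strings($markup) as $hit) {
        $is_generator = ($hit['where'] !== 'asset ver');
        if ($hit['version'] === $real_version) {
            $problems[] = $hit['where'] . ': real version ' . $real_version . ' disclosed';
        } elseif ($is_generator && !preg_match('~^\d+\.\d+\.\d+$~', $hit['version'])) {
            // Asset versions are skipped here: a script may carry its own number.
            $problems[] = $hit['where'] . ': unexpected format "' . $hit['version'] . '"';
        }
    }
    return $problems;
}

// Constructed sample markup: the generator values are masked, but one
// asset URL still carries the placeholder real version 2.3.3.
$sample = '<meta name="generator" content="WordPress 9.1.1" />' . "\n"
        . '<script src="/wp-includes/js/example.js?ver=2.3.3"></script>' . "\n"
        . '<generator>http://wordpress.org/?v=9.1.1</generator>' . "\n";

foreach (mnr_audit_output($sample, '2.3.3') as $problem) {
    echo $problem, "\n";
}
```

Feed it the saved HTML of a public page or feed from your own site, fetched as a logged-out visitor, and pass the version your install really runs as the second argument.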

The plugin is of alpha quality; it definitely needs more testing. If you find a bug or have an idea, feel free to write it right here.

Tags: plugin, security, WordPress

11 Responses to “Mask WordPress version number”

  1. lovethife 2008-11-14 14:05

    Thanks for the post.

  2. kuzey_22 2008-11-15 02:00

    Good post.

  3. ayman rock 2008-11-18 03:22

    Thanks a lot for this post

  4. fuji0927 2008-11-19 02:56

    Nice blog btw

  5. webmaster 2008-11-24 01:01

    Hmmm, I am tempted to try this.

  6. Anonymous 2008-11-25 00:28

    I came across. Thank you.

  7. deven 2008-11-26 04:42

    Nice blog btw

  8. Sabaqahmad 2008-11-27 03:51

    Nice post man, I just signed up to Flickr too!

  9. baskale.biz 2008-11-28 05:16

    I came across. Thank you.

  10. navaio 2008-11-30 05:48

    I really love to try it out. This is something new

  11. pontjo 2008-12-01 01:59

    Hmmm, I am tempted to try this.
