Too Secure?!
After my last post I was feeling a bit paranoid for whatever reason and decided it was time to implement one of the security mods on WordPress to deter automated attacks based on the version.
WP includes a statement about what version of the software generated each page. I decided the easy way to nix them all was to go straight to the WP code that does that on every page. Once I dug through the code I found the offending code: “get_bloginfo( ‘version’ )”.
The only place that gave me any trouble was in wp-includes/general-template.php and most of that was related to my ISP’s web cache and my web host’s web-based editor. I ftp’ed the file over, edited out the offending get_bloginfo() calls, ftp’ed it back, and I was all set. I thought.
Sometime since then I noticed that I was having trouble accessing my admin pages. I could go to the login page and everything was fine, but my dashboard pages were coming up blank. I thought it was a fluke and that my hosting company would sort it out in a day or two. Well, it has been a week and I finally started digging through the error logs to find the problem.
With the flow of this post you probably figured out more quickly than I that my issue was with the general-template.php file I modified. Yep, it was front and center in the error logs. So I ftp a copy over and open it up in an editor only to find that the line with the error is the last line in the file. “Odd” I thought as my ‘leet programming skills kicked in and I caught on that I had a blank line at the end. Checked against the original file (always keep a backup!) and sure enough, the one blank line was the culprit.
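A pre-upload check for this kind of slip, as an added example that is not part of the original post. It assumes the edited file ended with a closing `?>` tag, after which PHP sends everything beyond one newline to the browser as output; the function names and sample bytes are constructed for illustration, and the tag search is a heuristic that does not parse PHP strings.

```python
def emitted_tail(src: bytes) -> bytes:
    """Bytes PHP would output after the file's final closing tag."""
    close = src.rfind(b"?>")
    # No closing tag, or an opening tag after it: the file ends inside
    # PHP code, so trailing blank lines are harmless.
    if close == -1 or src.rfind(b"<?") > close:
        return b""
    tail = src[close + 2:]
    # PHP swallows exactly one newline directly after the closing tag.
    for newline in (b"\r\n", b"\n"):
        if tail.startswith(newline):
            return tail[len(newline):]
    return tail


def edit_adds_stray_output(original: bytes, edited: bytes) -> bool:
    """True if the edit introduced whitespace-only output the backup lacked."""
    tail = emitted_tail(edited)
    return tail != b"" and tail.strip() == b"" and tail != emitted_tail(original)


# Constructed stand-ins for the backup and the edited copy of a core file.
BACKUP = b"<?php\nfunction example_generator() { return ''; }\n?>\n"
EDITED = BACKUP + b"\n"                 # one extra blank line at the end
NO_CLOSE_TAG = b"<?php\necho 'ok';\n\n\n"  # ends in PHP mode: nothing emitted

if __name__ == "__main__":
    for name, data in (("backup", BACKUP), ("edited", EDITED)):
        print(name, "emits after closing tag:", emitted_tail(data))
    print("edit adds stray output:", edit_adds_stray_output(BACKUP, EDITED))
```

Run against the backup and the edited copy before uploading, it flags the one extra blank line while leaving files that omit the closing tag alone.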
I’m now back into my admin pages and have no foreseeable reason not to post something relevant tomorrow!
The take-away for you is this: how secure is too secure? I certainly removed that potential guided attack. Was it worth it to also lock myself out?
How have you “over shot” your desired level of security? What did you do about it in the end?