[wp-trac] [WordPress Trac] #28722: Boost performance with ETag in load-scripts.php and load-styles.php
WordPress Trac
noreply at wordpress.org
Sun Apr 10 11:48:54 UTC 2016
#28722: Boost performance with ETag in load-scripts.php and load-styles.php
------------------------------+------------------------------------------
Reporter: sergej.mueller | Owner: swissspidy
Type: feature request | Status: reopened
Priority: normal | Milestone: 4.5
Component: Script Loader | Version: 4.0
Severity: normal | Resolution:
Keywords: has-patch commit | Focuses: administration, performance
------------------------------+------------------------------------------
Changes (by RedSand):
* status: closed => reopened
* resolution: fixed =>
Comment:
The WordPress version should not be used in headers like this, as it's a
security risk. Revealing software version in headers or code is not a good
security practice.
The IETF (Internet Engineering Task Force) has this to say in
[http://www.ietf.org/rfc/rfc2068.txt RFC 2068]:
"Revealing the specific software version of the server may allow the
server machine to become more vulnerable to attacks against software that
is known to contain security holes."
If a security vulnerability is discovered, and a site owner hasn't
upgraded their site yet, revealing this makes it easy for hackers to run
automated scripts to scan their site and discover the version number.
That's why most security hardening plugins remove the WordPress version
number from the site's code.
Obviously a website owner should practice good security, but even so, this
should be changed so that WordPress code leaks as little data as possible.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28722#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform