#WordPress Security Tip – Limit Information Disclosure

Reducing the amount of information your site hands out will not stop a determined attacker, but it removes the easy reconnaissance (which WordPress version is running, which usernames exist) that automated scans and opportunistic attackers rely on. Here are just a few things that you can do-

Open your theme’s functions.php and add these to the end (a site-specific plugin or a file in wp-content/mu-plugins/ works just as well and survives a theme switch)-

#Don’t display error information regarding a failed login. By default the message is not generic: WordPress reports “Invalid username” for an account that does not exist and “The password you entered for the username X is incorrect” for one that does, so an attacker can confirm which usernames are valid. The filter below removes the message completely. Or replace “return null” with “return ‘custom message'” to show the same fixed message for every failure. Use an anonymous function rather than create_function(), which was deprecated in PHP 7.2 and no longer exists in PHP 8.
add_filter('login_errors', function ($errors) { return null; });

#Don’t display any WordPress version information in the generator output. This filter empties the string that get_the_generator() returns, so the version disappears from the generator meta tag in the page head and from the <generator> element in the RSS and Atom feeds. You could also change it to return anything that you want.
add_filter('the_generator', function ($generator) { return null; });

#You could also just use this line to remove the meta tag from the page head altogether. Note that it only unhooks the head tag and leaves the feed generator in place, so the filter above is the more thorough choice.
remove_action('wp_head', 'wp_generator');

You should also remove the readme.html file in your blog’s main directory, since it states the version that is running. Core updates put the file back, so delete it again after every update or deny access to it in your web server configuration.

This certainly isn’t an exhaustive list, but should help you get started…
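The snippets above can be collected into one must-use plugin so they load on every request regardless of the active theme. The following is an added example, not code from the original post; the lid_example_ function names and the file name are this example’s own. It also goes one step beyond the post: enqueued scripts and styles that carry no version of their own get ?ver=<core version> appended to their URL, which reveals the WordPress version even after the generator tag is gone, so the last filter strips that argument when it matches the core version.

```php
<?php
/**
 * Plugin Name: Limit Information Disclosure (added example)
 * Description: Hides login error detail and WordPress version strings.
 *
 * Added example, not code from the original post. Save as
 * wp-content/mu-plugins/limit-info-disclosure.php so it loads on every
 * request regardless of the active theme. Names prefixed lid_example_
 * are this example's own.
 */

// Do nothing if the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Replace every error shown on wp-login.php (invalid username, wrong password,
 * empty fields, and the lost-password form's "no account" error) with one
 * fixed message, so the response no longer tells an attacker which usernames
 * exist. Return null instead of a string to show nothing at all.
 */
function lid_example_generic_login_error( $errors ) {
    return 'Login failed. Please check your credentials and try again.';
}
add_filter( 'login_errors', 'lid_example_generic_login_error' );

/**
 * Empty the string returned by get_the_generator(). This covers both the
 * <meta name="generator"> tag printed by wp_generator() in the page head and
 * the <generator> element in RSS and Atom feeds; remove_action( 'wp_head',
 * 'wp_generator' ) on its own only removes the head tag.
 */
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Extension beyond the post: scripts and styles enqueued without their own
 * version get ?ver=<core version> appended, which discloses the WordPress
 * version on every page. Strip the argument only when it equals the core
 * version so that plugins' and themes' own cache-busting versions keep working.
 */
function lid_example_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'lid_example_strip_core_version', 20 );
add_filter( 'style_loader_src', 'lid_example_strip_core_version', 20 );
```

To confirm it took effect, fetch the front page and /feed/ and check that neither contains the word “generator” followed by a version number, look at the src and href attributes of enqueued scripts and styles for a ?ver= value equal to the core version, and submit one login with a non-existent username and one with a real username and wrong password: both responses should carry the identical error text.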

This entry was posted in Wordpress.