Nodeinfo exposes WordPress version?

[ndegruchy]

I know that security through obscurity is a weak defense, if any. However, I like to remove all the version identifiers from the software that I expose to the public. The less an attacker knows about the infrastructure, the better.

Is there a way to remove the version identifiers from nodeinfo (and likely your other plugins)? I don't even truly mind that it still says WordPress.

For instance, the ActivityPub endpoint /wp-json/activitypub/1.0/nodeinfo2 exposes software and version for WordPress. Additionally nodeinfo provides a generator with information about the software and version in question via /wp-json/nodeinfo/2.1.

Perhaps I'm able to see this because I'm logged in?

[pfefferle]

This is the NodeInfo plugin repo but it seems that you use the ActivityPub endpoint, is that true?

You can use a filter, to remove the Informations about WordPress, but maybe it is a better choice to remove the endpoint completely (???), because I am not sure if FediDB indexes sites that have no software identified.

[ndegruchy]

Okay. Thanks.

Yes, I know this is the nodeinfo repo. Having either-or installed reports this information (at least as far as I can tell).

because I am not sure if FediDB indexes sites that have no software identified.

Odd, but it is what it is.

Thanks!

[pfefferle]

I think this is still a relevant feature, because we could at least mask the version number and have a possibility to disable it completely.

[pfefferle]

I at least masked the version number to show only the major version.