Hacking WP-PluginsUsed To Remove Plugin Version Numbers

One of the greatest contributors to the WordPress plugins repository is Lester “GaMerZ” Chan.

It’s testament to the value of his contributions that his work has not only been duplicated, borrowed and built upon by hundreds of other plugin developers — just search “gamerz” in the WordPress plugins repository to see how many times his name is cited — but many of his ideas and hacks have made their way into the core functionality of WordPress.

I use two of Gamerz’s plugins: WP-PostViews and WP-PluginsUsed. (Until recently, I also used WP-PostRatings, but that was not a popular feature, so I turned it off.) I like them both, but I had concerns about the security of using WP-PluginsUsed.

My concern was not WP-PluginsUsed itself, but the fact that it reported the version numbers of other plugins. Just telling the world that I am using a plugin is bad enough; reporting the specific version number, making it even easier on crackers, seems pointless.

But I believe in giving credit where credit is due, even at the risk of someone trying to exploit this site. I can always deactivate any plugin that has a major security hole. Besides, what plugins one is using generally isn’t difficult to figure out; there tends to be a handful available for any given task, and the ones that work well are often few and far between. You can pretty much just look at a WordPress blog and get a good feel for what plugins it is running.

That said, to keep my peace of mind, I simply commented out the part of WP-PluginsUsed that reveals version numbers.

You can do that either in the plugin editor that’s built into WordPress, or in your favorite text editor. Look for the get_pluginsused_data() function, around Line 46:

### Function: WordPress Get Plugin Data
function get_pluginsused_data($plugin_file) {
	$plugin_data = implode('', file($plugin_file));
	preg_match("|Plugin Name:(.*)|i", $plugin_data, $plugin_name);
	preg_match("|Plugin URI:(.*)|i", $plugin_data, $plugin_uri);
	preg_match("|Description:(.*)|i", $plugin_data, $description);
	preg_match("|Author:(.*)|i", $plugin_data, $author_name);
	preg_match("|Author URI:(.*)|i", $plugin_data, $author_uri);
	// The version header is optional, so it is read separately.
	if (preg_match("|Version:(.*)|i", $plugin_data, $version)) {
		$version = trim($version[1]);
	} else {
		$version = '';
	}
	$plugin_name = trim($plugin_name[1]);
	$plugin_uri = trim($plugin_uri[1]);
	$description = wptexturize(trim($description[1]));
	$author = trim($author_name[1]);
	$author_uri = trim($author_uri[1]);
	return array('Plugin_Name' => $plugin_name, 'Plugin_URI' => $plugin_uri, 'Description' => $description, 'Author' => $author, 'Author_URI' => $author_uri, 'Version' => $version);
}

We’re going to edit the last line of that function, the one that says “return array( … ).” Here’s the replacement line:

	return array('Plugin_Name' => $plugin_name, 'Plugin_URI' => $plugin_uri, 'Description' => $description, 'Author' => $author, 'Author_URI' => $author_uri, 'Version' => ''); //$version);

What this does is replace the version number for each plugin with an empty string; through the rest of the plugin’s code it has the same practical effect as never having reported the plugin’s version at all.

Note that I also could have commented out lines 54, 55, 56 and 58, and left Line 64 intact. That, too, would have set the value of the version for each plugin to an empty string. I opted for the solution above because it is the most elegant.
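If you would rather not hand-edit the plugin every time it is updated, the same header parsing can be wrapped in a helper that withholds the version unless explicitly asked for. This is an added example written for this post, not WP-PluginsUsed’s own code; the function name pluginsused_header_fields() and the sample header are my own constructions.

```php
<?php
// Parse a WordPress plugin header the way WP-PluginsUsed does, but make
// version disclosure an explicit opt-in and tolerate missing header fields.
function pluginsused_header_fields(string $plugin_file, bool $include_version = false): array {
    $plugin_data = (string) file_get_contents($plugin_file);
    // The same header fields the plugin reads; "Version" is handled separately.
    $fields = array(
        'Plugin_Name' => 'Plugin Name',
        'Plugin_URI'  => 'Plugin URI',
        'Description' => 'Description',
        'Author'      => 'Author',
        'Author_URI'  => 'Author URI',
    );
    $result = array();
    foreach ($fields as $key => $label) {
        // A missing field yields '' instead of an undefined-offset notice.
        $pattern = '|' . preg_quote($label, '|') . ':(.*)|i';
        $result[$key] = preg_match($pattern, $plugin_data, $m) ? trim($m[1]) : '';
    }
    // Version stays empty unless the caller opts in, so public output never carries it.
    $result['Version'] = '';
    if ($include_version && preg_match('|Version:(.*)|i', $plugin_data, $m)) {
        $result['Version'] = trim($m[1]);
    }
    return $result;
}

// Constructed sample plugin header, written to a temp file for the demo.
$tmp = tempnam(sys_get_temp_dir(), 'wp');
file_put_contents($tmp, "<?php\n/*\nPlugin Name: Example Plugin\n"
    . "Plugin URI: https://example.com/plugin\nDescription: A constructed sample.\n"
    . "Author: Someone\nAuthor URI: https://example.com\nVersion: 1.2.3\n*/\n");

$public = pluginsused_header_fields($tmp);        // what the site will display
$admin  = pluginsused_header_fields($tmp, true);  // full data for your own records
unlink($tmp);

echo "public version: '" . $public['Version'] . "'\n";
echo "admin version:  '" . $admin['Version'] . "'\n";
```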

I distribute all code under the GNU GPL.
