Thoughts about removing WP version number, file hotlink protection, blocking bad bots

  • #38325
    Living Miracles
    Participant

    Hi there,

    I’m wondering if you’d share your thoughts about the following blocks of code. I just did a little bit of research and see some people recommend implementing code to 1) stop WordPress from displaying its version number in the code of the WordPress site, 2) stop file hotlinking, and 3) blocking bad bots. Thank you for sharing your thoughts!!

    1. Remove Version Numbers
    Add to child theme functions.php file:

    // remove version from head
    remove_action('wp_head', 'wp_generator');
    
    // remove version from rss
    add_filter('the_generator', '__return_empty_string');
    
    // remove version from scripts and styles
    function shapeSpace_remove_version_scripts_styles($src) {
        // strpos() returns false when 'ver=' is absent, so compare strictly
        if (strpos($src, 'ver=') !== false) {
            $src = remove_query_arg('ver', $src);
        }
        return $src;
    }
    add_filter('style_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);
    add_filter('script_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);

    2. Stop File Hotlinking
    Add to root .htaccess file (can add other file types as well (videos, zip files, etc.)):

    # STOP HOTLINKING (METHOD 1)
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?example\.com [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [NC,F,L]
    </IfModule>

    3. Block Bad Bots
    Add to root .htaccess file:

    # BLOCK BAD BOTS
    <IfModule mod_rewrite.c>
    
    RewriteCond %{HTTP_USER_AGENT} (360Spider|acapbot|acoonbot|alexibot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|miner|majestic|mechanize|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|rogerbot|scooter|seekerspider|semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg) [NC]
    
    RewriteRule .* - [F,L]
    
    </IfModule>

  • #38326
    AITpro Admin
    Keymaster

    #1.  You can remove the WP version number using the action and filter you posted above without causing any problems, but it is still very easy to get your WP version number even if you also remove scripts and styles version Query Strings.  Removing the scripts and styles version Query Strings could cause minor to major problems.  Query Strings are cached.  When the version number (or anything for that matter) in a Query String changes, the URI and Query String cache will be updated.  If on the other hand the Query String is not changed or updated then the URI script or style will not be updated in cache.  There are numerous problems that could occur based on the caching methods you are using and of course what Browsers are caching.  Website speed testing websites may recommend removing the version Query Strings (the last time I checked a long time ago), but they don’t take into account that the website is a WordPress website site type – that may have changed since I last checked a website speed testing website.  So I don’t recommend that you do any of these things.

    #2.  Hotlink protection is definitely useful and will not cause any problems that I am aware of.

    #3.  Blocking bad bots is useful as long as your list of bad bots is not excessive – i.e. 10,000+ lines of htaccess code.  So you would not want to list every known bad bot and just list/block the worst bad bots that are known to make random requests very frequently.
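
To check what the two .htaccess rules from the first post would do before deploying them, the following added example (not code from either poster or from BulletProof Security) replays their patterns in Python over constructed requests. The bot pattern is cut down to seven tokens from the posted list, and every sample path, referer and user agent is made up.

```python
import re

# Patterns copied from the .htaccess rules in the first post ([NC] -> re.I).
REFERER_OK = re.compile(r"^http(s)?://([^.]+\.)?example\.com", re.I)
IMAGE_PATH = re.compile(r"\.(gif|jpe?g?|png)$", re.I)
# Assumption: seven tokens taken from the posted list, to keep this short.
BAD_BOTS = re.compile(r"(httrack|nikto|sqlmap|python|loader|miner|extract)", re.I)


def hotlink_blocked(path, referer):
    """True when the hotlink rule would answer 403 Forbidden."""
    if referer == "":               # RewriteCond %{HTTP_REFERER} !^$
        return False                # no Referer header: always served
    if REFERER_OK.search(referer):  # second RewriteCond, negated with "!"
        return False                # own site or a one-level subdomain
    return bool(IMAGE_PATH.search(path))  # RewriteRule ... - [NC,F,L]


def bot_blocked(user_agent):
    """True when the bad-bot rule would answer 403 (substring match)."""
    return bool(BAD_BOTS.search(user_agent))


def status(req):
    """HTTP status the two rules together would produce for one request."""
    blocked = bot_blocked(req["ua"]) or hotlink_blocked(req["path"], req["referer"])
    return 403 if blocked else 200


BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
# Constructed requests; hosts, paths and user agents are made up.
SAMPLES = [
    {"path": "wp-content/uploads/a.jpg", "referer": "", "ua": BROWSER},
    {"path": "wp-content/uploads/a.jpg", "referer": "https://www.example.com/post/", "ua": BROWSER},
    {"path": "wp-content/uploads/a.PNG", "referer": "https://other.test/page", "ua": BROWSER},
    {"path": "wp-content/uploads/a.webp", "referer": "https://other.test/page", "ua": BROWSER},
    {"path": "index.php", "referer": "", "ua": "HTTrack 3.0x"},
    # Hypothetical partner integration caught by the "loader" token.
    {"path": "feed/", "referer": "", "ua": "PartnerFeedLoader/1.0"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(status(req), req["path"], req["referer"] or "-", req["ua"][:30])
```

Feeding user agents from your own access log through `bot_blocked` shows which legitimate clients a broad token such as `loader` or `python` would turn away.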
