Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	jeremyb
	Aug 1 2014, 2:56 AM

Description

curl -vs blog.wikimedia.org 2>&1 >/dev/null | fgrep X-hacker

X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

We should recruit for WMF instead of automattic. :-D

This currently is served on:

Add this to the them functions.php to remove:

/**
 * Filter X-hacker output.
 */
add_filter( 'wp_headers', function( $headers ) {
    if ( isset( $headers['X-hacker'] ) ) {
        unset( $headers['X-hacker'] );
    }
    return $headers;
}, 999 );

Details

Reference: bz68982

Related Objects

Mentioned In: T132104: Consider moving policy.wikimedia.org away from WordPress.com
Mentioned Here: T193912: Changes for old Wikimedia Blog when new Wikimedia Foundation website launches

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:26 AM

• bzimport added a project: Diff-blog.

• bzimport set Reference to bz68982.

• bzimport added a subscriber: Unknown Object (MLST).

jeremyb created this task.Aug 1 2014, 2:56 AM

jeremyb-phone added a project: WMF-Human-Resources.Jan 1 2015, 12:28 AM

jeremyb-phone set Security to None.

Ricordisamoa subscribed.Jan 1 2015, 12:29 AM

I can't help but wonder if they're allowed to use that header at all...

jayvdb awarded a token.Jan 1 2015, 1:55 AM

Florian subscribed.Jan 1 2015, 2:43 PM

scfc subscribed.Jan 1 2015, 3:20 PM

Theopolisme subscribed.Jan 1 2015, 6:02 PM

Nemo_bis awarded a token.Jan 2 2015, 9:59 PM

Everyone's allowed to use any header :)

Well, this is my personal opinion, but I would expect WMF to completely disallow such advertising on Wikimedia sites in the contract.

Nnemo subscribed.Mar 1 2015, 6:56 AM

Qgil edited projects, added WMF-Legal; removed WMF-Human-Resources.Aug 14 2015, 9:01 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 14 2015, 9:01 AM

jrbs subscribed.Sep 12 2015, 3:53 AM

Krinkle mentioned this in T132104: Consider moving policy.wikimedia.org away from WordPress.com .Apr 7 2016, 10:34 PM

• ZhouZ added subscribers: • MBrar.WMF, • ZhouZ.Apr 14 2016, 12:55 AM

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptApr 14 2016, 12:55 AM

• ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board.Apr 14 2016, 12:55 AM

@Krenair @yuvipanda is this still an issue?

Yes:

alex@alex-laptop:~$ curl -vs https://blog.wikimedia.org 2>&1 >/dev/null | fgrep X-hacker
< X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

• Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:58 PM

revi subscribed.Aug 20 2017, 12:06 PM

@JBennett just pointed out that this also applies to wikimediafoundation.org

Krenair renamed this task from Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org to Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org and wikimediafoundation.org.Aug 31 2018, 1:54 PM

• chasemp updated the task description. (Show Details)Aug 31 2018, 2:39 PM

• chasemp added a project: Security-Team.

• chasemp renamed this task from Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org and wikimediafoundation.org to Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic .Aug 31 2018, 3:26 PM

• chasemp updated the task description. (Show Details)

Is this gone now? I can no longer reproduce atm.

In T70982#4548927, @chasemp wrote:

Is this gone now? I can no longer reproduce atm.

I see it still on both blog and wikimediafoundation sites, but the header shows up lowercase in curl output:

jgreen@weasel:~> curl -vs https://wikimediafoundation.org 2>&1 |grep -i X-hacker
< x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

In T70982#4549007, @Jgreen wrote:

In T70982#4548927, @chasemp wrote:

Is this gone now? I can no longer reproduce atm.

I see it still on both blog and wikimediafoundation sites, but the header shows up lowercase in curl output:

jgreen@weasel:~> curl -vs https://wikimediafoundation.org 2>&1 |grep -i X-hacker
< x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

Ah yes, thanks @Jgreen

Addshore awarded a token.Sep 4 2018, 9:51 AM

Addshore subscribed.

• chasemp moved this task from Incoming to To Follow Up on the Security-Team board.Sep 4 2018, 3:27 PM

Varnent moved this task from Incoming to Maintenance on the wikimediafoundation.org board.Sep 5 2018, 9:54 PM

Naturally, this applies to policy.wikimedia.org as well.

Krinkle updated the task description. (Show Details)Sep 8 2018, 11:52 PM

Krinkle removed a subscriber: • wikibugs-l-list.

This has been resolved on wikimediafoundation.org. It will be resolved on blog.wikimedia.org when we archive the site in the coming months.

• Jcross moved this task from To Follow Up to Waiting on the Security-Team board.Sep 23 2019, 4:12 PM

@Varnent -

I know this task is probably low-priority, but is there any update on blog.wikimedia.org and/or policy.wikimedia.org? Both still have the x-hacker: If you're reading this... header. Additionally, blog.wikimedia.org has an amusing but possibly inappropriate x-nananana: Batcache header and policy.wikimedia.org has x-powered-by: WordPress.com VIP <https://wpvip.com> and x-pingback: https://policy.wikimedia.org/xmlrpc.php headers, which provide some information disclosure and probably shouldn't be sent if they do not have to be.

In T70982#5516652, @sbassett wrote:

@Varnent -

I know this task is probably low-priority, but is there any update on blog.wikimedia.org and/or policy.wikimedia.org? Both still have the x-hacker: If you're reading this... header. Additionally, blog.wikimedia.org has an amusing but possibly inappropriate x-nananana: Batcache header and policy.wikimedia.org has x-powered-by: WordPress.com VIP <https://wpvip.com> and x-pingback: https://policy.wikimedia.org/xmlrpc.php headers, which provide some information disclosure and probably shouldn't be sent if they do not have to be.

The policy site is managed by the Legal team - although I could probably help them with a patch if I can dig up what we did for the Foundation site. The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Thanks for the reply, @Varnent:

The policy site is managed by the Legal team - although I could probably help them with a patch if I can dig up what we did for the Foundation site.

Is there a technical contact on WMF-Legal for that site? Otherwise, we probably want to be proactive here and create and deploy the patch for them. Happy to help, though I obviously do not have access to the Automattic servers.

The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Ok. Is there an open task for it?

The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Ok. Is there an open task for it?

Yup! It's T193912.

In T70982#5522799, @sbassett wrote:

Is there a technical contact on WMF-Legal for that site? Otherwise, we probably want to be proactive here and create and deploy the patch for them. Happy to help, though I obviously do not have access to the Automattic servers.

Best person to poke would probably be @Slaporte. He has a more involved role these days than when he was the "tech guy" for Legal :) so may be harder to reach him now.

Florian unsubscribed.Sep 26 2019, 7:06 PM

TechBlog has slightly modified version of this.

x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.

RhinosF1 added a project: Technical Blog.May 9 2020, 8:55 PM

RhinosF1 subscribed.

Krinkle updated the task description. (Show Details)May 20 2020, 7:47 PM

Per the link that @Krinkle just added this seems super easy to remove.
Or to decide that we are not going to remove it?
Perhaps the team in control could make that decision and remove it or close this task? :)

CKoerner_WMF renamed this task from Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic to Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic).May 27 2020, 7:52 PM

CKoerner_WMF updated the task description. (Show Details)

I updated the task with the current status of blogs hosted by VIP. I've submitted a pull request for the techblog. (https://github.com/wikimedia/wpvip-wikimedia-techblog/pull/2).

Why the heck am I here? We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space) so I wanted to make sure I did this for our own development going forward. :)

In T70982#6170566, @CKoerner_WMF wrote:

We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space)

@CKoerner_WMF: That raises some questions (e.g. what happens to its current content). Is there a related technical task about this which has more info?

In T70982#6176378, @Aklapper wrote:

@CKoerner_WMF: That raises some questions (e.g. what happens to its current content). Is there a related technical task about this which has more info?

I'm starting to document more. A few tasks in WMF-Communications and https://meta.wikimedia.org/wiki/Diff_(blog)

The old blog.wikimeida.org content will remain.

Updating project tags to reflect current state.

Krinkle updated the task description. (Show Details)Jul 28 2020, 6:30 PM

bd808 moved this task from Backlog to Code changes on the Technical Blog board.Aug 1 2020, 11:12 PM

In T70982#6170566, @CKoerner_WMF wrote:

I updated the task with the current status of blogs hosted by VIP. I've submitted a pull request for the techblog. (https://github.com/wikimedia/wpvip-wikimedia-techblog/pull/2).

Why the heck am I here? We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space) so I wanted to make sure I did this for our own development going forward. :)

This has been merged as https://github.com/wpcomvip/wikimedia-techblog/pull/13/commits/4bc2d8e2c7838c464d7acaf7ea996acdd70750ee and deployed to the live blog.

bd808 moved this task from Code changes to Watching on the Technical Blog board.Aug 4 2020, 11:03 PM

Just noting the x-hacker header still exists for policy.wikimedia.org.

Looks like policy.wikimedia.org now redirects to https://wikimediafoundation.org/advocacy/, of which the domain already excludes that header. The newer soundlogo.wikimedia.org site also lacks the header, so it looks like this can be closed.

BCornwall updated the task description. (Show Details)Mar 2 2023, 7:55 PM

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Mar 2 2023, 8:00 PM

sbassett added a project: SecTeam-Processed.

Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic)Closed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic)
Closed, ResolvedPublic
Actions