
Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic)
Open, MediumPublic

Description

curl -vs blog.wikimedia.org 2>&1 >/dev/null | fgrep X-hacker

X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

We should recruit for WMF instead of automattic. :-D

This currently is served on:

  • blog.wikimedia.org
  • policy.wikimedia.org
  • wikimediafoundation.org
  • wikimediaendowment.org
  • techblog.wikimedia.org

See also https://wpvip.com/documentation/x-hacker-and-x-powered-by-http-headers/

Add this to the theme's functions.php to remove it:

/**
 * Filter X-hacker output.
 *
 * Note: $headers keys are case-sensitive. 'X-hacker' is the case the origin
 * sends (see the plain-HTTP curl output above); HTTP/2 clients display the
 * name lowercased, so do not copy the key from an HTTPS curl run.
 */
add_filter( 'wp_headers', function( $headers ) {
    if ( isset( $headers['X-hacker'] ) ) {
        unset( $headers['X-hacker'] );
    }
    return $headers;
}, 999 );
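As an added example, not part of this task or of WordPress VIP's code: a small POSIX shell audit that reads a captured response header block (the output of the curl command above, or of `curl -sI`) and flags the headers this task and later comments call out (x-hacker, x-nananana, x-powered-by, x-pingback). It matches header names case-insensitively, because HTTP/2 lowercases them while HTTP/1.1 keeps the case the origin sent, so a `fgrep X-hacker` against an HTTPS response misses the header. The watch list, the function name `audit_headers` and the sample response are constructed for the example; the sample values are copied from this thread.

```shell
#!/bin/sh
# Added example, not part of the task or of WordPress VIP's code: audit a
# captured HTTP response header block for the information-disclosure headers
# this task discusses. Input is read from stdin in the form produced by
# `curl -vs URL 2>&1` (response lines prefixed "< ") or `curl -sI URL`.
# Matching is case-insensitive because HTTP/2 lowercases header names while
# HTTP/1.1 keeps the origin's case.

# Constructed watch list: header name, then the reason it is flagged.
WATCH_LIST='x-hacker:recruiting banner injected by the hosting provider
x-nananana:reveals the page cache (Batcache) in use
x-powered-by:reveals the hosting platform
x-pingback:reveals the XML-RPC endpoint'

# audit_headers: stdin = header dump; stdout = one "name: value  (reason)" line
# per flagged header. Exit status 1 if anything was flagged, 0 if clean.
audit_headers() {
    tr -d '\r' | sed 's/^< //' | awk -v watch="$WATCH_LIST" '
        BEGIN {
            n = split(watch, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, ":")
                reason[kv[1]] = substr(rows[i], length(kv[1]) + 2)
            }
        }
        # Only "Name: value" lines; the status line (HTTP/2 200) has no colon
        # directly after a token of name characters, so it is skipped.
        /^[A-Za-z0-9-]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name in reason) {
                value = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", value)
                printf "%s: %s  (%s)\n", name, value, reason[name]
                hits++
            }
        }
        END { exit (hits > 0 ? 1 : 0) }
    '
}

# Stand-alone demo on a constructed response (values copied from the thread).
SAMPLE='< HTTP/2 200
< x-hacker: If you are reading this, you should visit automattic.com/jobs
< x-pingback: https://policy.wikimedia.org/xmlrpc.php
< content-type: text/html; charset=UTF-8'

if printf '%s\n' "$SAMPLE" | audit_headers; then
    echo "clean"
else
    echo "disclosure headers present"
fi
```

Against a live site the input would come from `curl -vs https://policy.wikimedia.org 2>&1 >/dev/null | audit_headers`; adding `--http1.1` to curl shows the header name in the case the origin actually sends it, which is the case the PHP filter's array key has to match.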

Details

Reference
bz68982

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:26 AM
bzimport added a project: Wikimedia-Blog.
bzimport set Reference to bz68982.
bzimport added a subscriber: Unknown Object (MLST).
jeremyb created this task.Aug 1 2014, 2:56 AM

I can't help but wonder if they're allowed to use that header at all...

jayvdb awarded a token.Jan 1 2015, 1:55 AM
Florian added a subscriber: Florian.Jan 1 2015, 2:43 PM
scfc added a subscriber: scfc.Jan 1 2015, 3:20 PM

Everyone's allowed to use any header :)

Well, this is my personal opinion, but I would expect WMF to completely disallow such advertising on Wikimedia sites in the contract.

Nnemo added a subscriber: Nnemo.Mar 1 2015, 6:56 AM
Qgil edited projects, added WMF-Legal; removed WMF-Human-Resources.Aug 14 2015, 9:01 AM
Restricted Application added a subscriber: Aklapper.Aug 14 2015, 9:01 AM
jrbs added a subscriber: jrbs.Sep 12 2015, 3:53 AM
Restricted Application added a subscriber: JEumerus.Apr 14 2016, 12:55 AM
ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board.Apr 14 2016, 12:55 AM

Yes:

alex@alex-laptop:~$ curl -vs https://blog.wikimedia.org 2>&1 >/dev/null | fgrep X-hacker
< X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
revi added a subscriber: revi.Aug 20 2017, 12:06 PM
Bawolff added a subscriber: JBennett.

@JBennett just pointed out that this also applies to wikimediafoundation.org

Krenair renamed this task from Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org to Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org and wikimediafoundation.org.Aug 31 2018, 1:54 PM
chasemp updated the task description. (Show Details)Aug 31 2018, 2:39 PM
chasemp added a project: Security-Team.
chasemp renamed this task from Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org and wikimediafoundation.org to Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic .Aug 31 2018, 3:26 PM
chasemp updated the task description. (Show Details)

Is this gone now? I can no longer reproduce atm.

Jgreen added a subscriber: Jgreen.Aug 31 2018, 4:05 PM

> Is this gone now? I can no longer reproduce atm.

I see it still on both blog and wikimediafoundation sites, but the header shows up lowercase in curl output:

jgreen@weasel:~> curl -vs https://wikimediafoundation.org 2>&1 |grep -i X-hacker
< x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

> > Is this gone now? I can no longer reproduce atm.
>
> I see it still on both blog and wikimediafoundation sites, but the header shows up lowercase in curl output:
>
> jgreen@weasel:~> curl -vs https://wikimediafoundation.org 2>&1 |grep -i X-hacker
> < x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

Ah yes, thanks @Jgreen

Addshore added a subscriber: Addshore.
chasemp moved this task from Incoming to To Follow Up on the Security-Team board.Sep 4 2018, 3:27 PM

Naturally, this applies to policy.wikimedia.org as well.

Krinkle updated the task description. (Show Details)Sep 8 2018, 11:52 PM
Krinkle removed a subscriber: wikibugs-l-list.
Varnent added a subscriber: Varnent.

This has been resolved on wikimediafoundation.org. It will be resolved on blog.wikimedia.org when we archive the site in the coming months.

Jcross moved this task from To Follow Up to Waiting on the Security-Team board.Sep 23 2019, 4:12 PM
sbassett added a subscriber: sbassett.EditedSep 23 2019, 4:20 PM

@Varnent -

I know this task is probably low-priority, but is there any update on blog.wikimedia.org and/or policy.wikimedia.org? Both still have the x-hacker: If you're reading this... header. Additionally, blog.wikimedia.org has an amusing but possibly inappropriate x-nananana: Batcache header and policy.wikimedia.org has x-powered-by: WordPress.com VIP <https://wpvip.com> and x-pingback: https://policy.wikimedia.org/xmlrpc.php headers, which provide some information disclosure and probably shouldn't be sent if they do not have to be.

> @Varnent -
>
> I know this task is probably low-priority, but is there any update on blog.wikimedia.org and/or policy.wikimedia.org? Both still have the x-hacker: If you're reading this... header. Additionally, blog.wikimedia.org has an amusing but possibly inappropriate x-nananana: Batcache header and policy.wikimedia.org has x-powered-by: WordPress.com VIP <https://wpvip.com> and x-pingback: https://policy.wikimedia.org/xmlrpc.php headers, which provide some information disclosure and probably shouldn't be sent if they do not have to be.

The policy site is managed by the Legal team - although I could probably help them with a patch if I can dig up what we did for the Foundation site. The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Thanks for the reply, @Varnent:

> The policy site is managed by the Legal team - although I could probably help them with a patch if I can dig up what we did for the Foundation site.

Is there a technical contact on WMF-Legal for that site? Otherwise, we probably want to be proactive here and create and deploy the patch for them. Happy to help, though I obviously do not have access to the Automattic servers.

> The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Ok. Is there an open task for it?

EdErhart-WMF added a comment.EditedSep 25 2019, 6:06 PM

> > The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.
>
> Ok. Is there an open task for it?

Yup! It's T193912.

jrbs added a subscriber: Slaporte.Sep 25 2019, 6:10 PM

> Is there a technical contact on WMF-Legal for that site? Otherwise, we probably want to be proactive here and create and deploy the patch for them. Happy to help, though I obviously do not have access to the Automattic servers.

Best person to poke would probably be @Slaporte. He has a more involved role these days than when he was the "tech guy" for Legal :) so may be harder to reach him now.

Florian removed a subscriber: Florian.Sep 26 2019, 7:06 PM
revi added a comment.May 9 2020, 8:49 PM

TechBlog has slightly modified version of this.

x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
RhinosF1 added a subscriber: RhinosF1.
Krinkle updated the task description. (Show Details)May 20 2020, 7:47 PM

Per the link that @Krinkle just added this seems super easy to remove.
Or to decide that we are not going to remove it?
Perhaps the team in control could make that decision and remove it or close this task? :)

CKoerner_WMF renamed this task from Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic to Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic).May 27 2020, 7:52 PM
CKoerner_WMF updated the task description. (Show Details)
CKoerner_WMF updated the task description. (Show Details)

I updated the task with the current status of blogs hosted by VIP. I've submitted a pull request for the techblog. (https://github.com/wikimedia/wpvip-wikimedia-techblog/pull/2).

Why the heck am I here? We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space) so I wanted to make sure I did this for our own development going forward. :)

> We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space)

@CKoerner_WMF: That raises some questions (e.g. what happens to its current content). Is there a related technical task about this which has more info?

> @CKoerner_WMF: That raises some questions (e.g. what happens to its current content). Is there a related technical task about this which has more info?

I'm starting to document more. A few tasks in WMF-Communications and https://meta.wikimedia.org/wiki/Diff_(blog)

The old blog.wikimedia.org content will remain.