Google announced it was planning to start notifying site owners about outdated CMS software back in November 2009. Until today, I hadn’t actually seen one of these notifications. For several sites running versions of WordPress 3.1.x this morning, I received an email telling me that the version of WordPress installed was out of date. Google publicly stated that its detection of version was based on the generator meta tag. For WordPress, this tag is set automatically based on the version you are currently running. While it’s nice of Google to let me know, I’m not sure how its efforts are more likely to convince me to upgrade than the nagging done inside the WordPress admin interface when I sign in. I’m also less sure of what else Google will decide to do with this data. For instance, if Google knows there are potential security holes in a version of WordPress and it sees your generator tag is listing this unsecured version, could the search algorithm use an outdated generator tag as one of the many signals with regard to site quality?
I do a fairly decent job of locking things down at the server level in general. I know anything can be hacked, but I’m taking a number of precautions that should reduce the most common risks. As a result, I don’t drop what I’m doing and upgrade to the latest version of WordPress the second it comes out. I know Matt Mullenweg and team are smart guys, but I like to wait and see what collateral damage comes from the latest version. There are always plugin incompatibilities and other quirks that emerge each time Automattic tweaks the code.
One of the things I have told people to do when securing WordPress through obscurity is to remove the generator tag. WordPress does not hard-code the tag in the theme's header.php; it prints it from its wp_generator function hooked to wp_head, so the clean way to drop it is to unhook that action in the theme's functions.php rather than edit the template. The tag serves no purpose to the outside world (though it is now evident Google actively uses it). When you sign in to the admin interface, WordPress still knows its own version with or without a meta tag in the public HTML. For a bot scanning for vulnerable WordPress installs, the generator tag is the quickest way to read the version and branch straight into "if version equals N, run attack Y". Take it away and a bot has to work slightly harder, but only slightly: the same version number also leaks through the ?ver= query string WordPress appends to enqueued scripts and stylesheets that carry no version of their own, through the <generator> element in the RSS feeds, and through the readme.html file shipped in the web root. And yes, I realize there are many other security considerations with greater impact than eliminating the generator.
What's interesting about Google even looking at the generator tag is how easily it can be gamed. I could hard-code anything in that tag. I could have it auto-increment. I could make WordPress claim to be Drupal or Movable Type. And what about sites with no generator tag at all? I have some custom applications built on PHP and MySQL, and as their only user I have no reason to emit one. In other words, the generator tag is a lousy signal of anything about a site, because lying in it costs nothing. Hopefully Google realizes this and isn't using the generator for anything beyond a friendly email.
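To make the two points above concrete, here is a small Python scanner run over four constructed front pages: stock WordPress, the same page with the generator tag unhooked, the same page with the tag spoofed to claim Drupal, and a custom PHP application with no tag at all. This is an added example written for this post; it is not code from the article, from WordPress or from Google. The HTML samples are constructed, and the TARGETED set is a made-up stand-in for whatever versions a real bot hunts, with no real vulnerability data behind it. The one real behaviour it relies on is that WordPress appends ?ver=<its own version> to enqueued scripts and styles that do not specify a version.

```python
"""How a scanner reads a WordPress version off the public front page.

Added example, not code from the original post or from WordPress/Google.
The four pages are constructed for illustration, and TARGETED is a made-up
set standing in for whatever versions a real bot is hunting.
"""
import re
from collections import Counter

# Constructed sample pages (not captured from any real site).
STOCK = (
    '<html><head><title>blog</title>\n'
    '<meta name="generator" content="WordPress 3.1.3" />\n'
    '<script src="/wp-includes/js/l10n.js?ver=20101110"></script>\n'
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=3.1.3" />\n'
    '</head><body></body></html>'
)
# Generator tag unhooked, but a stylesheet enqueued without an explicit
# version still carries ?ver=<WordPress version> and leaks the same number.
TAG_REMOVED = STOCK.replace(
    '<meta name="generator" content="WordPress 3.1.3" />\n', '')
# Generator tag hard-coded to lie about the platform.
SPOOFED = STOCK.replace('WordPress 3.1.3', 'Drupal 7 (http://drupal.org)')
# A custom PHP/MySQL application: no generator tag, no WordPress asset paths.
CUSTOM = (
    '<html><head><title>tool</title>\n'
    '<link rel="stylesheet" href="/css/app.css?v=3" />\n'
    '</head><body></body></html>'
)

# Hypothetical set of versions this bot is looking for (made up).
TARGETED = {"3.0.5", "3.1.3"}

META_RE = re.compile(r'<meta\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
# Release-looking ?ver= values on core or content asset paths only.
WP_ASSET_VER_RE = re.compile(
    r'/wp-(?:includes|content)/[^"\'\s>]*?[?&]ver=(\d+\.\d+(?:\.\d+)?)')


def generator_tag(html):
    """Return the content of <meta name="generator">, or None if absent."""
    for attrs in META_RE.findall(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        if a.get("name", "").lower() == "generator":
            return a.get("content")
    return None


def parse_generator(content):
    """Split 'WordPress 3.1.3' into ('WordPress', '3.1.3'); version may be None."""
    m = re.match(r'\s*(\S+)(?:\s+(\d+(?:\.\d+)*))?', content or "")
    return (m.group(1), m.group(2)) if m else None


def asset_version(html):
    """Most common release-looking ?ver= value on WordPress asset URLs, or None."""
    versions = Counter(WP_ASSET_VER_RE.findall(html))
    return versions.most_common(1)[0][0] if versions else None


def generator_only_check(html):
    """Google's stated method: trust the generator tag and nothing else."""
    claimed = parse_generator(generator_tag(html))
    return bool(claimed and claimed[0].lower() == "wordpress"
                and claimed[1] in TARGETED)


def fingerprint(html):
    """A slightly smarter bot: read both signals and note when they disagree."""
    gen = generator_tag(html)
    claimed = parse_generator(gen) if gen else None
    leaked = asset_version(html)
    if claimed and claimed[0].lower() == "wordpress" and claimed[1]:
        version, source = claimed[1], "generator"
        if leaked and leaked != version:
            source = "generator (conflicts with assets)"
    elif leaked:
        version, source = leaked, "asset ?ver="
    else:
        version, source = None, None
    return {"generator": gen, "version": version, "source": source,
            "targeted": version in TARGETED}


def main():
    for label, page in [("stock", STOCK), ("tag removed", TAG_REMOVED),
                        ("spoofed", SPOOFED), ("custom app", CUSTOM)]:
        fp = fingerprint(page)
        print(f"{label:12} generator-only={generator_only_check(page)!s:5} "
              f"version={fp['version']} via {fp['source']} targeted={fp['targeted']}")


if __name__ == "__main__":
    main()
```

Against the generator-only check, both the unhooked and the spoofed page walk free, which is the gaming the paragraph above describes. Against a bot that also reads the ?ver= query strings, both are still identified as 3.1.3, and the spoofed page is flagged as a generator tag that contradicts its own assets. Removing or faking the tag is therefore only worth doing alongside stripping the version from enqueued asset URLs, the feeds and readme.html.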
If you haven’t seen one of these emails it reads as follows:
Dear site owner or webmaster of [Site URL],
Your site appears to be running an older version of WordPress. Google recommends that you update to the latest release. Older or unpatched software may be vulnerable to hacking or malware that can hurt your users. To download the latest release, visit the WordPress download page.
If you have any additional questions about why you are receiving this message, Google has provided more background information in a blog post about this subject.
Google Search Quality Team
If Google is genuinely making an effort to improve the security of blogs and Web sites across the Internet, good for it. I can’t help feeling like this is a bit “Big Brother” in approach, particularly because WordPress already notifies when a new version is available. What if the underlying message here is: we know your software is out of date, and it’s going on your permanent record?