Monthly Archives: October 2015

Advanced Footprints Series: X-Powered-By Headers

In our last post we talked about HTTP headers such as the Server Header and the typical values we can expect they carry for servers running WordPress. But as we hinted previously, the Server Header is not the only HTTP header that gives out important information about servers hosting the websites. This time around, we’ll take a look at what other information we can expect to receive inside HTTP headers that webservers send us.

Let’s start with a quick refresher in case you haven’t read our previous blog post (though we highly recommend it). When we surf the internet, our browser (Firefox, Chrome, etc.) asks for a webpage from a webserver. A webpage is nothing more than information – from the photos and graphics to the text. There’s plenty we don’t see – some of this is code which instructs our browser on how to display the page, cookies for traffic and visitor analytics, metadata about the page and the server (often meant for search engines), etc. Metadata gets sent to our browser in the form of HTTP headers.

In the last post we talked specifically about the Server Header; today we’ll continue and take a look at another header that can easily be used to footprint webservers: the “X-Powered-By” header.

As you might guess, this tells us what technology is powering the website we’re currently visiting. With WordPress sites this is a version of PHP; other examples might be Microsoft’s ASP.NET, JBoss, etc.

We can easily check this header with Firefox for any website, just as we previously did with the Server Header. On a website, we right-click anywhere in a blank space and select “Inspect Element”. We select the “Network” tab and reload the webpage; this lists all the traffic which flows from the webserver to our browser. We find the first item, which is the HTML, the basic structure of the website. In the right half of the Inspect pane we select the Headers tab and scroll down to find the “X-Powered-By” header.
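The same check can be scripted for a whole list of sites you administer. The following is an added example, not code from the original post or from Easy Blog Networks: it fetches a page’s response headers with the standard library, reports whether the stack-disclosing `Server` and `X-Powered-By` headers are present, and lets the fetcher be swapped out so the reporting logic runs offline against constructed sample responses. The URLs and header values in `SAMPLE_RESPONSES` are made up for the example.

```python
import urllib.request
from typing import Callable, Dict, Mapping, Optional

# Response headers that commonly disclose the software stack behind a site.
DISCLOSING_HEADERS = ("Server", "X-Powered-By")


def audit_headers(headers: Mapping[str, str]) -> Dict[str, Optional[str]]:
    """Report which stack-disclosing headers a response carries.

    Header names are matched case-insensitively, so 'x-powered-by' and
    'X-Powered-By' are treated alike. Absent headers map to None.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return {name: lowered.get(name.lower()) for name in DISCLOSING_HEADERS}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch a page and return its response headers (the body is discarded).

    This is the live counterpart of the Firefox Network-tab check; it is not
    exercised offline in this example.
    """
    request = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.getheaders())


def check_sites(urls, fetcher: Callable[[str], Mapping[str, str]] = fetch_headers):
    """Audit several sites. 'fetcher' is injectable so the reporting logic
    can be tested without network access."""
    return {url: audit_headers(fetcher(url)) for url in urls}


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "http://blog-a.example": {
        "Date": "Thu, 01 Oct 2015 12:00:00 GMT",
        "Content-Type": "text/html; charset=UTF-8",
        "Server": "Apache",
        "X-Powered-By": "PHP/5.3.29",
    },
    "http://blog-b.example": {
        "content-type": "text/html; charset=UTF-8",
        "server": "nginx",
    },
}


if __name__ == "__main__":
    # Offline run: look sample responses up instead of fetching them.
    results = check_sites(SAMPLE_RESPONSES, fetcher=SAMPLE_RESPONSES.__getitem__)
    for url, found in results.items():
        print(url, found)
```

For a live run, call `check_sites(["https://your-site.example"])` with the default fetcher. On a PHP server the `X-Powered-By` value is written by the interpreter itself, and `expose_php = Off` in php.ini stops it being sent.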

[Image: network_tab]

As with last time, we’re using data from Shodan.io, a search engine for finding specific types of computers. This allows us to easily analyze data from 100,000 servers running WordPress.

We see that most servers return the X-Powered-By header, only slightly more than a fourth don’t:

[Image: is_powered_by_set]

And we can check the most common values for the X-Powered-By header:

[Image: x_powered_by]

This gives us the raw number of servers which return a specific value. Here we should mention that the first entry, PleskLin, comes from servers set up with the Plesk web hosting automation software. Let’s take a look at what percentage of these servers identify as being powered by a version of PHP:

[Image: powered_by_php]

Almost all of these run PHP 5:

[Image: php_version]

The minor versions (5.x) are considerably more varied:

[Image: php_subversion]

So the most common version is PHP 5.3, though this is itself split between patch releases (5.3.x). But what happens if we go back and consider all servers hosting WordPress?

Well, 28% of servers don’t pass the X-Powered-By header. The rest do, and as we saw earlier, they pretty much always specify the version of PHP down to at least one, usually two, decimal places (PHP 5.3.1, for instance). Some even add the server’s operating system on the end. So if we take the largest group, PHP 5.3, it actually represents 27.35% of all servers; these are then split among patch releases, with 5.3.29 being the most common at the time of writing this post.

[Image: php_and_os]

To put it another way: the typical server running WordPress doesn’t pass the X-Powered-By header at all. In second place are servers which pass some specific version of PHP 5.3; at the moment the largest group is 5.3.29, representing around 6% of all of the analyzed WordPress servers.
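The breakdown above (share of servers not sending the header, share of PHP among those that do, then the major, minor and patch-release distribution, and finally each group’s share of all servers) is simple to reproduce for your own data. The following is an added example, not the post’s own analysis code: it parses `X-Powered-By` values into PHP version components, keeping any trailing OS or distribution tag, and aggregates them the way the post does. `SAMPLE_X_POWERED_BY` is a constructed set of 20 values, not Shodan data, so its percentages are not the post’s figures.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Matches values such as "PHP/5.3.29", "PHP/5.4", "PHP/5.3.3-7+squeeze19" and
# "PHP/5.3.29 (Ubuntu)": 'ver' is the dotted version (one to three numbers),
# 'suffix' is whatever trails it (a distribution or OS tag, if any).
PHP_RE = re.compile(r"^PHP/(?P<ver>\d+(?:\.\d+){0,2})(?P<suffix>.*)$")


def parse_php(value: Optional[str]) -> Optional[dict]:
    """Split an X-Powered-By value into PHP version components.

    Returns None for an absent header or a non-PHP value. 'minor' and
    'patch' are None when the server reports fewer components.
    """
    if value is None:
        return None
    match = PHP_RE.match(value.strip())
    if not match:
        return None
    parts = match.group("ver").split(".")
    parts += [None] * (3 - len(parts))
    return {
        "major": parts[0],
        "minor": parts[1],
        "patch": parts[2],
        "suffix": match.group("suffix").strip() or None,
    }


def pct(part: int, whole: int) -> float:
    """Percentage rounded to two decimals; 0.0 for an empty population."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def summarise(values: Iterable[Optional[str]]) -> dict:
    """Aggregate X-Powered-By values (None = header not sent): share not set,
    share PHP among those sent, and the version breakdown both as raw counts
    and as a share of all servers."""
    values = list(values)
    total = len(values)
    sent = [v for v in values if v is not None]
    php = [p for p in map(parse_php, sent) if p]
    minor = Counter(f"{p['major']}.{p['minor']}" for p in php if p["minor"])
    patch = Counter(f"{p['major']}.{p['minor']}.{p['patch']}" for p in php if p["patch"])
    return {
        "total": total,
        "pct_not_set": pct(total - len(sent), total),
        "raw_values": Counter(sent),
        "pct_php_of_sent": pct(len(php), len(sent)),
        "major": Counter(p["major"] for p in php),
        "minor": minor,
        "patch": patch,
        "minor_pct_of_all": {k: pct(v, total) for k, v in minor.items()},
        "patch_pct_of_all": {k: pct(v, total) for k, v in patch.items()},
        "with_os_suffix": sum(1 for p in php if p["suffix"]),
    }


# Constructed sample of 20 servers (not Shodan data); None means the header
# was not returned.
SAMPLE_X_POWERED_BY = (
    [None] * 5
    + ["PleskLin"] * 2
    + ["PHP/5.3.29"] * 4
    + ["PHP/5.3.3", "PHP/5.3.29 (Ubuntu)"]
    + ["PHP/5.4.45"] * 3
    + ["PHP/5.5.30"] * 2
    + ["PHP/5.6.14", "ASP.NET"]
)


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_X_POWERED_BY).items():
        print(f"{key}: {value}")
```

Feed `summarise` the list of header values collected from your own servers (with `None` for servers that send nothing) to get the same tables for your fleet. The regex deliberately stops the version at the first non-numeric character so that distribution-style values such as `PHP/5.3.3-7+squeeze19` are still counted under 5.3.3.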

The Conclusion

The most common behavior for a WordPress server is to not pass the X-Powered-By header at all, so about a third of all your blogs shouldn’t be returning this header. In fact, for most of the headers we’ve discussed in this and the previous blog post, the common opinion among web developers is that they are simply not needed; most modern browsers ignore them.

You can easily check what your PBN blogs pass as an X-Powered-By header by using the steps described above. Don’t be surprised if all of them pass the same thing, even if that same thing is no header at all.

For users of Easy Blog Networks, don’t worry – we’ve got you covered. We pass different headers in a ratio which closely mimics the ratios we’ve talked about here. Around a third of our blogs don’t pass the X-Powered-By header, and those which do pass different values with varied PHP versions.

Because these versions are in constant flux (they tend to slowly go up as administrators update PHP), we make sure that the headers our servers pass are slowly changing as well.

[Image: all_headers]

Easy Blog Networks Update #15

It’s been a while since the last system update. There’s some really good news – we’ve seen the daily deindexation rate go down (it’s currently below 0.5%). Let’s keep it up, build quality blogs and make sure there are no footprints.

Here’s what we’ve been up to in the last few weeks:

  • Published Spider Blocker to WordPress.org.
  • Published a course on PBN building at PBNmasters.net, free for EBN users.
  • Open-sourced one of our older products, a simple rewriting plugin.
  • SEO metrics are now checking the correct URL if you’ve changed your blog address to www.
  • Better import that includes a simple clone plugin for easier manual imports.
  • Stability, security and speed optimization (managing almost a hundred servers is serious business).
  • Over 200 other issues resolved.

Things on the to-do list:

  • New hosting providers, DNS providers and more IPs.
  • New domain monitoring tool.
  • Blog presets so you don’t have to enter the same settings every time you install a blog.
  • New blog info page with blog analytics.

For any suggestions and comments, let us know!

Why you shouldn’t use Hide My WP or similar plugins for your PBN

Plugins that hide WordPress footprints are commonly suggested when people want an all-WordPress PBN that is not seen as such.

Unfortunately there are major issues with using these plugins. Yes, you could hide WordPress completely. However, that is a very complex task that requires moving the wp-admin and wp-content folders and rewriting the paths to CSS and JavaScript. It also means most plugins and themes would stop working, because they use hard-coded paths to wp-content.

[Image: Don't hide WP]

Plugins like HideMyWP or HideWP do not do that. They work at a shallower level and as such still leave obvious footprints that the website is WordPress. Two examples of those footprints are the directly reachable files xmlrpc.php and wp-cron.php (in the site root).

Besides that there is another issue, specifically with Hide My WP’s server footprint changer. In one case, one of our users chose Microsoft IIS as the server footprint. The plugin then created a file layout resembling that server setup. However, the server is still easily identifiable as Linux through its server headers, which makes the whole setup look ridiculous (you can’t run Microsoft IIS on Linux).

Our recommendation: if you want to randomize the backlinks to your sites, build a few Web2.0s instead. Or you can use plain site builders and upload them to a few shared hosts. Here are a few of them (PHP, no MySQL): HTMLy, Pico, Stacey, FlatPress, Razor CMS, GetSimple CMS, PivotX.

As for WordPress, keep it simple and plain as much as possible.