Home » Coding, Tools

wordpress version finder

23 May 2012 5 Comments

I was thinking about wordpress version enumeration and while the meta generator tag is very explicit but it’s not always showing since some (most?) public/custom themes don’t show that meta tag.

So while playing with wordpress i discovered a way of enumerating the version.
If you request domain.com/wp-login.php you will get this in the HTML response:

<link rel=’stylesheet’ id=’colors-fresh-css’ href=’ $ DOMAIN/wp-admin/css/colors-fresh.css?ver= $VERSION ‘ type=’text/css’ media=’all’ />

(or in older versions)

<link rel=’stylesheet’ id=’login-css’ href=’$DOMAIN/wp-admin/css/login.css?ver=$VERSION’ type=’text/css’ media=’all’ />

Each $VERSION relates to a different wordpress version.

With the help of core.svn.wordpress.org/tags/2.7/wp-includes/script-loader.php
(2.8/wp-includes/script-loader.php.. etc) i made a list

WP-version $colors_version
2.7   20081210
2.7.1 20081210
2.8   20090610
2.8.1 20090625
2.8.2 20090625
2.8.3 20090625
2.8.4 20090625
2.8.5 20090625
2.8.6 20090625
2.9   20091217
2.9.1 20091217
2.9.2 20091217
3.0   20100610
3.0.1 20100610
3.0.2 20100610
3.0.3 20100610
3.0.4 20100610
3.0.5 20100610
3.0.6 20100610
3.1   20110121
3.1.1 20110121
3.1.2 20110121
3.1.3 20110121
3.1.4 20110121
3.2   20110703
3.2.1 20110703
3.3   20111206
3.3.1 20111206



This can be brought down to:

2.7   20081210
2.7.x 20081210
2.8   20090610
2.8.x 20090625
2.9   20091217
2.9.x 20091217
3.0   20100610
3.0.x 20100610
3.1   20110121
3.1.x 20110121
3.2   20110703
3.2.x 20110703
3.3   20111206
3.3.x 20111206

Here is a working demo of detection http://0xa.li/wp-version.php
And here is the source http://0xa.li/wp-version.phps

5 Comments »

  • John Bonello said:

    Good reading, though I did some testing and can confirm that out of 10 blogs, I’ve only found such information on 4 blogs. Most of the blogs do not contain any version number (nowhere in the wp-admin), as per the sample below:

    I’ve searched thoroughly throughout the page and saw nothing. I’d like also to point out that the domains who are not showing the version number are almost vanilla wordpress with some comments and do not have any type of security plugin.

    Since the theme should not affect formatting of such page (as far as I know), any idea what it could be?

  • 0xAli (author) said:

    Do they happen to be hosted at wordpress.com? Andrew Waite (@infosanity) discovered that they don’t show up as expected.

    Also it doesn’t work against my blog because i use the “Stop Spammer Registrations Plugin” for some reason it protects against it.

  • John Bonello said:

    Wanted to add another comment, when I used the working demo, in fact it reports “Not WordPress”.

  • John Bonello said:

    Hi 0xaAli,

    No wordpress.com blogs. I am speaking about self hosted blogs (downloaded from WordPress.org).

  • Chad said:

    Thanks, this came in handy.

Your opinion matters!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.