X-hacker and X-Powered-By HTTP Headers

By default, VIP adds two custom HTTP response headers to every application we host. These headers help us monitor our platform and can be useful when troubleshooting the origin of a request, but if required they can be removed.

HTTP headers are not visible when viewing a web page in a browser, nor when viewing the HTML source for that page. They are part of the HTTP protocol: they are sent with each request for a web page or API endpoint, and with each response, e.g. the web page or the API response.

HTTP headers added by our platform, along with all other request and response headers, can be inspected by savvy users using specific tools, e.g. cURL. Here is an example of the X-hacker and X-Powered-By HTTP headers added by our platform:

X-hacker: If you’re reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
X-Powered-By: WordPress.com VIP <https://wpvip.com>

How to change or remove the headers

To alter the headers, use the wp_headers filter to unset or modify them as desired. The source code contains the latest header keys and can be used as a reference.

The following snippet can be used to remove the X-hacker header:

add_filter( 'wp_headers', function( $headers ) {
    if ( isset( $headers['X-hacker'] ) ) {
        unset( $headers['X-hacker'] );
    }
    return $headers;
}, 999 );

To change the value of a header, replace the value with a new one. For example:

add_filter( 'wp_headers', function( $headers ) {
    $headers['X-hacker'] = 'Follow the white rabbit over to wpvip.com/careers to join our team.';
    $headers['X-Powered-By'] = 'WordPress VIP, an Automattic Production.';
    return $headers;
}, 999 );

These two snippets can also be mixed and matched as needed.

How to disable the privacy tools in WordPress

WordPress 4.9.6 and above will include five new GDPR tools: a privacy policy page, a privacy policy editing helper, a personal data export tool, a personal data erasure tool, and a permissions checkbox that is used with comments.

You can learn more about the release schedule and current feature set for WordPress 4.9.6 on the WordPress.org site.

On the WordPress.com VIP platform these tools will be disabled. On the VIP Go platform these tools will be available, but clients can choose to disable them. By default, the tools are disabled in Multisite for single-site administrators, but are still available for Super Admins.

You can use the map_meta_cap() filter to hide the following tools for all users:

  • privacy policy page
  • privacy policy editing helper
  • personal data export tool
  • personal data erasure tool

If you only want to restrict access to a small group of users (admins, for example), the user_has_cap() filter would work as well, with some modifications.

/**
 * Disable the privacy tools added in WordPress 4.9.6.
 *
 * @param array  $required_capabilities The primitive capabilities that are required to perform the requested meta capability.
 * @param string $requested_capability  The requested meta capability.
 * @param int    $user_id               The user ID.
 * @param array  $args                  Adds the context to the cap. Typically the object ID.
 *
 * @return array The primitive capabilities that are required to perform the requested meta capability.
 */
function disable_496_privacy_tools( $required_capabilities, $requested_capability, $user_id, $args ) {
    $privacy_capabilities = array( 'manage_privacy_options', 'erase_others_personal_data', 'export_others_personal_data' );

    // Strict comparison so only an exact capability name matches.
    if ( in_array( $requested_capability, $privacy_capabilities, true ) ) {
        // 'do_not_allow' denies the capability to every user.
        $required_capabilities[] = 'do_not_allow';
    }

    return $required_capabilities;
}
add_filter( 'map_meta_cap', 'disable_496_privacy_tools', 10, 4 );
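
The user_has_cap alternative mentioned above could look like the following. This is an added example, not VIP's own code; the function name example_limit_privacy_tools and the user IDs in the allowlist are hypothetical and must be replaced with your own.

```php
<?php
/**
 * Limit the privacy tools added in WordPress 4.9.6 to an allowlist of users.
 *
 * Caveat: on Multisite, WP_User::has_cap() returns early for Super Admins
 * before the user_has_cap filter runs, so this filter does not restrict them.
 * The map_meta_cap approach with 'do_not_allow' does.
 *
 * @param array   $allcaps All capabilities the user currently has (cap => bool).
 * @param array   $caps    Primitive capabilities required for this check.
 * @param array   $args    [0] requested capability, [1] user ID, then context.
 * @param WP_User $user    The user being checked.
 *
 * @return array The (possibly reduced) capabilities used for this check only.
 */
function example_limit_privacy_tools( $allcaps, $caps, $args, $user ) {
    $privacy_capabilities = array( 'manage_privacy_options', 'erase_others_personal_data', 'export_others_personal_data' );

    // Hypothetical allowlist: constructed sample user IDs.
    $allowed_user_ids = array( 2, 7 );

    // Leave every check that is not about the privacy tools untouched.
    if ( empty( $args[0] ) || ! in_array( $args[0], $privacy_capabilities, true ) ) {
        return $allcaps;
    }

    // Allowlisted users keep whatever access their role already grants.
    if ( in_array( (int) $user->ID, $allowed_user_ids, true ) ) {
        return $allcaps;
    }

    // Everyone else: clear each primitive capability this check depends on.
    // The change applies to this capability check only, not to the stored role.
    foreach ( $caps as $cap ) {
        $allcaps[ $cap ] = false;
    }

    return $allcaps;
}
add_filter( 'user_has_cap', 'example_limit_privacy_tools', 10, 4 );
```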

The permissions checkbox that is used with comments can be disabled using the comment_form_default_fields filter.
