When you install WordPress, several default files are deposited into your root directory. One of these—the seemingly harmless readme.html—contains basic installation information, instructions, and, most importantly, the exact version of WordPress you are running.
While it might appear to be just an informative document, to an attacker, this file is a map that indicates exactly which vulnerabilities to exploit.
The Risk: Information Disclosure
Discovering that the readme.html file is publicly accessible is classified as a medium severity security issue. The core problem is “Information Disclosure,” which provides malicious actors with vital intelligence about your server environment.
For example, displaying the version number allows attackers to look up version-specific vulnerabilities. If your site is even one minor release behind, a hacker can consult vulnerability databases, such as the one maintained by WPScan, to find the precise “door” left open in your system. In the hands of an attacker, knowing your software version is the first step toward a successful, targeted attack.
Why Is This Still a Problem?
Historically, WordPress displayed the version number in the site’s footer to assist with technical support. Modern versions have removed this practice for security reasons, yet the readme.html file is still included by default with every update. If you can see the version number via this file or in your footer, it is a clear indicator that your site is vulnerable or overdue for an update.
How to Mitigate the Risk
There are three primary ways to resolve this exposure, ranging from manual cleanup to server-level hardening:
- Manual Deletion (The Quickest Path): The fastest way to close this gap is to simply delete the readme.html file (and the accompanying license.txt) from your root directory via FTP or your hosting File Manager. These files are not required for your site to function.
- Protection via .htaccess (The Hardening Path): You can use your .htaccess configuration file to block access to these files without deleting them. Adding a specific rule to the .htaccess in your root directory tells the server to deny any request for the file from a web browser, so it stays on disk for reference but is no longer served.
- Restrict Directory Browsing: Often, these files are discovered because “directory browsing” is enabled, allowing anyone to see a full list of files within your folders. Adding the instruction Options -Indexes to your .htaccess file ensures that even if the file exists, it is not listed to anyone browsing the folder. Note that a scanner that requests /readme.html by its well-known path is not stopped by this alone; only deleting or blocking the file itself closes that route.
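The .htaccess rules described in the second and third items, written out as an added example (not taken from the original post). It assumes an Apache host whose AllowOverride setting permits FileInfo, AuthConfig and Options directives in the WordPress root .htaccess:

```apache
# Deny web access to the default WordPress files that reveal the installed version.
# Works on Apache 2.4 (mod_authz_core) and falls back to 2.2 syntax on older hosts.
<FilesMatch "^(readme\.html|license\.txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Turn off directory listings so folders without an index file are not enumerable.
Options -Indexes
```

After saving, a request for /readme.html should return 403 Forbidden; if the whole site instead returns a 500 error, the host's AllowOverride does not permit the Options directive, so remove that line and ask the host to disable indexes in the server configuration.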
Conclusion
WordPress security is built in layers, and “Removing Disclosures” is a fundamental layer of a hardened site. Eliminating access to readme.html strips an attacker of vital information, making your site a much harder and less predictable target.