WordPress.org

readme.html is security hole (3 posts)

  1. MECU
    Member
    Posted 4 years ago #

    Having the file readme.html available on a website tells a would-be hacker exactly what version of WordPress is being used. If someone hasn't updated and is still on, say for example, 3.0 and not 3.0.1, a hacker then knows immediately what vulnerabilities there are.

    You should delete this file. It could be changed into a readme.php file where the isAdmin() [or whatever it is] is checked but this reduces visibility for off-line folks.

    This is the same reasoning why the version isn't published on each webpage on a site.

  2. ClaytonJames
    Member
    Posted 4 years ago #

    This is the same reasoning why the version isn't published on each webpage on a site.

    It is if you haven't taken explicit measures to remove or obscure it. All you need to do is look at the source code of any page on any WordPress site, and there it is:

    <meta name="generator" content="WordPress 3.0.1" />

    By obscuring I mean something like:

    <meta name="generator" content="WordPress abc" />

    Rather than the version number.

    :-)

  3. mrmist
    Forum Janitor
    Posted 4 years ago #

    Most hacks are drive-bys; they don't check the version in advance of deploying the hack. So it'd make little difference.
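A defender-side check for the two disclosure channels discussed in posts 1 and 2 (the generator meta tag and readme.html), as an added Python example that is not part of this thread; it also flags `?ver=` query strings on enqueued assets, which WordPress fills with the core version by default, as a generalization beyond what the posts mention. All HTML inputs below are constructed samples, not fetched from any site.

```python
import re
from typing import Optional

# Constructed sample <head> of a site that leaks its version (not a real site).
LEAKY_PAGE = """<html><head>
<meta name="generator" content="WordPress 3.0.1" />
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css?ver=3.0.1" />
</head><body></body></html>"""

# Constructed sample after the generator tag has been obscured as post 2 suggests
# and the stylesheet has been enqueued with an explicit, non-version ver string.
OBSCURED_PAGE = """<html><head>
<meta name="generator" content="WordPress abc" />
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css?ver=20100101" />
</head><body></body></html>"""

# Constructed fragment in the shape of the heading in WordPress's readme.html.
LEAKY_README = '<h1 id="logo"><img alt="WordPress" /><br /> Version 3.0.1</h1>'

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([^"]*)"', re.I)
README_RE = re.compile(r'Version\s+(\d+(?:\.\d+)+)')
VER_PARAM_RE = re.compile(r'[?&]ver=(\d+(?:\.\d+)+)\b')
VERSION_RE = re.compile(r'^\d+(?:\.\d+)+$')  # dotted numeric string, e.g. 3.0.1


def find_version_leaks(page_html: str, readme_html: Optional[str]) -> dict:
    """Return the channels that expose a real-looking WordPress version.

    page_html:   HTML of any front-end page of the site.
    readme_html: contents of /readme.html, or None if the file returns 404.
    """
    leaks = {}
    m = GENERATOR_RE.search(page_html)
    # "WordPress abc" is ignored: only a dotted numeric version counts as a leak.
    if m and VERSION_RE.match(m.group(1).strip()):
        leaks["generator_meta"] = m.group(1).strip()
    # Assets enqueued without an explicit version carry the core version in ?ver=.
    vers = set(VER_PARAM_RE.findall(page_html))
    if vers:
        leaks["asset_ver_param"] = sorted(vers)
    if readme_html is not None:
        r = README_RE.search(readme_html)
        if r:
            leaks["readme_html"] = r.group(1)
    return leaks
```

In WordPress the generator tag is printed by the `wp_generator` action hooked to `wp_head`, so `remove_action('wp_head', 'wp_generator')` in a plugin suppresses it; readme.html is a static file served before WordPress loads, so it has to be deleted or denied at the web server rather than in PHP.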

Topic Closed

This topic has been closed to new replies.
