readme.html renamed : hack?

  • Resolved floraciel

    (@floraciel)


    5 years, 3 months ago

    Hello,

    I have installed Wordfence to protect my website.
    I noticed that the readme.html file at the root of my site has been renamed to readme.697831eea5abd613a8e87f6a920d45f3.html

    When I asked on some forums, I was told that it could be the action of a hacker.
    However Wordfence did not detect any file changes in its scan.

    Could you please answer my questions?

    1) Why didn’t Wordfence detect this file renaming in its scan?

    2) My web host told me that the renaming could be done by my security plugin to prevent access to this file. Does Wordfence do this? Or should I worry about potential hacking on my site?

    Thank you!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    5 years, 3 months ago

    Hi @floraciel, thanks for your question.

    Your host is correct. This is actually the Wordfence > All Options > General Wordfence Options > Hide WordPress version feature. As the readme.html is a widely known file in WordPress installations, it usually refers to the currently installed version so the random string is to prevent it from being easily guessed.

    Thanks,

    Peter.

    Thread Starter floraciel

    (@floraciel)

    5 years, 3 months ago

    Hi @wfpeter,

    Okay, thanks.

    Does the Wordfence > All Options > General Wordfence Options > Hide WordPress version feature modify other files ? If yes, which one? and what are the modifications?

    Also why Wordfence does not advise to check this feature?
    “We generally recommend that you do not enable this anymore, since there are other methods of determining the WordPress version (“fingerprinting” of static content, like css and javascript files), and it will be disabled on new installations.”

    Don’t you think it is better to hide the WordPress version in all the files it is written?

    Thanks

    Plugin Support wfpeter

    (@wfpeter)

    5 years, 3 months ago

    Hi @floraciel,

    To my knowledge, that plugin feature does not alter other files. Let me know if you’re seeing any other unexplained renames that don’t look like the same method as the readme.html.

    The feature is a long-standing one as far as Wordfence is concerned. As time has progressed and we’ve gathered more evidence of attacks and how they’re performed, we’ve noticed most attacks do not check for specific plugins or WordPress versions before targeting a site. It’s more efficient for them to “hope for the best” rather than wasting resources looking into the sites they’re targeting first. That’s why we don’t put as much emphasis on security-by-obscurity as we may have in the past.

    Keeping your passwords secure, enabling 2FA where possible and keeping your versions up-to-dates are the most important actions you can take in addition to running the Wordfence firewall & malware scanner.

    Thanks again,

    Peter.

    Thread Starter floraciel

    (@floraciel)

    5 years, 3 months ago

    Hi @wfpeter,

    Thank you very much for your explanations. Everything is clear now!

    Plugin Support wfpeter

    (@wfpeter)

    5 years, 3 months ago

    Hi @floraciel,

    No problem at all, if you ever have other Wordfence questions in the future, don’t hesitate to start a new topic and we’ll always be glad to help.

    Peter.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘readme.html renamed : hack?’ is closed to new replies.