readme.html is security hole (Support » Requests and Feedback)

  • Having the file readme.html available on a website tells a would-be hacker exactly what version of WordPress is being used. If someone hasn’t updated, say, for example, they are still on 3.0 and not 3.0.1, a hacker then knows immediately what vulnerabilities there are.

    You should delete this file. It could be changed into a readme.php file where isAdmin() [or whatever it is] is checked, but this reduces visibility for off-line folks.

    This is the same reason the version isn’t published on each webpage on a site.

Viewing 2 replies - 1 through 2 (of 2 total)
  • This is the same reasoning why the version isn’t published on each webpage on a site.

    It is if you haven’t taken explicit measures to remove or obscure it. All you need to do is look at the source code of any page on any WordPress site, and there it is:

    <meta name="generator" content="WordPress 3.0.1" />

    By obscuring I mean something like:

    <meta name="generator" content="WordPress abc" />

    Rather than the version number.

    🙂
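The reply above shows the two places a site owner can check for the leak: the generator meta tag in every page, and the version line in readme.html. The following is an added self-audit example (not code from the thread or from WordPress): it parses page HTML with the standard library, reports only a numeric version after "WordPress" (so an obscured tag like "WordPress abc" passes), and reads the version out of a readme-style snippet. The sample HTML strings are constructed for the example, and the shape of the readme heading is an assumption about how the shipped file lays out its version line.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional

# Constructed sample pages for the example (not captured from any real site).
PAGE_DISCLOSING = '<html><head><meta name="generator" content="WordPress 3.0.1" /></head><body></body></html>'
PAGE_OBSCURED = '<html><head><meta content="WordPress abc" name="generator" /></head><body></body></html>'
PAGE_STRIPPED = '<html><head><title>Blog</title></head><body></body></html>'
# Assumed shape of the version line in a shipped readme.html (constructed sample).
README_SAMPLE = '<h1 id="logo">WordPress<br /> Version 3.0.1</h1>'

# A real version is digits separated by dots; anything else gives nothing away.
VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")
README_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)", re.IGNORECASE)


class _GeneratorFinder(HTMLParser):
    """Collects the content attribute of the first <meta name="generator"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        # Attribute order does not matter; <meta ... /> also lands here.
        if tag == "meta" and self.generator is None:
            a = dict(attrs)
            if (a.get("name") or "").lower() == "generator":
                self.generator = a.get("content") or ""


def generator_version(page_html: str) -> Optional[str]:
    """Return the WordPress version the generator tag discloses, or None.

    None also covers a missing tag and an obscured tag whose content after
    'WordPress' is not a numeric version (for example 'WordPress abc').
    """
    finder = _GeneratorFinder()
    finder.feed(page_html)
    content = finder.generator
    if content is None:
        return None
    parts = content.strip().split(None, 1)
    if not parts or parts[0].lower() != "wordpress" or len(parts) == 1:
        return None
    candidate = parts[1].strip()
    return candidate if VERSION_RE.match(candidate) else None


def readme_version(readme_html: str) -> Optional[str]:
    """Return the version printed in a readme.html-style file, or None."""
    m = README_VERSION_RE.search(readme_html)
    return m.group(1) if m else None


def audit(page_html: str, readme_html: Optional[str] = None) -> List[str]:
    """Summarise version disclosure findings; readme_html is None if the
    file is not reachable, which is the desired state."""
    findings = []
    v = generator_version(page_html)
    if v:
        findings.append(f"generator meta tag discloses WordPress {v}")
    if readme_html is not None:
        rv = readme_version(readme_html)
        if rv:
            findings.append(f"readme.html is reachable and discloses WordPress {rv}")
    return findings


if __name__ == "__main__":
    for label, page in (("disclosing", PAGE_DISCLOSING), ("obscured", PAGE_OBSCURED), ("stripped", PAGE_STRIPPED)):
        print(label, generator_version(page))
    print(audit(PAGE_DISCLOSING, README_SAMPLE))
    print(audit(PAGE_OBSCURED))
```

Run it against the HTML of your own pages (and the response for /readme.html, if any) after applying the mitigation and again after each update, since an upgrade can restore the file. For the meta tag, WordPress emits it from the wp_generator function hooked to wp_head, so removing that action from a theme or plugin drops the tag without editing core; the audit above is the check that the change actually took effect.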

    mrmist

    (@mrmist)

    Forum Janitor

    Most hacks are drive-bys; they don’t check the version in advance of deploying the hack, so it’d make little difference.

  • The topic ‘readme.html is security hole’ is closed to new replies.