
readme.html is security hole

  • MECU
    Participant

    @mecu

    Having the file readme.html available on a website tells a would-be hacker exactly what version of WordPress is being used. If someone hasn’t updated, say, for example, is still on 3.0 and not 3.0.1, a hacker then knows immediately what vulnerabilities there are.

    You should delete this file. It could be changed into a readme.php file where the isAdmin() [or whatever it is] is checked, but this reduces visibility for off-line folks.

    This is the same reasoning why the version isn’t published on each webpage on a site.

  • Clayton James
    Participant

    @claytonjames

    “This is the same reasoning why the version isn’t published on each webpage on a site.”

    It is if you haven’t taken explicit measures to remove or obscure it. All you need to do is look at the source code of any page on any WordPress site, and there it is:

    <meta name="generator" content="WordPress 3.0.1" />

    By obscuring I mean something like:

    <meta name="generator" content="WordPress abc" />

    Rather than the version number.

    🙂
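The obscuring that Clayton James describes, done with WordPress’s own hooks, as an added example that is not code from this thread or from WordPress core. It assumes the file is dropped into wp-content/mu-plugins/ (assumed path) and uses the real filters the_generator, script_loader_src and style_loader_src; the ?ver= stripping at the end goes beyond the thread, since core leaks the same number on its script and stylesheet URLs.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not from the thread)
 *
 * Intended for wp-content/mu-plugins/ (assumed path) so it loads before
 * themes. It reduces passive version disclosure only; it is no substitute
 * for keeping core updated.
 */

// get_the_generator() passes every generator string through 'the_generator'
// with its output type, so one filter covers the <head> meta tag as well as
// the RSS/Atom/RDF feed elements that also carry the version.
function mecu_example_strip_generator_version( $gen, $type ) {
    switch ( $type ) {
        case 'html':
            return '<meta name="generator" content="WordPress">';
        case 'xhtml':
            return '<meta name="generator" content="WordPress" />';
        case 'atom':
            return '<generator uri="https://wordpress.org/">WordPress</generator>';
        case 'rss2':
            return '<generator>https://wordpress.org/</generator>';
        case 'rdf':
            return '<admin:generatorAgent rdf:resource="https://wordpress.org/" />';
        default:
            // 'comment' and 'export' types: emit nothing rather than a version.
            return '';
    }
}
add_filter( 'the_generator', 'mecu_example_strip_generator_version', 10, 2 );

// Beyond the thread: core appends ?ver=<WordPress version> to its own
// scripts and stylesheets. Dropping the argument removes that copy of the
// number. Caveat: this also removes theme/plugin cache-busting versions,
// so clear any page cache after deploying.
function mecu_example_strip_ver_query_arg( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'mecu_example_strip_ver_query_arg' );
add_filter( 'style_loader_src', 'mecu_example_strip_ver_query_arg' );
```

readme.html is a static file that the web server serves without ever running PHP, so this plugin cannot hide it; delete the file or deny it in the web server configuration, as the original poster suggests.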

  • mrmist
    Forum Janitor

    @mrmist

    Most hacks are drive-bys; they don’t check the version in advance of deploying the hack. So it’d make little difference.
