Wordfence’s renaming /readme.html to a random filename seems extremely poor on several counts:
/readme.html is a core WordPress file shipped with every release and Wordfence is tampering with that despite the fact that every third-party WordPress developer is told to never modify/rename/delete core WordPress files!
The default behaviour of the /readme.html renaming has dubiously changed between recent releases – it used to be an option the end-user had to turn on, but it has silently been changed to be enabled by default in the latest release.
If you are concerned about version leakage (e.g. the latest /readme.html contains the 4.3.1 version string), then ask the WordPress maintainers to remove that version string, which is the correct way to fix this, not to rename a core file randomly!
The WP-CLI tool has the command “wp core verify-checksums” – Wordfence’s renaming of /readme.html now breaks that useful security-checking command because /readme.html is part of WP’s checksumming. Yep, a security plugin breaks a core WP security feature – well done.
If all of that wasn’t bad enough, Wordfence has a horrendous multi-version leak of its own, far worse than /readme.html. Yep, go here on Wordfence’s own product site:
Every Wordfence install on the net leaks this readme.txt with far more version-related info than /readme.html!
Can I please request that you remove this ludicrous /readme.html renaming and ask the WP devs to take the version number out of the file upstream instead. This is the only sensible course if you’re concerned about the correct way to secure that file.
- The topic ‘Renaming /readme.html is extremely poor behaviour’ is closed to new replies.
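The checksum breakage the post describes, as an added example that is not part of the original thread and is not WP-CLI's or Wordfence's code. The script mimics what `wp core verify-checksums` does: it compares every core file on disk against a manifest in the shape of the WordPress checksums API response (`{"checksums": {relative_path: md5hex}}`), then simulates renaming `readme.html` to a random name and re-runs the check. The "core files", their contents and the manifest are constructed placeholders built inline so the example runs offline; the real tool fetches the manifest for the installed version from api.wordpress.org, and the exact scoping of its "file should not exist" check is not reproduced here (this version simply reports any file the manifest does not list).

```python
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Constructed placeholder "core" files (NOT real WordPress content). The
# manifest below is computed from these, so the example is self-contained.
CORE_FILES = {
    "readme.html": "<html>placeholder readme (constructed)</html>\n",
    "wp-login.php": "<?php // placeholder core file (constructed)\n",
    "wp-includes/version.php": "<?php $wp_version = '0.0.0'; // placeholder\n",
}


def md5_of(path):
    """MD5 of a file, streamed; the checksums API publishes MD5 digests."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files):
    """Build a manifest shaped like the WordPress checksums API response."""
    return {"checksums": {rel: hashlib.md5(content.encode()).hexdigest()
                          for rel, content in files.items()}}


def write_core(root, files):
    """Lay out the placeholder install under `root`."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content.encode())


def verify_checksums(root, manifest):
    """Core-file integrity check in the spirit of `wp core verify-checksums`.

    Every listed file must exist with the listed MD5. Any file on disk that
    the manifest does not list is reported as unexpected (simplification:
    a real install has legitimate unlisted files such as wp-config.php and
    wp-content/, which a production checker must exclude).
    Returns {"missing": [...], "mismatched": [...], "unexpected": [...]};
    all three empty means the install verifies clean.
    """
    root = Path(root)
    expected = manifest["checksums"]
    missing, mismatched, unexpected = [], [], []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_of(p) != digest:
            mismatched.append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected:
                unexpected.append(rel)
    return {"missing": sorted(missing),
            "mismatched": sorted(mismatched),
            "unexpected": sorted(unexpected)}


def demo_rename():
    """Verify a clean install, then simulate the plugin renaming readme.html
    to a random filename and verify again. Returns (clean, after, newname)."""
    with tempfile.TemporaryDirectory() as root:
        write_core(root, CORE_FILES)
        manifest = build_manifest(CORE_FILES)
        clean = verify_checksums(root, manifest)
        # The rename a "security" plugin performs: readme.html -> readme-<random>.html
        new_name = "readme-" + secrets.token_hex(4) + ".html"
        os.rename(os.path.join(root, "readme.html"), os.path.join(root, new_name))
        after = verify_checksums(root, manifest)
        return clean, after, new_name


if __name__ == "__main__":
    clean, after, new_name = demo_rename()
    print("clean install:", clean)
    print("after rename to", new_name, ":", after)
```

The second run reports `readme.html` as missing and the randomly named file as unexpected, which is exactly why the renaming turns a routine integrity check into a permanent false alarm: an admin who tolerates those two warnings has no way left to tell the plugin's rename apart from an attacker who replaced or removed a core file. Removing the version string upstream, by contrast, changes `readme.html` for everyone at once and the published manifest changes with it, so the check keeps working.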