Support » Plugin: Wordfence Security » Renaming /readme.html is extremely poor behaviour

  • Resolved rklrkl

    (@rklrkl)


    Wordfence’s renaming /readme.html to a random filename seems extremely poor on several counts:

    /readme.html is a core WordPress file shipped with every release and Wordfence is tampering with that despite the fact that every third-party WordPress developer is told to never modify/rename/delete core WordPress files!

    The default behaviour of the /readme.html renaming has dubiously changed between recent releases – it used to be an option the end-user had to turn on, but it has silently been changed to be enabled by default in the latest release.

    If you are concerned about version leakage (e.g. the latest /readme.html contains the 4.3.1 version string), then ask the WordPress maintainers to remove that version string, which is the correct way to fix this, not to rename a core file randomly!

    The WP-CLI tool has the command “wp core verify-checksums” – Wordfence’s renaming of /readme.html now breaks that useful security-checking command because /readme.html is part of WP’s checksumming. Yep, a security plugin breaks a core WP security feature – well done.

    If all of that wasn’t bad enough, Wordfence has a horrendous multi-version leak of its own, far worse than /readme.html. Yep, go here on Wordfence’s own product site:

    https://www.wordfence.com/wp-content/plugins/wordfence/readme.txt

    Every Wordfence install on the net leaks this readme.txt with far more version-related info than /readme.html !

    Can I please request that you remove this ludicrous /readme.html renaming and ask the WP devs to take the version number out of the file upstream instead. This is the only sensible course if you’re concerned about the correct way to secure that file.

    https://wordpress.org/plugins/wordfence/

Viewing 13 replies - 16 through 28 (of 28 total)
  • Hmmmm, I’ve been renaming and deleting them for years and never had a problem… but thanks for the heads up.

    Where do I disable it? I can’t find it.

    FWIW, the renamed readme.yadayadayada.html file caused my upgrade to 4.6 to fail. Only after I changed it back to readme.html would it work.

    Plugin Support wfasa

    (@wfasa)

    Just adding to this thread for posterity that as of Wordfence 6.2.1 the option to hide the WordPress version is disabled by default. For already existing installs, if you don’t want your readme.html renamed, visit the Wordfence “Options” page and disable the setting “Hide WordPress version”. Doing this renames your file back to readme.html.

    This example by @janwoostendorp is great. Please, please @mmaunder add this filter so that developers can disable the feature no matter how many times users try to select it.

    Plugin Support wfasa

    (@wfasa)

    Hi Otto,
    thanks for the feature request. I just want to ask a follow-up question. If you have clients who try to mess with settings they don’t know how to use, wouldn’t it make more sense for them to only have editor privileges? I have thought about this myself in the past as I have had similar issues. If there is a web master, nobody else really needs to be admin. What do you think?

    The example by @janwoostendorp is great. It will help smart developers to protect site settings from being messed up by less smart developers. It is a great suggestion and a good compromise if you don’t agree on completely removing the readme.html renaming in the first place.

    We are not interested in a workaround, we already have plenty of them, but we wish the author to provide us with the final fix.

    Plugin Support wfasa

    (@wfasa)

    Hi again Otto,
    we may remove the feature completely at some point. I see that as more likely than adding more ways to disable it. I was just curious in what kind of scenario a user is qualified to change all other options in Wordfence except this one.

    Users are often qualified to install plugins, edit the theme etc but we don’t trust all admin users to correctly configure plugins that contain “bad” options.

    Plugin Support wfasa

    (@wfasa)

    Ok, thanks. The reason we have kept it is of course that some users think it’s a good feature, but your feedback has been noted and as I said we may very well choose to remove it in the future. Take care and good luck with your sites for now!

    Ov3rfly

    (@ov3rfly)

    Sidenote: the renaming described above does not work anyway for non-English versions of this file, e.g. /liesmich.txt in the German release is not renamed.

    Plugin Support wfasa

    (@wfasa)

    Hi ov3rfly,
    That would be correct. The language specific versions do include a readme.html though and I am assuming that one (not the language specific one) would be used for updates via CLI etc. The language specific readme only seems to be added to some language specific releases. For example, in the Swedish release there is only readme.html.

    I guess this is still unresolved. If somebody wants to automate negating the stupid option, and in effect prevent any user from selecting it, put this in your cron:

    wp db query "UPDATE wp_wfConfig SET val=0 WHERE name='other_hideWPVersion';"
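    The cron query above turns the option off in the database, but a readme.html that has already been renamed stays renamed, and as noted earlier in the thread “wp core verify-checksums” then reports it as missing. The following helper is an added example, not code from the thread or from Wordfence: it finds a readme.<random>.html left behind by the option (the suffix pattern is assumed from the “readme.yadayadayada.html” description above), moves it back, and re-runs the checksum verification. Paths and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Wordfence). Restores a
# readme.html that the "Hide WordPress version" option renamed to
# readme.<random>.html, then re-runs WP-CLI's core checksum check so the
# file no longer shows up as missing. The random-suffix pattern is an
# assumption based on the thread's "readme.yadayadayada.html" description.

# Print every renamed readme candidate in the WordPress root ($1), one per line.
find_renamed_readme() {
    wp_root="$1"
    for f in "$wp_root"/readme.*.html; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Move the renamed copy back to readme.html.
# Exit status: 0 restored, 1 nothing to do (original present or no candidate),
# 2 ambiguous (more than one candidate; left untouched for a human to inspect).
restore_readme() {
    wp_root="$1"
    [ -e "$wp_root/readme.html" ] && return 1
    candidate=""
    count=0
    for f in "$wp_root"/readme.*.html; do
        [ -e "$f" ] || continue
        candidate="$f"
        count=$((count + 1))
    done
    [ "$count" -eq 0 ] && return 1
    [ "$count" -gt 1 ] && return 2
    mv -- "$candidate" "$wp_root/readme.html"
}

# Re-run the core checksum verification if WP-CLI is installed (--path is a
# standard WP-CLI global parameter; it points at the WordPress root).
verify_core() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; skipping" >&2; return 0; }
    wp core verify-checksums --path="$1"
}

# Usage: sh restore_readme.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    restore_readme "$1"
    verify_core "$1"
fi
```

Run it after the cron query has disabled the option; otherwise Wordfence may simply rename the file again on its next scan.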

  • The topic ‘Renaming /readme.html is extremely poor behaviour’ is closed to new replies.