Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php

Just a quick question that might help a tad bit with security. I noticed that the readme.html file has the version number listed. It reappears after each upgrade, and so do license.txt and wp-config-sample.php.

Is there an easy way to have WordPress auto-remove these files after an upgrade?


I already block the version number from showing in the meta tags, rss feeds, atom, etc.

I know this type of security isn’t exactly all that helpful, but I just thought it might be a tiny start. I heard that people can simply check the version of jQuery that is included in wp-includes and cross-reference which version of WP shipped it.


3 comments

  1. You don’t really need to remove these files. It’s much easier to just block access to them. If you are using pretty URLs you already have an .htaccess file. Using .htaccess to block the files is secure and you only have to add a directive once.

    Blocking files is done by adding a directive to .htaccess like this:

        <files filename.file-extension>
             order allow,deny
             deny from all
        </files>
    

    So, to block readme.html you do this:

        <files readme.html>
             order allow,deny
             deny from all
        </files>
    

    Do the same with the license file or any other file you want to prevent anyone from accessing. Just open .htaccess in Notepad or any other basic text editor, add the directives and save, making sure that the text editor keeps the file name exactly – without any .txt on the end.

  2. Here is my take:

    RewriteRule (?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|html?) - [R=404,NC,L]
    
    • 404 (not existing) rather than 403 (forbidden) to avoid any clue about existence.
    • also in subfolders (i.e. themes and plugins, which might offer attack opportunities)
    • case-insensitive, extension-flexible, also catches README.html, or license.html (feel free to add typical suspects like changelogs|faq|contributing)

    Personally, I would also block:

    RewriteRule \.(?:psd|log|cmd|exe|bat|c?sh)$ - [NC,F]
    

    NB:

    • ‘?:’ just declares the bracket to be non-matching (no importance).
    • requires RewriteEngine to be on (it most likely is; it would be rare to use WordPress without it (ugly permalinks, etc.)).
    • insert before the # BEGIN WordPress section in your .htaccess
  3. add_action('core_upgrade_preamble','my_function_to_delete_files');
    

    Edit: you can also try these

    add_action('upgrader_pre_install','my_function_to_delete_files');
    add_action('upgrader_post_install','my_function_to_delete_files');
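A worked version of the hook approach from this comment, as an added example that is not from the original thread: a must-use plugin (drop it in wp-content/mu-plugins/) that deletes the three files the question names once a core update has finished. It assumes the core action upgrader_process_complete (not mentioned in the thread) and the hypothetical function name example_remove_disclosing_files; paths are built from WordPress's ABSPATH constant.

```php
<?php
/*
Plugin Name: Remove version-disclosing files (added example)
Description: Deletes readme.html, license.txt and wp-config-sample.php after a core update.
*/

// Hypothetical function name. The hook below is the core action WordPress fires
// after any upgrade completes (assumption: upgrader_process_complete, not from the thread).
function example_remove_disclosing_files( $upgrader = null, $hook_extra = array() ) {
    // Only core updates recreate these files; ignore plugin/theme/translation upgrades.
    if ( ! isset( $hook_extra['type'] ) || 'core' !== $hook_extra['type'] ) {
        return;
    }

    // File names taken from the question; all live directly under the WordPress root.
    $files = array( 'readme.html', 'license.txt', 'wp-config-sample.php' );

    foreach ( $files as $file ) {
        $path = ABSPATH . $file;

        // Skip anything that is not a plain, writable file (e.g. a symlink pointing elsewhere).
        if ( ! is_file( $path ) || is_link( $path ) || ! is_writable( $path ) ) {
            continue;
        }

        // Log failures so a silent permission problem does not go unnoticed.
        if ( ! unlink( $path ) ) {
            error_log( 'example_remove_disclosing_files: could not delete ' . $path );
        }
    }
}
add_action( 'upgrader_process_complete', 'example_remove_disclosing_files', 10, 2 );
```

Because the files are recreated on every core update, this complements rather than replaces the .htaccess rules in the earlier comments, which also cover the window between the update writing the files and the hook removing them.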