WordPress readme.html file
Description
The WordPress installation contains a publicly accessible readme.html file in the root directory. This file typically includes version information, installation instructions, and system requirements that can help attackers identify the specific WordPress version in use and plan targeted attacks against known vulnerabilities in that version.
Remediation
Remove the readme.html file from the WordPress root directory to prevent information leakage. This can be accomplished through the following methods:
1. Via command line (SSH/terminal access):
rm /path/to/wordpress/readme.html
2. Via FTP/SFTP: Connect to your server and delete the readme.html file from the WordPress installation directory.
3. Alternatively, restrict access using .htaccess (Apache) by adding the following to your WordPress root .htaccess file:
<Files readme.html>
Order allow,deny
Deny from all
</Files>
After removal or restriction, verify the file is no longer accessible by attempting to access https://yourdomain.com/readme.html in a web browser. Note that WordPress updates may restore this file, so include this check in your regular security maintenance procedures.
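The remediation steps and the verification check above, as an added example that is not part of the original finding. It assumes a POSIX shell, curl, and an Apache-served WordPress install; WP_ROOT and SITE_URL are placeholder assumptions to be set for the target site. The .htaccess block it writes adds the Apache 2.4 native directive (Require all denied) alongside the Order/Deny form quoted above, which Apache 2.4 only honours when mod_access_compat is loaded; the IfModule guards select whichever the server supports. Run it with no arguments to do nothing, with "apply" to remove the file and write the block, and with "check" to fetch the status code of /readme.html.

```shell
#!/bin/sh
# Added example (not from the original finding). Paths and URL are assumptions.
WP_ROOT="${WP_ROOT:-/var/www/html}"              # assumed WordPress root
SITE_URL="${SITE_URL:-https://yourdomain.com}"   # assumed public site URL

# Delete readme.html from the WordPress root if it is present.
remove_readme() {
    root="$1"
    if [ -f "$root/readme.html" ]; then
        rm -f "$root/readme.html"
        echo "removed $root/readme.html"
    else
        echo "no readme.html in $root"
    fi
}

# Append an access-control block for readme.html to .htaccess, once only.
# Apache 2.4 reads "Require all denied" (mod_authz_core); the Order/Deny
# pair is the 2.2 form and only works on 2.4 with mod_access_compat.
write_readme_block() {
    htaccess="$1"
    if [ -f "$htaccess" ] && grep -q '<Files readme.html>' "$htaccess"; then
        echo "block already present in $htaccess"
        return 0
    fi
    cat >> "$htaccess" <<'EOF'
<Files readme.html>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
    echo "wrote block to $htaccess"
}

# Map the HTTP status of /readme.html to a verdict so the check is scriptable.
classify_status() {
    case "$1" in
        200)         echo exposed ;;
        403|404|410) echo blocked ;;
        3*)          echo redirect ;;
        *)           echo unknown ;;
    esac
}

# Fetch only the final status code (redirects followed, body discarded).
# Returns 0 when the file is blocked, 1 otherwise, for use in maintenance jobs.
check_readme() {
    code=$(curl -sL -o /dev/null -w '%{http_code}' "$1/readme.html")
    verdict=$(classify_status "$code")
    echo "$1/readme.html -> HTTP $code ($verdict)"
    [ "$verdict" = "blocked" ]
}

case "${1:-}" in
    apply) remove_readme "$WP_ROOT"; write_readme_block "$WP_ROOT/.htaccess" ;;
    check) check_readme "$SITE_URL" ;;
esac
```

Because core updates reinstate readme.html, the "check" mode is the part worth scheduling: a non-zero exit from check_readme after each update signals that the file is back.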