WordPress readme.html exposed

The readme.html file at the root of your WordPress installation is publicly accessible. It contains the exact installed WordPress version.

Why it matters

Knowing the version allows an attacker to target version-specific vulnerabilities and automate exploits.

How to fix

  1. Delete the file

    bash
    # Over SSH (or delete the file with your FTP client); replace the path with your site's document root
    rm /var/www/votresite/readme.html
  2. Block access without deleting

    apache
    # Apache 2.4+; on Apache 2.2 use "Order allow,deny" and "Deny from all" instead
    <Files "readme.html">
      Require all denied
    </Files>
  3. Note: the file returns after WordPress updates

    WordPress recreates readme.html with each major update. Add its deletion to a hook or use a hardening plugin like iThemes Security.
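
One way to automate the deletion, as an added example that is not part of the original page: a shell function assumed to run from cron or a post-update deploy step (the page only says "a hook"). It removes readme.html only when the directory looks like a WordPress root and the file is the WordPress readme; the function name and return codes are illustrative.

```bash
#!/bin/sh
# Added example (not from the original page): re-delete readme.html after a
# WordPress update puts it back. Assumed to run from cron or a deploy step.
#
# remove_wp_readme ROOT   (hypothetical helper name)
# Returns: 0 removed, 1 nothing to remove, 2 ROOT is not a WordPress root,
#          3 readme.html left alone (symlink or not the WordPress readme),
#          4 delete failed.
remove_wp_readme() {
    root=$1
    readme="$root/readme.html"

    # Only act in a directory that looks like a WordPress root.
    if [ ! -f "$root/wp-includes/version.php" ] || [ ! -f "$root/wp-login.php" ]; then
        return 2
    fi

    # Nothing to do if the file has not come back.
    if [ ! -e "$readme" ] && [ ! -L "$readme" ]; then
        return 1
    fi

    # Never follow a symlink, and never delete an unrelated readme.html.
    if [ -L "$readme" ] || [ ! -f "$readme" ]; then
        return 3
    fi
    if ! grep -qi 'wordpress' "$readme"; then
        return 3
    fi

    rm -f -- "$readme" || return 4
    return 0
}

# Usage: script.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
    rc=0
    remove_wp_readme "$root" || rc=$?
    case $rc in
        0) echo "$root: readme.html removed" ;;
        1) echo "$root: readme.html already absent" ;;
        2) echo "$root: not a WordPress root, skipped" >&2 ;;
        *) echo "$root: readme.html not removed (code $rc)" >&2 ;;
    esac
done
```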
