WordPress Security Tip: Delete ReadMe after Installation

Finally, we upload the final touch-ups to the website and make the site go live. Before releasing myself from the project, I go over the usual routine for every site developed by our studio, or special request from clients. The routine is a security enhancement. One of these security enhancement, it to delete unwanted & unnecessary files.

Beside the inactive plugins, themes, the unwanted files I will delete are ReadMe files. Because other than WordPress and plugins version number (maybe some instructions for developer), these files are laying there doing nothing but releasing important information to visitors (including hackers). If you don’t believe me, you can try one of following links:

  • yourdomain/readme.html
  • yourdomain/wp-content/plugins/akismet/readme.txt
  • yourdomain/wp-content/plugins/jetpack/readme.txt
  • etc

You get the idea. These files contains sensitive information disclosure which may be used to against your WordPress website by hackers. Especially when your WordPress including themes & plugins are not regularly updated. Software version can be used to search for publicly known vulnerabilities.

To delete these files, I simply using Linux command in Terminal window like this:

$ sudo “path-to-root” -find readme* -exec rm -f {} \;

(“path-to-root” is the path to your website root directory. By default, you should be at the default root directory after login, and you can leave “path-to-root” blank in this case).

If you access hosting server through FTP client, some of them have Search function which helps you looking for specific files through all directory hierarchy. For example, here is a screenshot of FileZilla Remote file Search.

FileZilla-Remote-File-Search

Please be advised that this is not one time deal. Every time updating WordPress or plugins can bring these ReadMes back again. We need to re-apply this security tip. Or you can check out WordPress Security Tip: Lock Down File Access

There are other files you may consider to clean up:

  • yourdomain/license.txt
  • yourdomain/wp-config.sample.php
  • yourdomain/wp-admin/install.php
  • yourdomain/wp-admin/upgrade.php

The basic principle: If the file is NOT required, then it should NOT be there.