fbpx

When an attacker arrives at your url (or a scripted bot, for that matter) one of the things it will look to discover is exploitable code

One of the methods of discovering this is to check paths for possible plugins, and have a look for a readme.txt (or similar) in order to discover the version number of the plugin/theme/code.

Once discovered, they will look to see if this version of the plugin/theme/code is exploitable..if it is; the games begin.

While recently looking through one of our servers which hosts a number of WordPress installations, we discovered 340 files matching the basic expression of readme*!!

$ sudo find /var/www/html -type f -iname "readme*" | wc -l
n340

So, what does this mean?

This means that there are 340 opportunities to discover the version number of a given file, plugin, theme or piece of code. In fact, in our example..every single one of those files had a string matching “version” in them!

You can see from this, that it’s pretty undesirable to have these files in existence on the filesystem, ready to be looked at from a web browser.

In fact, you can test this idea by visiting http://{your_url}/readme.html …do you see your WordPress version number in the readme?  What if this was an exploitable version? Rhetorical questions of course..we know what would happen if it was an exploitable version (and what might happen shortly afterwards).

So, what to do?

In my case at least (and if you find an edge case, please feel free to comment..and we’ll come up with a solution/workaround) I simply do not want these files in the filesystem. I do not want would-be hackers/bots discovering the version numbers of the code in use on my website. Of course, we look to protect the webroot in other ways, but if we can try to stop the attempt in the first place..then our security systems aren’t tested!

So, for me..I did (and yes, really do back up your files before proceeding!)

sudo find /var/www/html/yoursite/ -type f -iname "readme*" -exec rm -v {} ;

a few moments later, any file matching readme* will be removed from the webroot. Make sure you test your site thoroughly after running the above command..any problems restore from the backup you took(!!) and post a comment below.

Hope this is helpful!

Worried about maintaining your website? Get in touch with XRF Digital we have maintenance packages to suit all budgets!

Let's Talk Start Now