[wp-hackers] Ever a valid reason to access a plugin's readme.txt?
Dion Hulse (dd32)
wordpress at dd32.id.au
Mon Jun 18 16:20:28 UTC 2012
There's no reason why a Plugin would need HTTP access to a readme, or
not one I can think of at least.
Some plugins are known to dynamically load data from their readmes to
display in the admin panel, however (e.g., changelog).
I'd just add a .htaccess rule to deny access to any readme.txt files if
you don't want people looking in there.
On 18 June 2012 12:16, Michael Clark
<dc153464a11bcf5aeb18180db28017fb.wp-hackers at planetmike.com> wrote:
> Is there ever a valid reason for an end-user (anyone in the world) to
> directly access a plugin's readme.txt? As recently as a month ago crackers
> would scan my WordPress sites for insecure plugins by simply requesting the
> plugin file name (e.g.
> http://example.com/wp-content/plugins/whatever/whatever.php ). These were
> easily blocked with a handful of .htaccess rules. Last night the crackers
> started looking for readme.txt files of plugins (
> http://example.com/wp-content/plugins/whatever/readme.txt ). Can I safely
> remove the readme.txt files of my installed plugins? Then I can easily block
> any requests of readme.txt.
> Mike
> Michael Clark
> "Injustice anywhere is a threat to justice everywhere."
> - Martin Luther King Jr.
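The kind of .htaccess rule suggested in the reply, written out as an added example (not part of the original thread). It assumes the file is placed in wp-content/plugins/ or the site root and that the server's AllowOverride setting permits access-control directives in .htaccess.

```apache
# Added example: refuse HTTP requests for any plugin readme.txt.
# The match is on the file name only, case-insensitive, so it applies
# in this directory and every directory below it.
<FilesMatch "(?i)^readme\.txt$">
    # Apache 2.4 and later (mod_authz_core is loaded)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier (no mod_authz_core)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# This only blocks requests that arrive over HTTP. PHP code that reads
# readme.txt from disk (for example to show a changelog in the admin
# panel) is not affected, so the files can stay in place.
```

Matching requests receive a 403 response, which gives a single pattern to look for in the access log when reviewing scans for plugin readme files.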