• Resolved wpandlpuser

    (@wpandlpuser)


    Hi Woo team,

    I was browsing my website analytics and recognized that a few times the following file was opened by website visitors:

    /wp-content/plugins/woocommerce-payments/readme.txt

    This page is readable for any website visitors, and it contains general information, such as the version numbering (e.g. 10.6).

    I am afraid that this file was accessed to map vulnerabilities of my website, as a general visitor would not even know that this file exists.

    Are there any risks to deleting this file? Is WordPress using this file to read the version numbering or for any other purposes?

    Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Frank Remmy (woo-hc)

    (@frankremmy)

    Hi @wpandlpuser,

    Great security awareness! You’re right that readme.txt files expose version information that can be used by bots to fingerprint plugin versions and look up known vulnerabilities.

    That said, deleting the file isn’t the recommended approach. Every time WooPayments updates, the file gets automatically restored. You’d need to re-delete it after every update.

    The good news is that WooPayments (and WordPress in general) does not use readme.txt for any functional purpose. So blocking public access to it won’t break anything.

    The better solution is to block browser access to it via your server configuration. If you’re on Apache or LiteSpeed, you can add this to your .htaccess file:

    <Files "readme.txt">
      # Apache 2.2 access syntax (also accepted by LiteSpeed); on Apache 2.4 this
      # only works with mod_access_compat loaded, otherwise use "Require all denied"
      Order Allow,Deny
      Deny from all
    </Files>

    Or to block all readme.txt files across all plugins at once:

    <FilesMatch "^readme\.txt$">
      # Matches the bare filename in every directory, so it covers all plugins;
      # Apache 2.2 syntax, on Apache 2.4 use "Require all denied" instead
      Order Allow,Deny
      Deny from all
    </FilesMatch>

    This will return a 403 Forbidden for anyone trying to access those files directly, and it survives plugin updates since you’re not modifying the file itself.

    Beyond that, the most effective protection against version-based attacks is simply keeping WooPayments and all plugins up to date. That way even if someone knows your version, any known vulnerabilities in it are already patched.

    I hope that helps. Let us know if you need anything else.

    Thread Starter wpandlpuser

    (@wpandlpuser)

    Hi @frankremmy,

    Thank you very much for coming back to me and giving such detailed feedback.
    Interesting that there is not much documentation about this on the internet.
    Hopefully anyone who searches for this topic will find what I added to the .htaccess:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # REQUEST_URI is matched from the site root, so adjust the prefix if
    # WordPress lives in a subdirectory; [F] returns 403, [L] stops processing
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/.*/readme\.txt$ [NC]
    RewriteRule .* - [F,L]
    </IfModule>

    This even blocks the access for the logged in admin user, but WordPress seems to use the files still:

    https://developer.ww.wp.xz.cn/plugins/wordpress-org/how-your-readme-txt-works/

    Thanks!
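
After adding either of the .htaccess rules above (the <Files>/<FilesMatch> block from the first reply or the mod_rewrite rule from the second post), a site owner will want to confirm that every plugin's readme.txt now returns 403 and no longer discloses a version. The following script is an added example, not code from the thread or from the WooPayments project. It requests /wp-content/plugins/<slug>/readme.txt for a list of plugin slugs and reports the HTTP status and any version fields a fingerprinting bot would read (Stable tag, Tested up to, Requires at least). The fetcher is injectable so the logic runs offline here against constructed sample responses; the base URL https://example.com, the plugin slugs, the response bodies and the User-Agent string are all assumptions for the demo.

```python
"""Verify that WordPress plugin readme.txt files are not publicly readable.

Added example (not code from the WooPayments team or the forum thread).
It runs the check a site owner would do after adding the .htaccess rule:
fetch each plugin's readme.txt and report whether it is reachable and
which version fields it discloses. The fetcher is injectable so the
logic can be exercised offline; SAMPLE_RESPONSES below is constructed.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher returns (http_status, body_text) for a URL.
Fetcher = Callable[[str], Tuple[int, str]]

# Header fields of the wordpress.org readme format that leak version info.
_FIELD_RE = re.compile(r"^(Stable tag|Tested up to|Requires at least)\s*:\s*(\S+)", re.I)


def parse_readme_header(body: str) -> Dict[str, str]:
    """Extract version-bearing 'Key: value' lines from the top of a readme.txt."""
    found: Dict[str, str] = {}
    for line in body.splitlines()[:40]:  # the header block sits at the top
        m = _FIELD_RE.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def readme_url(base_url: str, slug: str) -> str:
    return f"{base_url.rstrip('/')}/wp-content/plugins/{slug}/readme.txt"


def audit_plugins(base_url: str, slugs: List[str], fetch: Fetcher) -> Dict[str, dict]:
    """Return {slug: {"status": int, "exposed": bool, "versions": {...}}}."""
    report: Dict[str, dict] = {}
    for slug in slugs:
        status, body = fetch(readme_url(base_url, slug))
        # 403 (blocked) or 404 (absent) is what we want; 200 means world-readable.
        exposed = status == 200
        report[slug] = {
            "status": status,
            "exposed": exposed,
            "versions": parse_readme_header(body) if exposed else {},
        }
    return report


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Live fetcher for real use (not exercised by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "readme-audit/1.0"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


# Constructed sample responses standing in for a live site: one plugin still
# exposed, one blocked by the .htaccess rule, one with no readme at all.
SAMPLE_RESPONSES = {
    "https://example.com/wp-content/plugins/woocommerce-payments/readme.txt": (
        200,
        "=== WooPayments ===\n"
        "Contributors: automattic\n"
        "Requires at least: 6.0\n"
        "Tested up to: 6.7\n"
        "Stable tag: 10.6\n"  # version number chosen to match the thread
        "License: GPLv2\n",
    ),
    "https://example.com/wp-content/plugins/woocommerce/readme.txt": (403, ""),
    "https://example.com/wp-content/plugins/akismet/readme.txt": (404, ""),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))


def run_demo() -> Dict[str, dict]:
    slugs = ["woocommerce-payments", "woocommerce", "akismet"]
    return audit_plugins("https://example.com", slugs, sample_fetch)


if __name__ == "__main__":
    for slug, info in run_demo().items():
        flag = "EXPOSED" if info["exposed"] else "blocked"
        print(f"{slug:24} HTTP {info['status']}  {flag}  {info['versions']}")
```

To run it against a real site, replace sample_fetch with http_fetch and the slug list with the directory names under wp-content/plugins/. Any plugin reported as EXPOSED still leaks its Stable tag after the .htaccess change, which usually means the rule is in the wrong directory or the prefix in the RewriteCond does not match the real install path.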

    Plugin Support Frank Remmy (woo-hc)

    (@frankremmy)

    Hi @wpandlpuser,

    Thanks so much for sharing your solution here. It’s always incredibly helpful when folks circle back with what worked for them. This kind of information makes a real difference for anyone who might run into the same situation down the road.

    If you’ve found WooPayments helpful, we’d really appreciate a quick review when you have a moment:
    https://ww.wp.xz.cn/support/plugin/woocommerce-payments/reviews/

    Thanks again for contributing to the community and helping others.
