
Sensitive Files Publicly Accessible
WordPress ships with files that reveal your site version. Learn how to block public access in minutes.
What is this?
WordPress ships with several files that were never meant to be publicly readable: readme.html, license.txt and wp-config-sample.php in your site's root folder, and install.php under wp-admin/. They are readable by anyone who types the URL, no login required. The readme.html file, for example, states the WordPress version in plain text near the top of the page.
Why does it matter?
These files give attackers a reliable way to confirm you're running WordPress and to find out exactly which version. Combined with other signals such as the generator tag, they make it easy to fingerprint your site and match it against known vulnerabilities for that version. The fix is permanent (a block in .htaccess survives core updates), takes under two minutes, and has no effect on how your site works for real visitors.
How to fix it
These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.
Log in to cPanel → File Manager → navigate to public_html.
Open (or create) .htaccess and add this block:
<FilesMatch "^(readme\.html|license\.txt|wp-config-sample\.php|install\.php)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
Note: Apache 2.4 uses Require all denied; the Order/Deny pair is the Apache 2.2 syntax, so the IfModule wrapper keeps the block working on either. Because .htaccess rules also apply to subfolders, the same block covers wp-admin/install.php. Place it outside the "# BEGIN WordPress ... # END WordPress" section, which WordPress rewrites when permalinks are saved. Don't delete the files themselves: WordPress recreates them on every update, so blocking is the permanent solution.
Save.
For developers / SSH access
Edit .htaccess in your site root:
nano /var/www/html/.htaccess
Add the same FilesMatch block:
<FilesMatch "^(readme\.html|license\.txt|wp-config-sample\.php|install\.php)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
Note: No server restart needed: Apache reads .htaccess on every request, so changes take effect immediately. This assumes the host permits overrides (AllowOverride) for the document root; if the block has no effect, or the server is Nginx, which ignores .htaccess entirely, the rule must go in the main server configuration instead.
How to verify the fix
Try visiting your-site.com/readme.html in a browser: you should get a 403 Forbidden response. Check license.txt, wp-config-sample.php and wp-admin/install.php the same way. Then re-run your scan.
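The same check from the command line, as an added example that is not part of the original page. It assumes curl is installed, takes the site's base URL as its first argument (the name check_wp_files.sh is assumed), and requests the four files named above, treating 403 as blocked, 404 as absent, and 200 as still exposed. Redirects are deliberately not followed, so a 301 to HTTPS shows up as "unexpected" rather than masking the real answer.

```shell
#!/bin/sh
# Added example, not from the original page: confirm the FilesMatch rule
# really blocks each sensitive file. Usage: sh check_wp_files.sh https://your-site.com
# Assumes curl is available; the four paths are the ones the page lists
# (install.php lives under wp-admin/ in a standard install).

# Turn an HTTP status code for one of the blocked files into a verdict.
# 403 = rule works, 404 = file not present, 200 = still publicly readable,
# anything else (e.g. a 301/302 redirect) needs a manual look.
classify_status() {
  case "$1" in
    403) echo "blocked" ;;
    404) echo "missing" ;;
    200) echo "EXPOSED" ;;
    *)   echo "unexpected($1)" ;;
  esac
}

# Fetch only the status code for a URL; no -L, so redirects are reported,
# and a 10 s ceiling keeps a hung host from stalling the whole run.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Check every sensitive path under the given base URL.
# Returns 0 when none of them is readable, 1 if any returned 200.
check_site() {
  site="${1%/}"   # strip a trailing slash so paths join cleanly
  rc=0
  for path in readme.html license.txt wp-config-sample.php wp-admin/install.php; do
    code=$(http_status "$site/$path")
    verdict=$(classify_status "$code")
    printf '%-24s %s  %s\n' "$path" "$code" "$verdict"
    if [ "$verdict" = "EXPOSED" ]; then rc=1; fi
  done
  return $rc
}

if [ -n "$1" ]; then
  check_site "$1"
fi
```

A non-zero exit status means at least one file is still readable, which makes the script usable as a post-deploy check in a cron job or CI pipeline as well as a one-off verification.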
Related issues
WordPress Version in Page Source
Your WordPress version is visible in every page's HTML. Learn how to remove it with one line of code.
Directory Listing Enabled
Anyone can browse your WordPress uploads folder. One line in .htaccess closes this immediately.
Vulnerable Plugins Detected
One or more of your WordPress plugins have known security vulnerabilities. Learn how to find and update them.