WordPress - Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php

You don't really need to remove these files. It's much easier to just block access to them. If you are using pretty URLs you already have an .htaccess file. Using .htaccess to block the files is secure and you only have to add a directive once.

Blocking files is done by adding a directive to .htaccess like this:

    <files filename.file-extension>
         order allow,deny
         deny from all
    </files>

So, to block readme.html you do this:

    <files readme.html>
         order allow,deny
         deny from all
    </files>

Do the same with the license file or any other file you want to prevent anyone from accessing. Just open .htaccess in Notepad or any other basic text editor, add the directives and save, making sure that the text editor keeps the file name exactly - without any .txt on the end.


Here is my take:

    RewriteRule (?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|html?) - [R=404,NC,L]

  • 404 (not existing) rather than 403 (forbidden) to avoid any clue about existence.
  • also in subfolders (i.e. themes and plugins, which might offer attack opportunities)
  • case-insensitive, extension-flexible, also catches README.html, or license.html (feel free to add typical suspects like changelogs|faq|contributing)

Personally, I would also block:

    RewriteRule \.(?:psd|log|cmd|exe|bat|c?sh)$ - [NC,F]

nb:

  • '?:' just declares the bracket to be non-matching (no importance).
  • requires RewriteEngine to be on (it most likely is; it would be rare to use WordPress without it... (ugly permalinks, etc.)).
  • insert before the # BEGIN WordPress section in your .htaccess

    add_action('core_upgrade_preamble','my_function_to_delete_files');

Edit: you can also try these:

    add_action('upgrader_pre_install','my_function_to_delete_files');
    add_action('upgrader_post_install','my_function_to_delete_files');
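
The hooks above name a callback but do not show its body. The following is an added example, not part of the original answer: one possible `my_function_to_delete_files()` that removes the three files from the question title, assuming it is loaded from a plugin or must-use plugin file.

```php
<?php
/**
 * Added example (not from the original answer): one possible body for
 * my_function_to_delete_files(), the callback name used on this page.
 * Assumption: this file is loaded as a plugin or must-use plugin.
 */

// upgrader_pre_install and upgrader_post_install are run through
// apply_filters(), so the callback hands its first argument back unchanged.
function my_function_to_delete_files( $response = true ) {
    // Fixed list: the three files named in the question title.
    $targets = array( 'readme.html', 'license.txt', 'wp-config-sample.php' );

    foreach ( $targets as $name ) {
        $path = ABSPATH . $name; // ABSPATH already ends with a slash.

        // Skip anything that is missing, a directory, or a symlink, so only
        // regular files sitting directly in the WordPress root are removed.
        if ( is_link( $path ) || ! is_file( $path ) ) {
            continue;
        }

        if ( ! @unlink( $path ) ) {
            // Deletion fails when the web server user cannot write to the
            // WordPress root; log it instead of interrupting the update.
            error_log( 'Could not delete ' . $path );
        }
    }

    return $response;
}

// Same hook names as in the answer above.
add_action( 'core_upgrade_preamble', 'my_function_to_delete_files' );
add_action( 'upgrader_pre_install', 'my_function_to_delete_files' );
add_action( 'upgrader_post_install', 'my_function_to_delete_files' );
```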