feat(plugins): deny access to .txt and .md files in plugin directories #1625

AltanS · 2025-11-12T23:07:03Z

Plugin directories are often the first point of entry for attackers as they expose README.txt and CHANGELOG.md files to the public. This exposes version information which can be used to identify known vulnerabilities.

I don't think theres any upside in leaving these publicly accessible.

swalkinshaw · 2025-11-15T18:39:13Z

roles/wordpress-setup/templates/wordpress-site.conf.j2


+  {% block plugin_docs_files -%}
+  # Block .txt and .md files in plugins and mu-plugins directories to prevent version disclosure
+  location ~* /plugins/.+\.(txt|md)$ {


Should we anchor these to /app/plugins? Technically this would block any path containing plugins/foo.txt

tangrufus · 2025-11-15T20:53:23Z

Following the same logic, I suggest we block *.md and *txt files under /app/themes as well

feat(plugins): deny access to .txt and .md files

243746e

swalkinshaw reviewed Nov 15, 2025

View reviewed changes

feat: improve docs file blocking for plugins and themes

9938144

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

feat(plugins): deny access to .txt and .md files in plugin directories #1625

feat(plugins): deny access to .txt and .md files in plugin directories #1625

AltanS commented Nov 12, 2025

Uh oh!

swalkinshaw Nov 15, 2025

Uh oh!

tangrufus commented Nov 15, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

feat(plugins): deny access to .txt and .md files in plugin directories #1625

Are you sure you want to change the base?

feat(plugins): deny access to .txt and .md files in plugin directories #1625

Conversation

AltanS commented Nov 12, 2025

Uh oh!

swalkinshaw Nov 15, 2025

Choose a reason for hiding this comment

Uh oh!

tangrufus commented Nov 15, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants