60Web60

Remove default WordPress files (readme.html and license.txt)

Security3 min read·

Every WordPress installation ships with two files in the root directory that serve no purpose on a live website: readme.html and license.txt. While they are harmless on their own, they can reveal information about your site that is better kept private.

What these files contain

readme.html displays the WordPress version number and basic setup instructions. Anyone who visits yoursite.com/readme.html can see which version of WordPress you are running. Attackers use this information to find sites running older versions with known vulnerabilities.

license.txt contains the GNU General Public License under which WordPress is distributed. It confirms to anyone who requests it that your site runs WordPress.

Why you should remove them

Removing these files is a simple step that reduces your site's information footprint:

  • Version disclosure - readme.html tells attackers exactly which WordPress version you are running, making it easier to target known vulnerabilities.
  • Platform identification - Both files confirm that your site uses WordPress, which narrows down the attack methods an attacker might try.
  • No downside - Neither file is used by WordPress to serve your website. Removing them has no effect on functionality.

Web60 server-level protection

Even before you remove these files, Web60 blocks direct access to them at the server level. Any request for readme.html, license.txt, or similar documentation files returns a 403 Forbidden error. This means visitors and attackers cannot read the file contents regardless of whether the files exist.

Removing the files is an additional layer of defence - it eliminates the files entirely rather than just blocking access to them.

How to remove them

  1. Open your Web60 dashboard and select your website.
  2. Go to Advanced Settings.
  3. In the Security card, find Remove readme.html and Remove license.txt.
  4. Toggle each one on. The file is deleted immediately.

Once removed, the toggle is replaced with a Removed label. There is no toggle to restore the file because there is no reason to put it back.

You can also click Fix All at the top of the Security card to remove both files along with all other recommended hardening measures.

What happens after a WordPress update

WordPress core updates replace system files, including readme.html and license.txt. If a core update runs, these files will reappear. The Security card will detect this automatically and show an amber warning next to each file, so you can remove them again with one click.

Need help?

If you have questions about default WordPress files or site security, visit our support page and we will be happy to help.

Frequently asked questions

Will removing these files break my website?

No. These files are not used by WordPress to run your site. They exist purely as informational documents and can be safely deleted.

Can I undo this after removing them?

There is no need to undo it. If you ever need to see the readme or license, they are available on the official WordPress website. The files will also reappear automatically the next time WordPress runs a core update.

Why do the files come back after a WordPress update?

WordPress core updates replace your WordPress system files with fresh copies, including readme.html and license.txt. This is normal. The Security card will show an amber warning when they reappear, and you can remove them again with one click.

Last updated: 26 March 2026

← PreviousWhy you cannot edit wp-config.php directlyNext →Hide your WordPress version number

Still need help?

Contact our support team for personalised assistance.

Contact Support