A few of my client’s have their sites hosted on WPEngine. When MainWP runs its normal security scans, it always reports that “readme.html file has not been removed from WordPress root” and warns, “Removing the file on WPEngine hosting can cause issues. If you need to remove the file, please consult the WPEngine support first.”
The problem is, even after WPEngine support removes the file, it just keeps showing back up after every WordPress update. Because of this, I hardly ever have 0 security issues, and I’m always having to check the details to make sure it’s not something new – only to find it’s that same “readme.html” issue. So, over time, I begin to ignore the security warning. Not ideal.
Is there any way to disable the “readme.html” check on selected sites?
@Taz Yeah I can see how this could drive anyone mad. Right now there isn’t a built in way to ignore security checks on specific sites. At least I don’t believe there is.
However, I created & tested this Code Snippet out that would at least give you the ability to simply delete the file remotely.
This is also recommended within WPengine’s WP Security PDF as you can see from the Highlighted screenshot below - so I am not sure why they would say not to remove it…
Thank you VERY much for your time and effort on this! And, please excuse my delay in getting back you. Life took an unexpected turn, but I’m back on track now.
While I consider myself a fairly savvy WordPress user, my brain explodes when seeing code without context. Can you tell me where I need to inject this code? Or, perhaps, this is intended to remain as a separate file that’s called via cron? I’m a little lost. Correction, I’m very lost.
Also, I asked a WPengine rep why removing the readme.html file might be considered problematic. The tech there said she wasn’t sure, but she guessed it might have something to do with checksum errors that could come up when copying content between WPengine environments (moving to and from a staging site, for example). Does that jive with your understanding of the issue?
This code is meant to be saved with the MainWP Code Snippet Extension. If you create a new addition and save it under “Return info from Child Site” it will reach out to any site you choose from the list and delete the readme file for you. Optionally you may manually log into your sites SFTP and delete it by hand.
As for the mixed signals you are getting from WP Engine - I couldn’t say. Since WPEngine’s own security documentation states other wise, it would be lead to believe the help desk rep that you spoke with was not well informed.
The file will be automatically added back on updates & if you are worried then keep a copy of it to replace if you run into issues but I highly doubt that you will.
