Home / Tools / Remove version-disclosing files (readme.html, CHANGELOG.txt)
Exposed Files · Scan Check Guide

Remove version-disclosing files (readme.html, CHANGELOG.txt)

20 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Many CMSs and frameworks expose their exact version number in page source, meta tags, or readme files (a WordPress /readme.html, a generator meta tag) — giving attackers a direct lookup for known vulnerabilities specific to that version.

Default CMS readme and changelog files hand attackers your exact software version — letting them look up known vulnerabilities for that specific release instead of guessing blindly.

How to fix it

  1. 1
    Check common disclosure points
    View your page source for a <meta name="generator"> tag, and check for a /readme.html or /CHANGELOG file at your root.
  2. 2
    Remove or block what you find
    Most CMSs have a plugin or one-line config change to strip the generator meta tag; delete or block direct access to readme/changelog files.
  3. 3
    Keep the actual software updated regardless
    Hiding the version number is a minor speed bump — staying current on security patches is what actually matters.

Common mistakes

How you'll know it's done

No generator meta tag or readme/changelog file reveals your exact CMS version publicly.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →