Hi @banijadev, thanks for getting in touch.
Our option “Scan for publicly accessible configuration, backup, or log files” when turned on should ensure most critical files like .user.ini aren’t viewable to anybody with malicious intent.
We don’t block the readme by default, though we do have an option that hides the WordPress version, which renames the default readme.html. You can however add wildcards in Wordfence > All Options > Advanced Firewall Options > Immediately block IPs that access these URLs, so adding /*readme.txt here will block anybody visiting a URL that ends with readme.txt, so also protects specific plugin folders on top of the WordPress readme.
Please note that you will even block yourself if you visit an “Immediately block…” URL as a test.
Thanks,
Peter.