Whenever WordPress performs a core update, it automatically pulls down the following files onto the root:
license.txtreadme.htmlwp-config-sample.php
These files aren』t an inherent security risk by themselves; however they are uneccessary clutter on the root of your site (why would you want a wp-config-sample.php file on your production website?!); and it』s just another easy-to-read vector confirming that you have a WordPress site for script-kiddies to scrape and attack.
Simply install this plugin and it will clean up those files every time you perform a core WordPress update.
