> All 3.6.7 Bug Fixes employed.
> CSS is set to External.
I've just had scan result from WebsiteDefender:
ALERT Source code disclosure (http://www.xxxxxx/?bfa_ata_file=css)
Source code patterns were found on this page. The source code of server-side scripts helps an attacker to better understand the logic behind the Web application and may help him conduct further attacks.
1) On 3.6.4. site(s) - having run WebsiteDefender - this issue does not occur.
2) Only, seemingly, occurs on 3.6.7 site (with the 3.6.7 bug fixes employed).
[By the way, I have NOT, ever, used the plugins AddThis, WP Touch or W3 Total Cache - on any site]