Should I remove install.php and install-helper.php?

Is keeping wp-admin/install.php and wp-admin/install-helper.php a security leak on the newer versions of WordPress? By default, the file permissions on those files are 644.

If there is any leak, what kind, please?

Answers:


Method 1

No, there is no security risk. Both files do sanity checks before anything happens.

If WordPress is already installed:

  • install-helper.php returns just a blank page.
  • install.php says WordPress is installed and you should log in.

You can forbid access to both files with a simple rule in your .htaccess above the permalink rules:

RedirectMatch Permanent wp-admin/install(-helper)?\.php /

This will redirect all requests to these files to the home page.

Method 2

# nginx configuration

location ~ wp-admin/install(-helper)?\.php {
    rewrite ^(.*)$ / redirect;
}
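
To confirm that either redirect rule above is actually in effect, the access log can be checked for installer requests that were answered with something other than a redirect. This is an added example, not part of the original answers; it assumes the Combined Log Format, and the names `audit`, `INSTALLER` and the sample log lines are constructed for illustration.

```python
import re

# Same pattern as the redirect rules above, with the dot escaped.
INSTALLER = re.compile(r"wp-admin/install(-helper)?\.php")

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

REDIRECTS = {"301", "302", "307", "308"}

def audit(lines):
    """Return (redirected, served) lists of installer requests found in lines."""
    redirected, served = [], []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        path = m["target"].split("?", 1)[0]  # the rules match the path, not the query
        if not INSTALLER.search(path):
            continue
        hit = (m["host"], m["method"], m["target"], m["status"])
        (redirected if m["status"] in REDIRECTS else served).append(hit)
    return redirected, served

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 301 162 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-admin/install-helper.php HTTP/1.1" 301 162 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jan/2024:10:05:00 +0000] "GET /wp-admin/install.php?step=1 HTTP/1.1" 200 1310 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:10:05:03 +0000] "GET /wp-admin/installer-notes.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Jan/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print(f"{len(ok)} installer requests redirected")
    for host, method, target, status in bad:
        print(f"NOT redirected: {host} {method} {target} -> {status}")
```

Any entry in the second list means a request reached the installer script instead of the redirect, for example because another matching rule or location block took precedence.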


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
