Is keeping wp-admin/install.php and wp-admin/install-helper.php a security leak on the newer versions of wordpress? By default file permission on those files are 644.
If there is any leak, what kind of please?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
No, there is no security risk. Both files do sanity checks before anything happens.
If WordPress is already installed:
install-helper.phpreturns just a blank page.install.phpsays WordPress is installed and you should log in:
You can forbid access to both files with a simple rule in your .htaccess above the permalink rules:
RedirectMatch Permanent wp-admin/install(-helper)?.php /
This will redirect all requests to these files to the home page.
Method 2
# nginx configuration
location ~ wp-admin/install(-helper)?.php {
rewrite ^(.*)$ / redirect;
}
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0