Should I remove install.php and install-helper.php?

Is keeping wp-admin/install.php and wp-admin/install-helper.php a security leak on the newer versions of WordPress? By default, the file permissions on those files are 644.

If there is any leak, what kind, please?

How to solve:

Method 1

No, there is no security risk. Both files do sanity checks before anything happens.

If WordPress is already installed:

  • install-helper.php returns just a blank page.
  • install.php says WordPress is installed and you should log in.

You can forbid access to both files with a simple rule in your .htaccess above the permalink rules:

RedirectMatch Permanent wp-admin/install(-helper)?\.php /

This will redirect all requests to these files to the home page.

Method 2

# nginx configuration

location ~ wp-admin/install(-helper)?\.php {
    rewrite ^(.*)$ / redirect;
}
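
To confirm that either rule is actually in effect, the following added example (not part of the original answers) scans access-log lines for requests to the two installer files and reports any that were not answered with a redirect. It assumes a common/combined log format; the log lines are constructed samples and the function and variable names are illustrative.

```python
import re

# Regex copied from the two rules on this page.
RULE = re.compile(r"wp-admin/install(-helper)?\.php")
# Request and status fields of a common/combined format access log line (assumed format).
LOG = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# RedirectMatch Permanent answers 301; nginx "rewrite ... redirect" answers 302.
EXPECTED = {301, 302}

def audit(lines):
    """Return (target, status) for installer requests that were not redirected."""
    served = []
    for line in lines:
        m = LOG.search(line)
        if not m:
            continue  # not a parsable request line
        path = m["target"].split("?", 1)[0]  # the rules match the path, not the query
        if RULE.search(path) and int(m["status"]) not in EXPECTED:
            served.append((m["target"], int(m["status"])))
    return served

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 301 231 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/install-helper.php HTTP/1.1" 302 145 "-" "curl/8.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/wp-admin/install.php?step=1 HTTP/1.1" 200 1187 "-" "curl/8.0"',
    '192.0.2.12 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, status in audit(SAMPLE_LOG):
        print(f"not redirected: {target} -> {status}")
```

A 200 on an installer path after deployment usually means the rule is not being read for that site, for example because it sits below the permalink rules or in a different virtual host.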


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
