The question:
Is keeping wp-admin/install.php and wp-admin/install-helper.php a security leak on the newer versions of WordPress? By default, the file permissions on those files are 644.
If there is any leak, what kind, please?
The Solutions:
Method 1
No, there is no security risk. Both files do sanity checks before anything happens.
If WordPress is already installed:
install-helper.php returns just a blank page.
install.php says WordPress is installed and you should log in.
You can forbid access to both files with a simple rule in your .htaccess above the permalink rules:
RedirectMatch Permanent wp-admin/install(-helper)?\.php /
This will redirect all requests to these files to the home page.
Method 2
# nginx configuration
# Redirect requests for both installer scripts to the home page.
location ~ wp-admin/install(-helper)?\.php {
    rewrite ^(.*)$ / redirect;
}
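To confirm that either rule is live, request both installer paths without following redirects and inspect the status code and Location header. This is an added example, not code from the answers above; the function and class names are its own, and the stub server is a constructed local stand-in for a real site.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

INSTALL_PATHS = ("/wp-admin/install.php", "/wp-admin/install-helper.php")
RULE = re.compile(r"wp-admin/install(-helper)?\.php")  # installer pattern, dot escaped

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: the 3xx is then raised as HTTPError

def check_install_endpoints(base_url, timeout=5):
    """Map each installer path to (status, Location, redirected_to_home)."""
    base = base_url.rstrip("/")
    # Direct connection (proxy environment variables ignored), redirects not followed.
    opener = urllib.request.build_opener(NoFollow, urllib.request.ProxyHandler({}))
    results = {}
    for path in INSTALL_PATHS:
        try:
            with opener.open(base + path, timeout=timeout) as resp:
                status, location = resp.status, None
        except urllib.error.HTTPError as err:
            status, location = err.code, err.headers.get("Location")
        # 301 from Apache "Permanent", 302 from nginx "redirect"; Location may be absolute
        ok = status in (301, 302) and location in ("/", base + "/")
        results[path] = (status, location, ok)
    return results

class StubSite(BaseHTTPRequestHandler):
    """Constructed local stand-in for a site, with or without the rule."""
    def do_GET(self):
        redirect = self.server.protected and RULE.search(self.path)
        self.send_response(301 if redirect else 200)
        if redirect:
            self.send_header("Location", "/")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_stub(protected):
    server = HTTPServer(("127.0.0.1", 0), StubSite)
    server.protected = protected
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    print(check_install_endpoints(start_stub(protected=True)[1]))
```

Against a real site, call check_install_endpoints with the site's base URL; a third tuple element of False means that path is still served directly rather than redirected to the home page.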
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.