Should I remove install.php and install-helper.php?

The question:

Is keeping wp-admin/install.php and wp-admin/install-helper.php a security leak on the newer versions of wordpress? By default file permission on those files are 644.

If there is any leak, what kind of please?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

No, there is no security risk. Both files do sanity checks before anything happens.

If WordPress is already installed:

  • install-helper.php returns just a blank page.
  • install.php says WordPress is installed and you should log in:
    enter image description here

You can forbid access to both files with a simple rule in your .htaccess above the permalink rules:

RedirectMatch Permanent wp-admin/install(-helper)?.php /

This will redirect all requests to these files to the home page.

Method 2

# nginx configuration

location ~ wp-admin/install(-helper)?.php {
    rewrite ^(.*)$ / redirect;

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment