There are a few WordPress files that you can delete after installation. They are not needed to run any part of your site, and one of them reveals the WordPress version you are using, which could tip hackers off to any security vulnerabilities on your site.
You’ll need FTP or SFTP access to your web server in order to delete these files. You can download a free FTP program like FileZilla, if you don’t already have one. If you don’t have access to FTP, or would rather not mess with files on your server, you could ask your hosting company to delete them for you. They may or may not honor your request, depending on the support contract you have with them.
This is part of our series on WordPress security.
Unnecessary WordPress Files
wp-config-sample.php is found in the root of your WordPress installation. If your hosting company offers a one-click installation, you will see both wp-config.php and wp-config-sample.php in the root folder. Just go ahead & delete wp-config-sample.php. Your hosting company has already set up & created wp-config.php, and the sample file is not needed.
If you are installing WordPress on your own, you will only have a wp-config-sample.php file. You need to rename this file to just wp-config.php. If you rename it, then the sample file will not be there anymore, which is what you want. No need to delete anything.
Surprisingly, even managed WordPress hosts like WP Engine, who install & configure WordPress for you, still leave wp-config-sample.php on the server.
The readme.html file is also located in the root of your site. It provides basic information about installation, upgrading, system requirements & resources. It also displays the WordPress version you are running, which can be used by hackers to exploit vulnerabilities. You should delete this file.
This file gets added back every time you update WordPress (e.g., from 3.7 to 3.7.1). To be on the safe side, you can delete it each time you perform an update.
This file is used when first installing WordPress. It contains the form where you enter your blog title, create a username & password, etc. If your web host has a one-click WordPress install, they have already taken care of all this for you. This file is not needed after the initial install, so you should delete it.
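Because readme.html comes back with every update, the cleanup of readme.html and wp-config-sample.php described above is worth scripting. The script below is an added example, not code from the original article; it assumes shell (SSH) access to the server rather than FTP, and the names wp_cleanup, remove_leftover and DRY_RUN are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): remove the leftover files the article
# names from a WordPress root. wp_cleanup, remove_leftover and DRY_RUN are
# hypothetical names chosen for this example.

wp_cleanup() {
    root=$1

    # Only act on a directory that really is a WordPress install;
    # wp-includes/version.php ships with every WordPress release.
    if [ ! -f "$root/wp-includes/version.php" ]; then
        echo "skip: $root is not a WordPress root" >&2
        return 2
    fi

    # readme.html is restored by every update, so always check for it.
    remove_leftover "$root/readme.html"

    # The sample config is only a leftover once wp-config.php exists.
    # On a manual install that is not finished, it still has to be renamed.
    if [ -f "$root/wp-config-sample.php" ]; then
        if [ -f "$root/wp-config.php" ]; then
            remove_leftover "$root/wp-config-sample.php"
        else
            echo "keep: $root/wp-config-sample.php (no wp-config.php yet, rename it)"
        fi
    fi
    return 0
}

# Delete one file, or only report it when DRY_RUN=1.
remove_leftover() {
    [ -f "$1" ] || return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would delete: $1"
    else
        rm -f -- "$1" && echo "deleted: $1"
    fi
}

# Run directly as: sh wp-cleanup.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    wp_cleanup "$1"
fi
```

Set DRY_RUN=1 for a first pass to see what would be deleted, then rerun without it after each WordPress update.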