Delete Unnecessary WordPress Files

Written by Dave Warfel

NOTE
This article is outdated and no longer relevant. We no longer recommend deleting these files. It won’t hurt anything to do so, but it also won’t help, and won’t make your site any more secure. It’s simply not worth your time.

There are a few WordPress files that you can delete after installation. They are not needed to run any part of your site, and in one case, they reveal the WordPress version you are using, which could tip hackers off to any security vulnerabilities on your site.

You’ll need FTP or SFTP access to your web server in order to delete these files. You can download a free FTP program like FileZilla, if you don’t already have one. If you don’t have access to FTP, or would rather not mess with files on your server, you could ask your hosting company to delete them for you. They may or may not honor your request, depending on the support contract you have with them.

This is part of our series on WordPress security. Learn how to secure your WordPress site from hackers & other threats.

Unnecessary WordPress Files

Delete wp-config-sample.php

wp-config-sample.php is found in the root of your WordPress installation. If your hosting company offers a one-click installation, you will see both wp-config.php AND wp-config-sample.php in the root folder. Just go ahead & delete wp-config-sample.php. Your hosting company has already set up & created wp-config.php, and the sample file is not needed.

If you are installing WordPress on your own, you will only have a wp-config-sample.php file. You need to rename this file to just wp-config.php. If you rename it, then the sample file will not be there anymore, which is what you want. No need to delete anything.

Surprisingly, even managed WordPress hosts like WP Engine, who install & configure WordPress for you, still leave the wp-config-sample.php on the server.

Delete readme.html

The readme.html file is also located in the root of your site. It provides basic information about installation, upgrading, system requirements & resources. It also displays the WordPress version you are running, which can be used by hackers to exploit vulnerabilities. You should delete this file.

This file gets added back every time you update WordPress (e.g., from 3.7 to 3.7.1). To be on the safe side, you can delete it each time you perform an update.

Delete /wp-admin/install.php

This file is used when first installing WordPress. It contains the form where you enter your blog title, create a username & password, etc. If your web host has a one-click WordPress install, they have already taken care of all this for you. This file is not needed after the initial install, so you should delete it.

19 responses to “Delete Unnecessary WordPress Files”

  1. Phil

    Thank you, good info. Would you agree that also deleting install-helper.php and setup-config.php would be a good practice?

    1. Phil

      Hi, did my homework and learned that I should not delete install-helper.php. I still would like to learn if there are other unnecessary files I should delete when hardening WP.
      Thanks

  2. Phil

    Hi, I also would like to have your thoughts about index.php files which can be found at several places inside httpdocs. I’ve had some cases where attackers put their stuff in it. How to better protect it? Can I just put a clean copy replacing the compromised one?
    Thanks

  3. Dave Warfel

    Hi Phil,

    Thanks for chiming in here. I actually wouldn’t recommend you delete any other files. Even if you do, most of them will be added back every time you update the WordPress core.

    In terms of securing your site, deleting files like this is one of the least effective things you can do. Still helpful, just near the bottom in terms of prioritizing your site security.

    I definitely would NOT delete any index.php files. And if they do get hacked, you should download a fresh copy of WordPress from wordpress.org, and replace them with the official file from WordPress. Most of them are blank, yes, but I’d still recommend grabbing the exact copy from wordpress.org.

    I use iThemes Security to protect files & directories on my site, and alert me when someone tries to access them.

  4. Pankaj Murthalia

    Can we delete the wp-activate file, as we have disabled registrations? Like the one showing when we do login on our site?

    1. Dave Warfel

      You probably could without any issue, but I haven’t researched it enough to be able to recommend it.

  5. Ashik

    OK Sir, my question is: should I delete all files in the public_html folder before I install WordPress?

    1. Dave Warfel

      Ashik — No, I would not delete all of the files in your public_html folder. While some of them are probably not necessary to run WordPress, they shouldn’t be a security concern either.

  6. Rob

    Hi,
    Thanks for discussing this. What about the license.txt file? Should that be deleted or should a redirect be created so that hackers can’t simply look for that file and immediately tell that it’s a WordPress site?

    Thanks,
    Rob

    1. Dave Warfel

      Hey Rob — This post hasn’t been updated in a while, and honestly, I wouldn’t bother with deleting these files. Especially the license.txt file. There is really no benefit to doing so.

      Trying to hide your WordPress version in any way, including by deleting files, is not a worthwhile security measure, and not worth your time.

    2. deep

      Dear Dave, Thanks

  7. AGB

    Hello,
    I see some files that Sucuri lists as “not an official WordPress file”, e.g.
    bestside.php
    license.php
    wp-admin/RUxMV09PREdST1VQLkNPTQ==.txt (several variations of that)
    wp-admin/error_log
    wp-admin/functions.php
    wp-includes/error_log
    wp-includes/js/mediaelement/mediaelement-and-player.minBK.js

    and also three files that have been modified including index.php, wp=load.php.

    Do you think that I should delete all the files that are not official WordPress files? I can’t find any information on Sucuri’s site to explain what that message means.

    Thank you!

    1. Dave Warfel

      I can’t say for sure, but it sounds like you’ve been hacked. Those are common tactics and filenames that hackers use to disguise malicious files. Simply deleting them probably won’t fix it.

      I recommend you hire Sucuri to clean your site. Then look into some further security, and/or better hosting.
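
An added example, not part of the original post or its comments and not Sucuri's code: the kind of comparison behind a "not an official WordPress file" report and behind the advice above to restore core files from a fresh wordpress.org download. It assumes a SHA-256 manifest built from a clean copy; the helper names, the `SITE_FILES` exemption and the sample tree (which reuses file names from the comment) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_ONLY_DIRS = ("wp-admin", "wp-includes")  # these ship only official core files
SITE_FILES = {"wp-config.php"}  # assumption: the one site-specific PHP file at the root

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(clean_root: Path) -> dict:
    """Map relative path -> SHA-256 for every file in a freshly downloaded copy."""
    return {p.relative_to(clean_root).as_posix(): sha256_of(p)
            for p in clean_root.rglob("*") if p.is_file()}

def audit_core(root: Path, manifest: dict) -> dict:
    """Report core files that are modified, missing, or not part of the clean copy."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != expected:
            report["modified"].append(rel)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        top, nested = rel.split("/", 1)[0], "/" in rel
        suspect_place = top in CORE_ONLY_DIRS or (not nested and rel.endswith(".php"))
        if path.is_file() and suspect_place and rel not in manifest and rel not in SITE_FILES:
            report["unexpected"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo() -> dict:
    """Constructed sample: a tiny 'clean' tree and a tampered live copy of it."""
    core = ["index.php", "wp-load.php", "wp-admin/install.php", "wp-includes/version.php"]
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            for rel in core:
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(f"<?php // clean {rel}\n")
        (live / "index.php").write_text("<?php // altered\n")        # modified core file
        (live / "wp-admin/install.php").unlink()                      # deleted, as in the article
        (live / "wp-admin/error_log").write_text("constructed\n")     # extra file in wp-admin
        (live / "license.php").write_text("<?php // constructed\n")   # extra PHP at the root
        (live / "wp-config.php").write_text("<?php // site config\n") # legitimate, exempted
        (live / "wp-content").mkdir()
        (live / "wp-content/theme.php").write_text("<?php\n")         # wp-content is out of scope
        return audit_core(live, build_manifest(clean))
```

On a real install, WP-CLI's `wp core verify-checksums` runs this kind of comparison against the checksums WordPress.org publishes for the installed version.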

  8. Anna Barensfeld

    OK thanks Dave. In the meantime would I cause my site any harm if I did delete these files? I recognize that I do need to get professional help for the bigger problem.

    1. Dave Warfel

      Your site should be fine if you delete them. They are not necessary WordPress files.

  9. Romapad

    Must be some snippet to automate it on every WordPress update, isn’t it?

    1. Dave Warfel

      Not that I’ve seen but I’m pretty sure it’s possible to write one.

  10. deep

    Hello everyone. In my root folder, index.php is automatically updated. What is the issue?

    1. Dave Warfel

      It will be updated every time there is a WordPress update. There’s no way around it.

      Also, this article is quite old and I don’t really think deleting these files is worth it any more.