Delete Unnecessary WordPress Files


NOTE
This article is outdated and no longer relevant. We no longer recommend deleting these files. It won’t hurt anything to do so, but it also won’t help, and won’t make your site any more secure. It’s simply not worth your time.

There are a few WordPress files that you can delete after installation. They are not needed to run any part of your site, and one of them reveals the WordPress version you are using, which could tip hackers off to any security vulnerabilities on your site.

You’ll need FTP or SFTP access to your web server in order to delete these files. You can download a free FTP program like FileZilla, if you don’t already have one. If you don’t have access to FTP, or would rather not mess with files on your server, you could ask your hosting company to delete them for you. They may or may not honor your request, depending on the support contract you have with them.

This is part of our series on WordPress security. Learn how to secure your WordPress site from hackers & other threats.

Unnecessary WordPress Files

Delete wp-config-sample.php

wp-config-sample.php is found in the root of your WordPress installation. If your hosting company offers a one-click installation, you will see both wp-config.php AND wp-config-sample.php in the root folder. Just go ahead & delete wp-config-sample.php. Your hosting company has already created & set up wp-config.php, and the sample file is not needed.

If you are installing WordPress on your own, you will only have a wp-config-sample.php file. You need to rename this file to just wp-config.php. If you rename it, then the sample file will not be there anymore, which is what you want. No need to delete anything.

Surprisingly, even managed WordPress hosts like WP Engine, who install & configure WordPress for you, still leave the wp-config-sample.php on the server.

Delete readme.html

The readme.html file is also located in the root of your site. It provides basic information about installation, upgrading, system requirements & resources. It also displays the WordPress version you are running, which can be used by hackers to exploit vulnerabilities. You should delete this file.

This file gets added back every time you update WordPress (e.g., from 3.7 to 3.7.1). To be on the safe side, you can delete it each time you perform an update.

Delete /wp-admin/install.php

This file is used when first installing WordPress. It contains the form where you enter your blog title, create a username & password, etc. If your web host has a one-click WordPress install, they have already taken care of all this for you. This file is not needed after the initial install, so you should delete it.
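For readers with shell (SSH) access rather than an FTP client, the three deletions above can be expressed as one function. This is an added example, not code from the original article; the function name `wp_cleanup`, the `--delete` switch and the path in the usage comment are assumptions made for the example. It lists by default, deletes only on request, and handles the self-install case described above, where wp-config-sample.php must be renamed rather than deleted.

```shell
#!/bin/sh
# Added example: list (and optionally delete) the files named in this article.
# Usage after sourcing this file (example path, adjust to your web root):
#   wp_cleanup /var/www/html            # list only
#   wp_cleanup /var/www/html --delete   # list and delete

wp_cleanup() {
    root=$1
    mode=${2:-}

    # Refuse to run anywhere that does not look like a WordPress root.
    if [ ! -d "$root/wp-admin" ] || [ ! -d "$root/wp-includes" ]; then
        echo "wp_cleanup: $root does not look like a WordPress root" >&2
        return 2
    fi

    # Without wp-config.php the install has not been completed: the sample
    # file still has to be renamed and install.php is still needed, so only
    # readme.html is a candidate.
    if [ -f "$root/wp-config.php" ]; then
        candidates="wp-config-sample.php readme.html wp-admin/install.php"
    else
        candidates="readme.html"
    fi

    for rel in $candidates; do
        path=$root/$rel
        # Only regular files; a symlink with one of these names is left
        # alone for manual review.
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            echo "$rel"
            if [ "$mode" = "--delete" ]; then
                rm -f -- "$path"
            fi
        fi
    done
    return 0
}
```

Because a core update restores these files, the function has to be run again after each update to have any lasting effect.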

19 Comments on "Delete Unnecessary WordPress Files"

  1. /

    Thank you, good info. Would you agree that deleting also install-helper.php and setup-config.php would be a good practice?

    1. /

      Hi, did my homework and learned that I should not delete install-helper.php. I still would like to learn if there are other unnecessary files I should delete when hardening WP
      Thanks

  2. /

    Hi, I also would like to have your thoughts about index.php files which can be found at several places inside httpdocs. I’ve had some cases where attackers put their stuff in it. How to better protect it? Can I just put a clean copy replacing the compromised one?
    Thanks

  3. (Author) /

    Hi Phil,

    Thanks for chiming in here. I actually wouldn’t recommend you delete any other files. Even if you do, most of them will be added back every time you update the WordPress core.

    In terms of securing your site, deleting files like this is one of the least effective things you can do. Still helpful, just near the bottom in terms of prioritizing your site security.

    I definitely would NOT delete any index.php files. And if they do get hacked, you should download a fresh copy of WordPress from wordpress.org, and replace them with the official file from WordPress. Most of them are blank, yes, but I’d still recommend grabbing the exact copy from wordpress.org.

    I use iThemes Security to protect files & directories on my site, and alert me when someone tries to access them.

  4. /

    Can we delete the wp-activate file, as we have disabled registrations? Like the one showing when we do login on our site?

    1. (Author) /

      You probably could without any issue, but I haven’t researched it enough to be able to recommend it.

  5. /

    OK Sir, my question is: should I delete all files in the public_html folder before I install WordPress?

    1. (Author) /

      Ashik — No, I would not delete all of the files in your public_html folder. While some of them are probably not necessary to run WordPress, they shouldn’t be a security concern either.

  6. /

    Hi,
    Thanks for discussing this. What about the license.txt file? Should that be deleted or should a redirect be created so that hackers can’t simply look for that file and immediately tell that it’s a WordPress site?

    Thanks,
    Rob

    1. (Author) /

      Hey Rob — This post hasn’t been updated in a while, and honestly, I wouldn’t bother with deleting these files. Especially the license.txt file. There is really no benefit to doing so.

      Trying to hide your WordPress version in any way, including by deleting files, is not a worthwhile security measure, and not worth your time.

    2. /

      Dear Dave, Thanks

  7. /

    Hello,
    I see some files that Sucuri lists as “not an official WordPress file” e.g. bestside.php
    license.php
    wp-admin/RUxMV09PREdST1VQLkNPTQ==.txt (several variations of that)
    wp-admin/error_log
    wp-admin/functions.php
    wp-includes/error_log
    wp-includes/js/mediaelement/mediaelement-and-player.minBK.js

    and also three files that have been modified including index.php, wp=load.php.

    Do you think that I should delete all the files that are not official WordPress files? I can’t find any information on Sucuri’s site to explain what that message means.

    Thank you!

    1. (Author) /

      I can’t say for sure, but it sounds like you’ve been hacked. Those are common tactics and filenames that hackers use to disguise malicious files. Simply deleting them probably won’t fix it.

      I recommend you hire Sucuri to clean your site. Then look into some further security, and/or better hosting.
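Added example, not part of the original comments and not Sucuri's implementation: a list like the one in the comment above can be produced by comparing the core files of a live install against an unpacked copy of the same WordPress version downloaded from wordpress.org. The function name `wp_core_diff`, the `UNKNOWN`/`MODIFIED` labels and the paths in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report core files that are missing from, or differ from,
# a pristine copy of the same WordPress version.
# Usage after sourcing this file (example paths):
#   wp_core_diff /var/www/html /tmp/wordpress

wp_core_diff() {
    live=$1     # the site being checked
    clean=$2    # unpacked wordpress.org archive of the SAME version

    for d in "$live" "$clean"; do
        if [ ! -d "$d/wp-admin" ] || [ ! -d "$d/wp-includes" ]; then
            echo "wp_core_diff: $d does not look like a WordPress root" >&2
            return 2
        fi
    done

    # Core is the root-level *.php files plus wp-admin/ and wp-includes/.
    # wp-content/ (themes, plugins, uploads) is site-specific and skipped.
    # File names containing newlines are not handled.
    (
        cd "$live" && {
            find . -maxdepth 1 -type f -name '*.php'
            find ./wp-admin ./wp-includes -type f
        }
    ) | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#./}
        # wp-config.php is created at install time and is never in the archive.
        [ "$rel" = "wp-config.php" ] && continue
        if [ ! -f "$clean/$rel" ]; then
            echo "UNKNOWN $rel"      # not shipped with this version
        elif ! cmp -s "$live/$rel" "$clean/$rel"; then
            echo "MODIFIED $rel"     # shipped, but contents differ
        fi
    done
}
```

Server-generated files such as error_log show up as UNKNOWN as well, so the output is a list to review, not a list to delete.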

  8. /

    OK thanks Dave. In the meantime would I cause my site any harm if I did delete these files? I recognize that I do need to get professional help for the bigger problem.

    1. (Author) /

      Your site should be fine if you delete them. They are not necessary WordPress files.

  9. /

    Must be some snippet to automate it on every wordpress update, isn’t it?

    1. (Author) /

      Not that I’ve seen but I’m pretty sure it’s possible to write one.

  10. /

    Hello everyone. In my root folder, index.php is automatically updated. What is the issue?

    1. (Author) /

      It will be updated every time there is a WordPress update. There’s no way around it.

      Also, this article is quite old and I don’t really think deleting these files is worth it any more.
