There are a few WordPress files that you can delete after installation. They are not needed to run any part of your site, and one of them reveals the WordPress version you are using, which could tip hackers off to any security vulnerabilities on your site.
You’ll need FTP or SFTP access to your web server in order to delete these files. You can download a free FTP program like FileZilla, if you don’t already have one. If you don’t have access to FTP, or would rather not mess with files on your server, you could ask your hosting company to delete them for you. They may or may not honor your request, depending on the support contract you have with them.
This is part of our series on WordPress security. Learn how to secure your WordPress site from hackers & other threats.
Unnecessary WordPress Files
Delete wp-config-sample.php
wp-config-sample.php is found in the root of your WordPress installation. If your hosting company offers a one-click installation, you will see both wp-config.php AND wp-config-sample.php in the root folder. Just go ahead & delete wp-config-sample.php. Your hosting company has already set up & created wp-config.php, and the sample file is not needed.
If you are installing WordPress on your own, you will only have a wp-config-sample.php file. You need to rename this file to just wp-config.php. If you rename it, then the sample file will not be there anymore, which is what you want. No need to delete anything.
Surprisingly, even managed WordPress hosts like WP Engine, who install & configure WordPress for you, still leave the wp-config-sample.php file on the server.
Delete readme.html
The readme.html file is also located in the root of your site. It provides basic information about installation, upgrading, system requirements & resources. It also displays the WordPress version you are running, which can be used by hackers to exploit vulnerabilities. You should delete this file.
This file gets added back every time you update WordPress (e.g., from 3.7 to 3.7.1). To be on the safe side, you can delete it each time you perform an update.
Delete /wp-admin/install.php
This file is used when first installing WordPress. It contains the form where you enter your blog title, create a username & password, etc. If your web host has a one-click WordPress install, they have already taken care of all this for you. This file is not needed after the initial install, so you should delete it.
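If you have shell (SSH) access instead of FTP, the three deletions above can be checked and repeated after every update with a small script. This is an added example, not part of the original article; the function name wp_cleanup and the path in the usage comment are hypothetical, and it assumes a finished install is one where wp-config.php exists.

```shell
#!/bin/sh
# Added example (not from the article): report or delete the three files above.
# Usage after sourcing:  wp_cleanup /path/to/wordpress            (report only)
#                        wp_cleanup /path/to/wordpress --delete   (remove them)
# /path/to/wordpress is a placeholder for your WordPress root.

wp_cleanup() {
    root=$1
    mode=${2:-report}
    remaining=0

    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi

    # No wp-config.php means setup is unfinished: the sample still has to be
    # renamed and install.php is still needed, so nothing is touched.
    if [ ! -f "$root/wp-config.php" ]; then
        echo "wp-config.php not found in $root; finish the install first" >&2
        return 2
    fi

    for rel in wp-config-sample.php readme.html wp-admin/install.php; do
        target=$root/$rel
        [ -e "$target" ] || [ -L "$target" ] || continue
        if [ -L "$target" ] || [ ! -f "$target" ]; then
            # A symlink or directory under one of these names is unexpected.
            echo "SKIP    $rel (not a regular file)"
            remaining=$((remaining + 1))
        elif [ "$mode" = "--delete" ]; then
            if rm -- "$target"; then
                echo "DELETED $rel"
            else
                remaining=$((remaining + 1))
            fi
        else
            echo "FOUND   $rel"
            remaining=$((remaining + 1))
        fi
    done

    # Status 0: none of the three files remain. Status 1: at least one does.
    [ "$remaining" -eq 0 ]
}
```

Because readme.html comes back with each WordPress update, run the report mode after updating and use the exit status to decide whether a cleanup is needed.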