Do you remove Installer and Config files after installation?

Here is some basic security guidelines.
https://codex.www.ads-software.com/Hardening_WordPress

Thanks,
That completely answers my question.
You got 5 stars from me for your reply and help ??
Regards,
Nick.

Definitely some good advise there, but I’m still wondering whether there’s any reason to leave files like /wp-config.php, /wp-admin/install.php, and /wp-admin/upgrade.php on the server once the initial install is complete?

I can imagine that, even with write access disabled, if someone could manage to read the php code in wp-config, that would be bad.

Thanks!

Shane

umm, well since your posts and pages are stored in a mysql database, and since the connection info for MySQL is stored inside your wp-config.php, you cannot delete that.

you can and should delete install.php and upgrade.php

fwiw, the only way your wp-config.php will be ever read as plain text in a browser session is if the php interpreter goes nuts up, or, for some reason, someone makes a bad edit to the httpd.conf, and perhaps comments out the include php.conf file (apache 2.x) — I mention that, because Ive actually done it.

you can move the sensitive bits in your wp-config.php to another file though that is outside of any web accessible directory though, if that really worries you.

Thanks, whooami. I’m not going to go crazy w/ the security stuff — moving wp-config file to a non-web-accessible directory might be worth the trouble, but I’d have to look into it.

My concern was what you mentioned — that I’d screw up something & the contents of wp-config would be displayed for all the world to see. (Kind’a freaked me out the first time I made a mistake in php and – oops — there’s my code, right there in the browser!)

Thanks for the info on install & upgrade. I’ll put upgrade back next time it’s needed, & delete install now.