Skip to main content

There are multiple ways to protect the WordPress installation file, and it is highly recommended you do so to protect your site from malware and attackers. You do not want anyone unauthorized to have entry to your website if and when something goes wrong with the server.

The file you want to protect is located in the wp-admin directory. This is no longer necessary after installation and should be removed or protected after the installation is complete.

So, let’s protect your WordPress installation file from hackers!

Please note we will not use any plugin solution, everything done here is through pure coding.

Solution 1: Delete the File

Perhaps the quickest and easiest way to prevent outsiders from gaining access to your file is to delete it completely. You do not need to keep the file, so there is no need to hesitate in removing it.

To do this, navigate to wp-admin folder from the WordPress installation file and then rename the local copy of your install.php. You can rename it to install-backup.php or anything you like.

It is always safe to keep the backup before we do anything in case something goes wrong and we need it back.

We can always delete it later after making sure everything is working properly.

Ok, now that we have the backup the next step is to delete the install.php file located on the server using an FTP client.

Delete Wordpress Installation File
This process is super simple; the only drawback is WordPress may try to replace the file during your next update, so you will want to set a reminder to remove the file with each update.

Solution 2: Deny Access

The second solution is to deny access to the WordPress installation file via .htaccess. To do this you will protect your file at the server level.

Using an FTP client locate your .htaccess file, (if you do not have one, create it.)

Next, copy and paste the below code into your .htaccess file, near the top.

Make sure you do not delete any WordPress default code inside .htaccess file, past your code above any other codes.

# Secure the installation page
<Files install.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>

Save and upload the file to the server.

This code will protect your WordPress by preventing access to the install.php file. It will work with both older and newer versions of Apache.

After you upload the file to the server, check your browser to ensure everything is implemented correctly.

If it is working properly requests to access the WordPress installation file will be blocked and you will receive the following message: Forbidden, you do not have permission to access the requested file.

403 Forbidden Error

Solution 3: Replace the File

In order to replace your install.php file, first duplicate the original file, located in the wp-admin directory, and rename the duplicate (install-backup.php, for example).

To duplicate, simply right click on the original file and select “Duplicate.” After you have duplicated and renamed the file, go back into the original install.php file. Delete the current code, and copy and paste the below code.

<?php
/*
WordPress install.php replacement page
@ https://perishablepress.com/important-security-fix-for-wordpress/
Place in /wp-admin/ directory
*/
header('HTTP/1.1 503 Service Temporarily Unavailable');
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 3600'); // 3600 seconds = 60 minutes
mail('[email protected]', 'Database Error', 'There is a problem with the database!');
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Site offline for maintenance</title>
</head>
<body>
<h1>We'll be right back..</h1>
<p>The site is currently offline for maintenance.</p>
</body>
</html>

You will need to make one change to this code, replace “[email protected]” with your email address.

Save the code to the server and check to confirm everything is working correctly. Refresh your browser page, and if the code loaded correctly your browser will display the message, “We’ll be right back.”

We Will Be Right Back

Behind the scenes, the code is running a 503 status code, and you will be notified with an email that you need to take action against the nasty happenings.

This code also allows for customization, so you can edit your messaging or any other aspect of it to suit your needs.

Protecting your WordPress installation file isn’t difficult, but it is important. Follow any of these simple methods to safeguard your website and make sure it is safe from assailants.

Also, make sure to take an extra step to protect the following sections of your WordPress site.

  1. How to Protect your Configuration File From Hackers.
  2. How to protect WordPress Admin and Login sections.
Skip to content