There are multiple ways to protect your WordPress installation file, and it is highly recommended you do so to protect your site from malware and attackers. You do not want anyone unauthorized to have entry to your website if and when something goes wrong with the server.
The file you want to protect is located in the wp-admin directory. This is no longer necessary after installation and should be removed or protected after install is complete. There are three approaches you can implement to protect your WordPress website.
Please note we will not use any plugin solution, everything done here is through pure coding.
Solution 1: Delete the File
Perhaps the quickest and easiest way to prevent outsiders from gaining access to your the file is to delete it completely. You do not need to keep the file, so there is no need to hesitate in removing it.
To do this, navigate to wp-admin folder from the WordPress installation files and then rename the local copy of your install.php. You can rename it to install-backup.php or anything you like.
It is always safe to keep the backup before we do anything in case something goes wrong and we need it back.
We can always delete it later after making sure everything is working properly.
Ok, now that we have the backup the next step is to delete the install.php file located on the server using an FTP client.
This process is super simple; the only drawback is WordPress may try to replace the file during your next update, so you will want to set a reminder to remove the file with each update.
Solution 2: Deny Access
The second solution is to deny access to the file via .htaccess. To do this you will protect your file at the server level.
Using FTP client locate your .htaccess file, (if you do not have one, create it.)
Next, copy and paste the below code into your .htaccess file, near the top. Make sure you do not delete any WordPress default code inside .htaccess file, past your code above any other codes.
# Secure the installation page
# Apache < 2.3
Deny from all
# Apache >= 2.3
Require all denied
Save and upload the file to the server.
This code will protect your site by preventing access to the install.php file. It will work with both older and newer versions of Apache.
After you upload the file to the server, check your browser to ensure everything implemented correctly. If it is working properly requests to access the installation file will be blocked and you will receive the following message: Forbidden, you do not have permission to access the requested file.
Solution 3: Replace the File
In order to replace your install.php file, first duplicate the original file, located in the wp-admin directory, and rename the duplicate (install-backup.php, for example).
To duplicate, simply right click the original file and select “Duplicate.” After you have duplicated and renamed the file, go back into the original install.php file. Delete the current code, and copy and paste the below code.
WordPress install.php replacement page
Place in /wp-admin/ directory
header('HTTP/1.1 503 Service Temporarily Unavailable');
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 3600'); // 3600 seconds = 60 minutes
mail('[email protected]', 'Database Error', 'There is a problem with the database!');
<title>Site offline for maintenance</title>
<h1>We'll be right back..</h1>
<p>The site is currently offline for maintenance.</p>
You will need to make one change to this code, replace “[email protected]” with your email address.
Save the code to the server and check to confirm everything is working correctly. Refresh your browser page, and if the code loaded correctly your browser will display the message, “We’ll be right back.”
Behind the scenes, the code is running a 503 status code, and you will be notified with an email that you need to take action against the nasty happenings. This code also allows for customization, so you can edit your messaging or any other aspect of it to suit your needs.
Protecting your WordPress installation file isn’t difficult, but it is important. Follow any of these simple methods to safeguard your website and make sure it is safe from assailants.
Next, we’ll talk about how to How to Protect your Configuration File From Hackers.