When facing a pentest, many say that you need to delete these files in WordPress, but what is the vulnerability in them?

For reference, I am not deleting the core files; I am familiar with how WP works.

  • 1
    Probably so that no one can go to yoursite.com/install.php and reinstall the engine, no? - Jagailo
  • 2
    @Jagailo reinstalling the engine from the outside is impossible. - KAGG Design
  • 1
    Do not listen to such heresy. Never touch the core files at all. - SeVlad

3 answers

Right, there is no vulnerability in them. There are no known vulnerabilities in WordPress. And all these tips belong to the category of busywork. If there is nothing to do, you can invent a job for yourself - delete some files, hide the WordPress version (which can be determined by 10 different methods). I don't want to start a flame war here, but I also don't want to ignore so much bad advice, of all places, on Stack Overflow.

Check out the WordFence blog, the world's leading security expert for WordPress. They wrote about xml-rpc back in 2015. And the people there understand security issues better than you and I do.

All these brute-force attacks are effectively shut down by installing simple IP-blocking plugins, or that same WordFence.

Tips on protecting .php files from access seem more than strange - how exactly, I wonder, could you read the contents of wp-config.php from outside???

Tips on removing unused files in WordPress are also definitely harmful, because after every update you have to repeat this busywork.

But updating the core and plugins is critical, because vulnerabilities are still discovered from time to time, and the WordPress team promptly releases security updates.

It is better to spend your time making sure that your code in WordPress does not depend on updates - i.e. it is moved into a child theme or plugins, does not use deprecated functions, is well documented and is easy to modify.

  • Who downvoted? The opinion is written very sensibly. WordPress is unreasonably considered a leaky sieve, but 99% of that is due to holes in plugins, written by who knows whom and who knows how. And the uncontrolled installation of plugins after removing the "holey" upgrade.php files - that is called "security theater". I would like to hear the reasoning behind the downvote - preferably as a separate answer. - AK ♦
  • @AK Yes, and those downvoting are captivated by popular notions about WP))) They consider themselves smarter than the team that maintains the engine behind 25% of sites on the Internet)) - KAGG Design
  • I upvoted, the answer is sensible, but the claim that there are no known vulnerabilities in WP is doubtful. What about the WP REST API? - Klimenkomud
  • @Klimenkomud there are no known vulnerabilities in the REST API either. Read about the latest security updates. They mostly close minor things of a very peculiar nature. - KAGG Design
  • @KAGGDesign by the way, the layout on your site is broken =( - Lex Hobbit

many say that you need to delete these files

They also say that chickens can be milked..
And is it really unclear from the name upgrade.php what the file is for? For updates. And install.php is needed both for installing plugins and themes and for updates. And in general, it is found in many distribution files. It is worth thinking about what will happen if it suddenly is not found.

Core files must not be touched, unless there is a strong desire to break the site and spawn holes. None of them may be. If you need to change the functionality, it is done in other ways, not by deleting files.

  • Thanks, of course, for the explanation of what is needed and why, but I know why these files are needed even without you. Your answer is completely off topic. - Klimenkomud
  • And to be honest, I don't see in the body of my question even the slightest hint at deleting these files. Many quite authoritative (from my point of view) resources claim that these files are a potential backdoor, but I haven't found their vulnerability anywhere. Your answer treats the question as a warning to a young site "defender" not to do anything rash. I hope it is clear why I considered your answer off topic. - Klimenkomud
  • Don't you see the mention of removal in your question? That's a good one!!! Well, I'm sorry I wanted to help. Ah, yes, those are not authorities. Here they tell us about vulnerabilities, but not which ones. Once again, I'm sorry, I won't do it again. - SeVlad
  • Yes, it wasn't about removal at all. Well, you are quite the ... sly one. i.imgur.com/xRXB8Yj.jpg - SeVlad

The files you mention, left over from the installation process, can be a potential backdoor.

The following files are recommended for deletion:

  • readme.html - this file allows anyone to determine which version of WordPress you are using. The less information attackers know about your site, the better. This applies to all readme* files, especially when your WordPress, including themes and plugins, is not updated regularly. The software version can be used to search for known vulnerabilities. The deletion of the readme* files must be repeated after each update of WordPress, plugins, themes, etc.
  • wp-admin/install.php - since the site is already installed, you no longer need this file. In general, wp-admin/install.php and wp-admin/install-helper.php do not pose security risks after the installation process has been completed, because wp-admin/install-helper.php returns a blank page, and wp-admin/install.php reports that the installation has already been completed and offers to log in.
  • /wp-admin/upgrade.php - theoretically could give someone the opportunity to update the site, or cause a "denial of service" via a direct request.
  • wp-config-sample.php - amazingly, many people leave this file filled with real data. It is also not needed after installation.
  • license.txt - this file does not, of course, state the exact version of WordPress, but it is not difficult to guess from the text that the blog is built on WordPress. Also a clue for a cracker, especially if there are no obvious signs on your blog that you used this engine.
  • xmlrpc.php - few people remember that the XML-RPC protocol, which is active by default, gives crackers an easy way to access a site using a brute force attack.

The basic principle: if a file is no longer REQUIRED, it MUST NOT be there.

Files that are recommended to be protected:

  • wp-config.php - the holy grail for hackers, it contains all the sensitive information about your WordPress site, including passwords and database details.
  • wp-login.php - another file that is prone to brute-force attack, so you should limit the number of login/password attempts, and if there is no user registration on your WordPress, you can restrict access to wp-login.php.

Here is a good blog for further research on this issue.

  • 3
    No, sir, you have written nonsense. Let's also delete robots.txt - the admin panel is listed there. Access from outside to the contents of .php files - wild. - Vyacheslav Potseluyko
  • @VyacheslavPotseluyko look at the CVE lists; in different years, for different versions of WordPress, you will find exploitation of vulnerabilities through the files described above. - Lex Hobbit
  • 2
    Let's go through your delirium in detail. readme.html - site version. That would hold me up, as a hacker, for five minutes. Have you heard anything about brute force? The next two - you write yourself that they are safe. upgrade.php - theoretically. Theoretically the Pentagon is already mine. The sample config file - so what? No, seriously, how do you get it? Its output is empty, and if the source leaks, its absence changes nothing. license.txt?? What's the point? Same as robots.txt, from which everything is clear anyway. xmlrpc - perhaps, that one is sensible. wp-config - again utter nonsense. Show at least one CVE for it. - Vyacheslav Potseluyko
  • @VyacheslavPotseluyko you take everything somewhat harshly; I am not saying these are obvious holes, or that if you don't delete these files you will be hacked. Whatever the defense, if they want to hack you, they will find ways to do it, it is just a matter of time and money. As for wp-config.php, here is an example: hackinsight.org/news,613.html. So I do not consider my answer nonsense, while you are foaming at the mouth trying to prove the opposite. - Lex Hobbit
  • @LexHobbit that is an example of the Revolution Slider vulnerability, not the WordPress core. The Panama Papers were breached through this slider: kagg.eu/mossack-fonseca-breach - KAGG Design
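Whether the files listed in the last answer should be deleted is exactly what the thread disputes; what a practitioner can do without taking sides is check, after each update, which of them are present and what they disclose. The following is an added example, not code from this page, from WordPress, or from any plugin: a Python audit that walks a WordPress document root for those files, reads the version string from readme.html, checks whether wp-config-sample.php still holds the stock placeholders, and checks whether wp-config.php is world-readable. The document root it inspects is constructed in a temporary directory (the file contents, version number and credentials in it are made up), so it runs offline; the placeholder values it compares against are the ones shipped in wp-config-sample.php.

```python
"""Added example: audit a WordPress document root for the files the answer
lists. The tree it inspects is constructed here so the script runs offline.
Every finding is informational: presence of a file is reported as a fact,
not as a vulnerability."""
import os
import re
import stat
import tempfile

# Files the answer says leak information or are not needed after install.
REMOVABLE = [
    "readme.html", "license.txt", "wp-config-sample.php",
    "wp-admin/install.php", "wp-admin/upgrade.php", "xmlrpc.php",
]

# readme.html carries the version in its <h1> block as "<br /> Version X.Y.Z".
VERSION_RE = re.compile(r"<br />\s*Version\s+(\d+(?:\.\d+)+)")

# Stock placeholders shipped in wp-config-sample.php; anything else is real data.
SAMPLE_PLACEHOLDERS = {
    "DB_NAME": "database_name_here",
    "DB_USER": "username_here",
    "DB_PASSWORD": "password_here",
}
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


def audit(docroot):
    """Return a list of (finding, detail) tuples for the given document root."""
    findings = []

    for rel in REMOVABLE:
        if os.path.exists(os.path.join(docroot, rel)):
            findings.append(("present", rel))

    readme = os.path.join(docroot, "readme.html")
    if os.path.isfile(readme):
        with open(readme, encoding="utf-8") as fh:
            m = VERSION_RE.search(fh.read())
        if m:
            findings.append(("version_disclosed", m.group(1)))

    sample = os.path.join(docroot, "wp-config-sample.php")
    if os.path.isfile(sample):
        with open(sample, encoding="utf-8") as fh:
            defs = dict(DEFINE_RE.findall(fh.read()))
        for key, placeholder in SAMPLE_PLACEHOLDERS.items():
            if key in defs and defs[key] != placeholder:
                findings.append(("sample_has_real_value", key))

    # Only the "other" bits are checked: the web server user usually needs
    # owner or group read access, so 0640 is normal and 0644 is the problem
    # on shared hosts where other local users can read the file.
    cfg = os.path.join(docroot, "wp-config.php")
    if os.path.isfile(cfg):
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode & 0o007:
            findings.append(("config_world_readable", oct(mode)))

    return findings


def build_sample_tree():
    """Construct a fake WordPress docroot in a temp dir (contents are made up)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-admin"))
    files = {
        "readme.html": '<h1 id="logo">\n\t<img alt="WordPress" />\n\t<br /> Version 4.9.4\n</h1>\n',
        "license.txt": "WordPress - Web publishing software\n",
        "wp-config-sample.php": (
            "<?php\n"
            "define( 'DB_NAME', 'shop' );\n"            # real value left in the sample
            "define( 'DB_USER', 'username_here' );\n"
            "define( 'DB_PASSWORD', 'password_here' );\n"
        ),
        "wp-config.php": "<?php\ndefine( 'DB_PASSWORD', 'hunter2' );\n",
        "wp-admin/install.php": "<?php\n",
        "xmlrpc.php": "<?php\n",
        # wp-admin/upgrade.php deliberately absent
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # deliberately world-readable
    return root


if __name__ == "__main__":
    for finding, detail in audit(build_sample_tree()):
        print(f"{finding:24} {detail}")
```

The script only reports; removing files is the step the answer's own text says must be redone after every core update, and the preceding answer argues against doing it at all, so the audit is useful either way as a record of what the install exposes.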