wordpress · Check
WordPress installer accessible — locking down /wp-admin/install.php
GET `/wp-admin/install.php` returned 200 with WordPress installer content. On a finished site this endpoint should redirect or 404. If it serves the installer, anyone on the public Internet can attempt to complete the install and seize the admin account.
Why it matters
An accessible installer is one of the most direct paths to full site takeover: an attacker finishes the install with their own credentials and immediately owns every post, plugin, and database connection string in `wp-config.php`.
Real-world risk
An exposed installer is one of the cleanest paths to full WordPress site takeover: an attacker can finish the install with their own credentials and seize every post, plugin, and the database connection string in wp-config.php.
Fix steps (in order)
- Block /wp-admin/install.php at your webserver or CDN (return 404 or 403) once installation is complete.
- Delete or rename /wp-admin/install.php on disk; WordPress does not need it after setup.
- If you saw this on a real site, treat it as a possible compromise: rotate database credentials, audit admin users, and review wp-config.php for unexpected changes.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (wp_install_accessible) clears once the externally-observable signal is in place.