Check whether wp-admin/install.php is publicly reachable on the live site.
WordPress installer accessible
This check verifies whether the WordPress installer endpoint, typically wp-admin/install.php, is still publicly accessible after the site has already been installed. In a finished WordPress setup, that installer path should not normally remain exposed as a meaningful public endpoint.
This page explains what installer exposure means, why it matters, and how PreFlight evaluates the result before launch.
Why it matters
The WordPress installer belongs to the setup phase, not to the normal public life of the website. If wp-admin/install.php is still accessible after launch, it can indicate an incomplete hardening step, a strange environment state, or an avoidable exposure of an installation-related endpoint.
This matters because launch-ready WordPress sites should not leave unnecessary setup paths exposed without a reason. Even when accessibility to that file does not automatically mean compromise, it is still a technical signal worth reviewing before delivery.
What to review
Before marking this check as correct, review the following points:
Confirm that WordPress is already installed and working normally.
Review whether access to the installer path is blocked, restricted, or still exposed unnecessarily.
Make sure the site is not showing installation-related behavior on a production URL.
Confirm that the public environment does not expose setup endpoints that are no longer needed.
How PreFlight checks this check
PreFlight requests the installer-related endpoint and verifies whether it is publicly accessible from the outside. The goal is to detect whether an installation path remains exposed as part of the live WordPress setup.
This check does not replace a full hardening audit, but it helps flag a technical condition that often deserves review before launch or handoff.
PASS / WARN / FAIL
The installer path is not publicly exposed in a way that suggests the live site still leaves installation access available.
The endpoint is reachable or behaves unusually, and the setup should be reviewed to confirm that the installer path is not exposed without a valid reason.
The live site leaves the installer endpoint publicly accessible in a way that suggests unfinished setup, unnecessary exposure, or an unsafe production state.
Common mistakes
Leaving wp-admin/install.php accessible after the site is already installed.
Assuming installation endpoints do not matter once the site appears to work.
Confusing a working homepage with a fully hardened WordPress setup.
Ignoring setup-related files and paths during final launch review.
Treating old installation behavior as harmless just because no obvious error appears.
FAQ
Is it normal for wp-admin/install.php to exist in WordPress?
Yes, as part of the installation system. The question is not whether the file exists in WordPress core, but whether it remains meaningfully accessible on a live site that is already installed.
Does accessible install.php always mean the site is vulnerable?
Not automatically, but it is still a signal that the setup should be reviewed. A production site should not leave installation-related access exposed without a clear reason.
Why is this part of a pre-launch technical checklist?
Because it helps catch unfinished setup states and unnecessary public exposure before the site is considered ready for delivery. That is why it belongs in a pre-launch technical checklist.
Check your WordPress site before delivery
Reduce rework, catch last-minute issues and review critical points before launch.
Run analysis