Should any of these files be removed? Topic is solved

Discussion regarding Joomla! 4.x security issues.

Should any of these files be removed?

Post by pschmehl » Sat Aug 20, 2022 7:13 pm

All of these files are in the root directory of our Joomla installation. Can any of these files be removed without affecting the functionality of Joomla? I understand why .htaccess is there, but some of the others are worrisome. phpinfo.php, for example, will divulge a tremendous amount of useful information to a hacker. (I've changed its permissions to 000 as well as the phpunit.xml.dist, web.config.txt, and README.txt files.)

Are the two composer files being used? What about karma.conf.js?

I don't like the idea of exposing, unnecessarily, useful information for hackers.

.htaccess
appveyor-phpunit.xml
build.xml
composer.json
composer.lock
configuration.php
error_log
htaccess.txt
index.htm
index.html
index.php
karma.conf.js
LICENSE.txt
phpinfo.php
phpunit.xml.dist
README.txt
robots.txt
robots.txt.dist
web.config.txt
Technical contact for Vietnam Veterans for Factual History
Paul Schmehl [email protected]

Re: Should any of these files be removed?

Post by Per Yngve Berg » Sat Aug 20, 2022 8:21 pm

The files needed to run Joomla are: configuration.php, index.php, .htaccess and robots.txt.

Files such as phpinfo.php do not come from Joomla.

Re: Should any of these files be removed?

Post by sozzled » Sat Aug 20, 2022 9:24 pm

The following is a list of files created with a new installation of J!
  • configuration.php
  • htaccess.txt
  • index.php
  • LICENSE.txt
  • README.txt
  • robots.txt
  • robots.txt.dist
  • web.config.txt
With the exception of configuration.php and robots.txt in the above list, all these files are replaced (with new versions) when you update J!. The file error_log is created and updated whenever there is an error or warning condition. You can delete this file but if there's an error the file will be re-created.

As a minimum you need the two files configuration.php and index.php; a J! website cannot work without these. Depending on whether you use URL rewriting (with SEF URLs) or if you locate your J! website in a sub-folder of another J! website, you may also require the file .htaccess or web.config (depending on the server software you're using); see https://docs.joomla.org/Preconfigured_htaccess.

I would not think about deleting the files listed above. The other files mentioned in the opening post are unnecessary for J!.
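
A filesystem check built from the lists in the post above, as an added example that is not part of the original thread: it sorts the files at the top level of a webroot into the groups described there and lists the leftovers. The function names and category labels are assumptions made for this example, and the sample webroot is constructed from the file names in the opening post.

```shell
#!/bin/sh
# Added example: classify top-level files of a Joomla 4 webroot using the
# lists given in this thread. Function and category names are hypothetical.

classify_root_file() {
    case "$1" in
        configuration.php|index.php)
            echo required ;;        # the site cannot work without these
        .htaccess|web.config)
            echo server-config ;;   # may be needed for URL rewriting
        htaccess.txt|LICENSE.txt|README.txt|robots.txt|robots.txt.dist|web.config.txt)
            echo stock ;;           # created by a new installation
        error_log)
            echo runtime ;;         # re-created on the next error or warning
        *)
            echo extraneous ;;      # not needed by Joomla; review, then remove
    esac
}

audit_webroot() {
    # Print "<category><TAB><name>" for each regular file directly in $1.
    root=$1
    for p in "$root"/* "$root"/.[!.]*; do
        [ -f "$p" ] || continue     # skips directories and unmatched globs
        name=${p##*/}
        printf '%s\t%s\n' "$(classify_root_file "$name")" "$name"
    done | LC_ALL=C sort
}

list_extraneous() {
    audit_webroot "$1" | awk -F '\t' '$1 == "extraneous" { print $2 }'
}

demo_extraneous() {
    # Constructed webroot: empty files named as in the opening post.
    tmp=$(mktemp -d) || return 1
    for f in .htaccess appveyor-phpunit.xml build.xml composer.json \
             composer.lock configuration.php error_log htaccess.txt \
             index.htm index.html index.php karma.conf.js LICENSE.txt \
             phpinfo.php phpunit.xml.dist README.txt robots.txt \
             robots.txt.dist web.config.txt; do
        : > "$tmp/$f"
    done
    list_extraneous "$tmp"
    rm -rf "$tmp"
}

demo_extraneous
```

On a real site, call `audit_webroot /path/to/webroot` to see every category rather than only the leftovers.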

Re: Should any of these files be removed?

Post by pschmehl » Sat Aug 20, 2022 9:56 pm

Thank you.

Re: Should any of these files be removed?

Post by AMurray » Sat Aug 20, 2022 10:54 pm

I would suggest subscribing to mysites.guru. It has a function to identify those sorts of files as you ask about and a handy utility to remove them because, as mentioned, they will be replaced any time you update Joomla. (Just one of the many dozen useful features of mysites.guru, not counting its primary function of security auditing). Just mentioning this as a satisfied customer of this service, no affiliation.
Regards - A Murray
General Support Moderator

Re: Should any of these files be removed?

Post by pschmehl » Sun Aug 21, 2022 1:48 am

AMurray wrote:
Sat Aug 20, 2022 10:54 pm
I would suggest subscribing to mysites.guru. It has a function to identify those sorts of files as you ask about and a handy utility to remove them because, as mentioned, they will be replaced any time you update Joomla. (Just one of the many dozen useful features of mysites.guru, not counting its primary function of security auditing). Just mentioning this as a satisfied customer of this service, no affiliation.

I will check it out.

Re: Should any of these files be removed?

Post by Webdongle » Sun Aug 21, 2022 3:30 am

phpinfo.php definitely should NOT be in the root!!! Consider the possibility that you have been hacked.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Re: Should any of these files be removed?

Post by AMurray » Sun Aug 21, 2022 5:31 am

I should correct myself - and mention that the files you were asking about are 'flagged' as part of the full, or snapshot audit scan, it's not a separate utility.

Re: Should any of these files be removed?

Post by Per Yngve Berg » Sun Aug 21, 2022 8:41 am

phpinfo.php was probably left by the person who installed and forgot to remove it.

Re: Should any of these files be removed?

Post by leolam » Thu Aug 25, 2022 6:18 pm

Webdongle wrote:
Sun Aug 21, 2022 3:30 am
phpinfo.php definitely should NOT be in the root!!! Consider the possibility that you have been hacked.

This is very often installed by a hosting company to review the site's PHP-info which does not need to reflect the server PHP. It is not a direct threat but should be removed. We have never seen this in an actual hacked site.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Re: Should any of these files be removed?

Post by remi111 » Sat Jun 24, 2023 5:08 am

I have seen a hacker gain access through phpinfo.php. I've only seen it once, and I'm not sure if they had a backdoor into the web developer's company, but it definitely provided a backdoor to the hacker.

Re: Should any of these files be removed?

Post by Per Yngve Berg » Sat Jun 24, 2023 7:13 am

phpinfo itself does not give anyone access to the server, but it can give valuable info to the hacker on how to get access.