What files and directories do you remove in production?

[kiatng]

My list:

/app/etc/local.xml.additional
/app/etc/local.xml.template
/app/design/install
/skin/install/
/.all-contributorsrc
/.htaccess.sample
/CODE_OF_CONDUCT.md
/composer.json
/index.php.sample
/install.php
/LICENSE_AFL.txt
/LICENSE.html
/LICENSE.txt
/php.ini.sample
/README.md
/RELEASE_NOTES.txt
/SECURITY.md

[ADDISON74]

If you are using Apache webserver you can use RedirectMatch directive in .htaccess file located in OM root directory. You are able to block accessing these files you want to delete also Magento routes. Bots are still looking for downloader, mage, RELEASE_NOTES.txt, install.php. Here is an example:

## Close security breaches for RSS
RedirectMatch /rss/catalog/notifystock https://www.mydomain.tld/404.php
RedirectMatch /rss/catalog/review https://www.mydomain.tld/404.php
RedirectMatch /rss/order/new https://www.mydomain.tld/404.php
RedirectMatch /index.phprss/catalog/notifystock/ https://www.mydomain.tld/404.php

## Disable Popular Terms and Advanced Search
RedirectMatch /catalogsearch/term/popular https://www.mydomain.tld/404.php
RedirectMatch /catalogsearch/advanced https://www.mydomain.tld/404.php

## Disable sitemap sections for Products and Categories
RedirectMatch /catalog/seo_sitemap/product https://www.mydomain.tld/404.php
RedirectMatch /catalog/seo_sitemap/category https://www.mydomain.tld/404.php

## Disable loop access to Products and Categories based on URL's
RedirectMatch /catalog/category/view/id https://www.mydomain.tld/404.php
RedirectMatch /catalog/product/view/id https://www.mydomain.tld/404.php

## Disable Directories and Files access
RedirectMatch /downloader https://www.mydomain.tld/404.php

RedirectMatch /shell/abstract.php https://www.mydomain.tld/404.php
RedirectMatch /shell/compiler.php https://www.mydomain.tld/404.php
RedirectMatch /shell/delete_sessions.sh https://www.mydomain.tld/404.php
RedirectMatch /shell/indexer.php https://www.mydomain.tld/404.php
RedirectMatch /shell/log.php https://www.mydomain.tld/404.php

RedirectMatch /.all-contributorsrc https://www.mydomain.tld/404.php
RedirectMatch /.gitignore https://www.mydomain.tld/404.php
RedirectMatch /.htaccess.sample https://www.mydomain.tld/404.php
RedirectMatch /composer.json https://www.mydomain.tld/404.php
RedirectMatch /index.php.sample https://www.mydomain.tld/404.php
RedirectMatch /install.php https://www.mydomain.tld/404.php
RedirectMatch /LICENSE.html https://www.mydomain.tld/404.php
RedirectMatch /LICENSE.txt https://www.mydomain.tld/404.php
RedirectMatch /LICENSE_AFL.txt https://www.mydomain.tld/404.php
RedirectMatch /mage https://www.mydomain.tld/404.php
RedirectMatch /php.ini.sample https://www.mydomain.tld/404.php
RedirectMatch /README.md https://www.mydomain.tld/404.php
RedirectMatch /RELEASE_NOTES.txt  https://www.mydomain.tld/404.php
RedirectMatch /SECURITY.md  https://www.mydomain.tld/404.php

A 404 error tells a bot there is a broken or dead link and it is one of the most recognizable errors encountered on Internet. A 403 error tells a bot the resource is there but it cannot be accessed an invitation for new attempts.

Deleting directories/files is a secured way to protect your installation.