diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47396cb2..8d44190f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@
     * Allow to fallback to `docs:` instead of `readme:`
     * Backported finder/pages navigation from 1.10 (you will still need 1.10 for the fancy Parent Picker)
     * Forward a `sid` to GPM when downloading a premium package
+1. [](#bugfix)
+    * Fixed unused task RemoveMedia, it cannot be used directly anymore
+    * Tightened checks when removing a media file
+    * Removed unused parameter in file field
 
 # v1.9.17
 ## 10/07/2020
diff --git a/classes/adminbasecontroller.php b/classes/adminbasecontroller.php
index e3828a55..88ddd883 100644
--- a/classes/adminbasecontroller.php
+++ b/classes/adminbasecontroller.php
@@ -913,11 +913,11 @@ class AdminBaseController
         $uri = $this->grav['uri'];
         $blueprint = base64_decode($uri->param('blueprint'));
         $path = base64_decode($uri->param('path'));
-        $filename = basename($this->post['filename'] ?? '');
-        $proute = base64_decode($uri->param('proute'));
+        $route = base64_decode($uri->param('proute'));
         $type = $uri->param('type');
         $field = $uri->param('field');
 
+        $filename = basename($this->post['filename'] ?? '');
         if ($filename === '') {
             $this->admin->json_response = [
                 'status' => 'error',
@@ -929,7 +929,7 @@ class AdminBaseController
 
         // Get Blueprint
         if ($type === 'pages' || strpos($blueprint, 'pages/') === 0) {
-            $page = $this->admin->page(true, $proute);
+            $page = $this->admin->page(true, $route);
             if (!$page) {
                 $this->admin->json_response = [
                     'status' => 'error',
@@ -1039,10 +1039,7 @@ class AdminBaseController
         }
 
         if (null === $filename) {
-            $filename = base64_decode($this->grav['uri']->param('route'));
-            if (!$filename) {
-                $filename = base64_decode($this->route);
-            }
+            throw new \RuntimeException('Admin task RemoveMedia has been disabled.');
         }
 
         $file = File::instance($filename);
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 05b9bfc7..83287166 100644
--- a/classes/admincontroller.php
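Review bot: `basename()` on the posted filename blocks directory traversal but still passes `.` and `..`, and the only rejection in the new code is `$filename === ''`, while the parallel change in admincontroller.php pairs `basename()` with `Utils::checkFilename()`; the same guard belongs here, assuming `checkFilename()` does the name validation its name suggests: `if ($filename === '' || !Utils::checkFilename($filename)) {`. The three `base64_decode()` calls on `blueprint`, `path` and `proute` run without `strict: true`, so garbage in those URL parameters is silently mangled into some other string instead of being rejected with the same JSON error. How `$filename` is later joined to a media path is not visible in this hunk, and the enclosing method starts before it.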
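Review bot: The new `throw new \RuntimeException(...)` departs from the error convention visible in the same file, where failures are reported through `$this->admin->json_response = ['status' => 'error', ...]`, so an admin request that reaches this path gets an uncaught exception unless some caller catches it (not visible here). If `$filename === null` is now meant to be a programmer-error path rather than a user-reachable one, say so next to the throw, e.g. `// Callers must pass a resolved filename; the legacy RemoveMedia task that read it from the URL route was removed.` The method's signature and the origin of `$filename` are outside this hunk, so whether it has already been through `basename()`/`checkFilename()` before `File::instance($filename)` cannot be confirmed from here.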
+++ b/classes/admincontroller.php
@@ -1821,14 +1821,10 @@ class AdminController extends AdminBaseController
             return false;
         }
 
-        $filename = !empty($this->post['filename']) ? $this->post['filename'] : null;
+        $filename = !empty($this->post['filename']) ? basename($this->post['filename']) : null;
 
         // Handle bad filenames.
-        if (!Utils::checkFilename($filename)) {
-            $filename = null;
-        }
-
-        if (!$filename) {
+        if (!$filename || !Utils::checkFilename($filename)) {
             $this->admin->json_response = [
                 'status' => 'error',
                 'message' => $this->admin::translate('PLUGIN_ADMIN.NO_FILE_FOUND')
diff --git a/themes/grav/templates/forms/fields/file/file.html.twig b/themes/grav/templates/forms/fields/file/file.html.twig
index ccc3953c..d30c4e76 100644
--- a/themes/grav/templates/forms/fields/file/file.html.twig
+++ b/themes/grav/templates/forms/fields/file/file.html.twig
@@ -40,7 +40,6 @@
     {% set remove = global.file_task_remove ? global.file_url_remove : uri.addNonce(
         global.file_url_remove ~ '/media.json' ~
-        '/route' ~ config.system.param_sep ~ base64_encode(global.base_path ~ '/' ~ real_path) ~
         '/task' ~ config.system.param_sep ~ 'removeFileFromBlueprint' ~
         '/proute' ~ config.system.param_sep ~ base64_encode(route) ~
         '/blueprint' ~ config.system.param_sep ~ blueprint ~
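Review bot: The newly introduced `basename()` call is locale-aware in PHP, so under the default `C` locale a UTF-8 media name whose last path segment starts with multibyte characters can come back truncated, and that truncated name is what `Utils::checkFilename()` and the rest of the task then operate on; a locale-independent split on the directory separator, or a project helper with documented UTF-8 behaviour, avoids the surprise. The rewritten condition also keeps a truthiness test, `!$filename`, together with `!empty()` on the line above, so a file literally named `0` is reported as `NO_FILE_FOUND`; if that matters here, `isset($this->post['filename'])` plus `$filename === null || $filename === ''` keeps the check exact. The enclosing method starts before this hunk.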