The most important things you can do to keep WordPress secure are:
- Keep WordPress itself up to date
- Keep WordPress themes up to date
- Keep WordPress plugins up to date
- Ensure the plugins being installed are legitimate and recently updated
Beyond these, there are a few additional steps you can take to secure WordPress even further:
Disable directory listing
Edit the .htaccess file in the main WordPress directory and insert the following at the top:
Options -Indexes
Block PHP execution and unlisted file types in the wp-content/uploads directory
Create a .htaccess file in wp-content/uploads and insert the following:
# Disallow PHP execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
Deny from all
</Files>
# Completely disable access to all files
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
# Add the file extensions you want to allow access to
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Disable access to all file types under wp-content except those specified
Create a .htaccess file in the wp-content and insert the following:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>
Disable access to the wp-includes folder
Create a .htaccess file in the wp-includes folder and insert the following:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Disable access to the wp-config.php file
Create a .htaccess file in the main WordPress directory and insert the following:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
Protect all .htaccess files
Add the following to each of the .htaccess files mentioned above:
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy All
</Files>
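Once the .htaccess files above are in place, a quick audit script helps confirm that none of them were lost to a plugin update or a deployment. The script below is an added example, not part of the original page: it walks a WordPress tree, greps each expected .htaccess for a key directive from the snippets above, and reports what is missing. The function names and the sample tree built by make_sample_site are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a WordPress tree for the
# .htaccess hardening entries described above. The tree built by
# make_sample_site is constructed sample data, not a real site.

# has_directive DIR NEEDLE: succeeds if DIR/.htaccess exists and contains NEEDLE
# as a fixed string, case-insensitively (Apache directives are case-insensitive).
has_directive() {
    [ -f "$1/.htaccess" ] && grep -qiF -- "$2" "$1/.htaccess"
}

# audit_wordpress ROOT: prints one line per check and returns the number of
# checks that failed (0 means every expected entry was found).
audit_wordpress() {
    root="$1"; failed=0
    while IFS=';' read -r sub needle what; do
        if has_directive "$root/$sub" "$needle"; then
            printf 'ok       %-24s %s\n' "$sub/.htaccess" "$what"
        else
            printf 'MISSING  %-24s %s\n' "$sub/.htaccess" "$what"
            failed=$((failed + 1))
        fi
    done <<'EOF'
.;Options -Indexes;directory listing disabled
.;wp-config.php;wp-config.php blocked
wp-content;Deny from all;wp-content default deny
wp-content/uploads;.ph(?:p[345]?|t|tml)$;PHP execution blocked in uploads
wp-includes;RewriteEngine On;wp-includes rewrite rules present
EOF
    return "$failed"
}

# make_sample_site: constructed tree where the root and uploads directories are
# hardened but wp-content and wp-includes are not, so the audit should report
# exactly 2 missing entries.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
    printf 'Options -Indexes\n<Files wp-config.php>\nOrder Allow,Deny\nDeny from all\n</Files>\n' \
        > "$site/.htaccess"
    printf '<Files ~ "\\.ph(?:p[345]?|t|tml)$">\nDeny from all\n</Files>\n' \
        > "$site/wp-content/uploads/.htaccess"
    printf '%s\n' "$site"
}

site=$(make_sample_site)
audit_wordpress "$site" || echo "$? hardening entries missing"
rm -rf "$site"
```

Point audit_wordpress at a real WordPress root to check a live install; a non-zero exit status is the number of missing entries, which makes it easy to wire into a cron job or deployment check.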