WordPress Hardening Tips

This is a work in progress. We use this page to collect the tips we currently recommend for hardening WordPress installations.

Disable xmlrpc.php access

Outside access to xmlrpc.php should be disabled unless you have a very good reason to allow it. If you do, allow it only from a minimal set of IP addresses if possible.

Edit your main WordPress .htaccess file and add the following snippet:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
 
Important! Change xxx.xxx.xxx.xxx to the IP address you wish to allow to access xmlrpc.php, or remove this line completely to block access from everywhere.
 

Disable file editing in the WordPress Dashboard

File editing should rarely, if ever, be allowed in the WordPress dashboard. It can be disabled by appending the following line to the wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );
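
To confirm that both file-based settings above are actually in effect, the following offline check reads an .htaccess file and a wp-config.php file and reports their state. It is an added example, not part of the original article: the function names and sample files are constructed, and it assumes the .htaccess may use either the snippet above or the Apache 2.4 "Require" form.

```shell
#!/bin/sh
# Added example: offline audit of the xmlrpc.php block and DISALLOW_FILE_EDIT.
# Function names and sample files are constructed for illustration.

# Succeeds only when wp-config.php holds an uncommented
# define( 'DISALLOW_FILE_EDIT', true );
file_edit_disabled() {
    grep -Ev '^[[:space:]]*(//|#|/?\*)' "$1" |
        grep -Eiq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Prints open, placeholder, blocked or restricted:<n> for the
# <Files xmlrpc.php> block of an .htaccess file (<n> = allowed addresses).
xmlrpc_status() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        { line = tolower($0) }
        line ~ /<files[ \t]+"?xmlrpc\.php"?[ \t]*>/ { inblock = 1; next }
        line ~ /<\/files>/ { inblock = 0; next }
        !inblock { next }
        line ~ /xxx\.xxx\.xxx\.xxx/ { placeholder = 1 }   # template left unedited
        line ~ /deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied/ { deny = 1 }
        line ~ /(allow[ \t]+from|require)[ \t]+all([ \t]+granted)?[ \t]*$/ { allowall = 1 }
        line ~ /^[ \t]*(allow[ \t]+from|require[ \t]+ip)[ \t]/ { n += NF - 2 }
        END {
            if (!deny || allowall) print "open"
            else if (placeholder) print "placeholder"
            else if (n == 0) print "blocked"
            else print "restricted:" n
        }
    ' "$1"
}

# Constructed sample files: the snippet pasted without editing the IP line,
# and a wp-config.php where the define is commented out.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '<Files xmlrpc.php>' 'order deny,allow' 'deny from all' \
    'allow from xxx.xxx.xxx.xxx' '</Files>' > "$demo/htaccess"
printf '%s\n' "<?php" "// define( 'DISALLOW_FILE_EDIT', true );" > "$demo/wp-config.php"
echo "xmlrpc.php: $(xmlrpc_status "$demo/htaccess")"
file_edit_disabled "$demo/wp-config.php" && echo "file editing: disabled" || echo "file editing: ENABLED"
```

A result of "placeholder" means the xxx.xxx.xxx.xxx line was pasted without being changed or removed; "open" means no deny rule was found for xmlrpc.php.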


Use WordFence

Use a good WordPress security scanner.  We recommend WordFence.


 

If you have any trouble with any of these recommendations or have questions, please open a ticket and ask.
