Harden WordPress: disable file editing, hide login URL, block xmlrpc.php, and install Wordfence.
WordPress Security Hardening
# wp-config.php
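define('DISALLOW_FILE_EDIT', true); # disable theme/plugin editor
define('DISALLOW_FILE_MODS', true); # disable installs and updates from admin
# With DISALLOW_FILE_MODS set to true, automatic background updates are off too; update via WP-CLI or your deployment process.
# If DISALLOW_FILE_MODS is not set: 'minor' updates minor versions only, true would also enable major versions.
define('WP_AUTO_UPDATE_CORE', 'minor'); # auto-update minor versions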
# .htaccess -- protect sensitive files
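# Apache 2.4 equivalent of "Deny from all" is "Require all denied"
<Files wp-config.php>
Deny from all
</Files>
<Files xmlrpc.php>
Deny from all
</Files>
# disable directory listing (Apache comments must be on their own line)
Options -Indexes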
# Recommended security steps
# 1. Change table prefix from wp_ to custom
# 2. Change login URL (/wp-login.php to something else)
# 3. Limit login attempts
# 4. Use strong passwords + 2FA for admins
# 5. Keep WP core, themes, plugins updated
# Plugins
# Wordfence -- WAF + malware scanner
# iThemes Security -- hardening + file change detection
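
A quick way to check a site against the settings above. This is an added example, not part of the original page: the function names, the gap messages, and the sample wp-config.php and .htaccess contents are constructed for illustration, and the comment handling is deliberately simplified.

```python
import re

# Constructed sample inputs (not taken from a real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DISALLOW_FILE_EDIT', true );
// define('DISALLOW_FILE_MODS', true);
define("WP_AUTO_UPDATE_CORE", 'minor');
$table_prefix = 'wp_';
"""
SAMPLE_HTACCESS = """<Files wp-config.php>
Deny from all
</Files>
Options -Indexes
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
FILES_RE = re.compile(r'<Files\s+"?([^\s">]+)"?\s*>(.*?)</Files>', re.S | re.I)
DENY_RE = re.compile(r"(?im)^\s*(deny from all|require all denied)\s*$")

def active_php(src):
    """Drop comments that start a line, so a commented-out define() does not count."""
    src = re.sub(r"(?ms)^[ \t]*/\*.*?\*/", "", src)
    return "\n".join(l for l in src.splitlines()
                     if not l.lstrip().startswith(("//", "#")))

def audit(wp_config, htaccess):
    """Return the hardening gaps, in the order the settings appear on this page."""
    code = active_php(wp_config)
    consts = {k: v.strip("'\"").lower() for k, v in DEFINE_RE.findall(code)}
    gaps = []
    for name in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        if consts.get(name) not in ("true", "1"):
            gaps.append(f"{name} is not true")
    if consts.get("WP_AUTO_UPDATE_CORE") not in ("true", "minor"):
        gaps.append("WP_AUTO_UPDATE_CORE is not enabled")
    prefix = PREFIX_RE.search(code)
    if prefix is None or prefix.group(1) == "wp_":
        gaps.append("table prefix is default wp_")
    denied = {n.lower() for n, body in FILES_RE.findall(htaccess) if DENY_RE.search(body)}
    for fname in ("wp-config.php", "xmlrpc.php"):
        if fname not in denied:
            gaps.append(f"{fname} is not denied in .htaccess")
    if not re.search(r"(?im)^\s*Options\b.*-Indexes\b", htaccess):
        gaps.append("directory listing is not disabled")
    return gaps

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WP_CONFIG, SAMPLE_HTACCESS)) or "no gaps found")
```
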