Wordpress Security Settings
=======================================================================================
1) .htaccess File
  Add code in .htaccess
   #Possible Username & Password Disclosure.
   # Denies direct HTTP access to dotfiles (`^\.` - .htaccess, .htpasswd, .env, ...) and to
   # wp-config.php / wp-config-sample.php, which carry the database credentials.
   # FilesMatch tests the file name only, not directory components: files inside a
   # dot-directory (e.g. a checked-in .git/) are NOT covered and need their own rule. The
   # regex is unanchored at the end, so backup copies such as wp-config.php.bak match too.
	<FilesMatch "(^\.|wp-config(-sample)*\.php)">
	# NOTE(review): Order/Deny is the Apache 2.2 access syntax; on 2.4 it only works while
	# mod_access_compat is loaded. The 2.4 equivalent is `Require all denied` -- confirm the
	# httpd version before relying on it (this applies to every Order/Deny block in this file).
	Order Deny,Allow
	Deny from all
	</FilesMatch>
	# Belt-and-braces for .ht* files; already covered by `^\.` above, harmless duplicate.
	<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
	</Files>

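   #Deny Access To Sensitive Files in WordPress.
	# Only switch directory indexes off. The original `Options All -Indexes` first enabled
	# every option (ExecCGI, Includes, FollowSymLinks, ...) before removing Indexes, which can
	# grant more than the server default allows -- and mixing an absolute option (`All`) with
	# a relative one (`-Indexes`) is rejected as a syntax error by current httpd releases.
	Options -Indexes
	# Protect some other files
	# Dots are escaped so `.` matches a literal dot (liesmich.html is the German-language readme).
	# `(.*)\.ttf` was dropped: font files are not sensitive, and denying them breaks theme fonts.
	<FilesMatch "(liesmich\.html|faq\.html|readme\.html|license\.txt|faq\.txt|credits\.html|(.*)\.bak)">
	# NOTE(review): Order/Deny is 2.2 syntax; on Apache 2.4 use `Require all denied` unless
	# mod_access_compat is loaded.
	Order Deny,Allow
	Deny from all
	</FilesMatch>

	# error_log, wp-config.php, php.ini and .ht* (.htaccess/.htpasswd). `\.[hH][tT]` now
	# requires a literal dot; the original `.[hH][tT]` let any character precede "ht".
	# robots.txt was removed from this list: it is meant to be public, and answering 403
	# makes crawlers behave as if no robots.txt existed, so nothing is protected by hiding it.
	<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
	Order deny,allow
	Deny from all
	</FilesMatch>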

	# .htaccess itself. Redundant with the `^\.` and `^\.ht` matches above, but harmless.
	# `<files NAME>` matches by file name in this directory and every directory below it.
	# Order/Deny is Apache 2.2 syntax (2.4: `Require all denied`, or load mod_access_compat).
	<files .htaccess>
	Order allow,deny
	Deny from all
	</files>

	# Post-install hardening: the installer (wp-admin/install.php in a stock install) is only
	# needed during setup.
	<files install.php>
	Order allow,deny
	Deny from all
	</files>

	# Leftovers of the Fantastico one-click installer; only relevant if the site was deployed
	# that way, harmless otherwise.
	<files fantastico_fileslist.txt>
	Order allow,deny
	Deny from all
	</files>

	<files fantversion.php>
	Order allow,deny
	Deny from all
	</files>

  #WordPress XML-RPC Authentication Bruteforce.
  # Refuses xmlrpc.php entirely: the XML-RPC endpoint accepts many login attempts per request,
  # which is what the brute-force finding is about.
  # NOTE(review): this also disables everything that depends on XML-RPC (Jetpack, the
  # WordPress mobile apps, pingbacks/trackbacks). If any of those are needed, allow the
  # required source addresses instead of denying the file outright.
  # `<Files>` matches by file name, so copies of xmlrpc.php in subdirectories are covered too.
  # Order/Deny is 2.2 syntax; on Apache 2.4 use `Require all denied` (or mod_access_compat).

	<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
	</Files>

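  #Directory Listing Enabled.
  # NOTE(review): nothing in this block affects directory listing; `Options -Indexes` in the
  # "Deny Access To Sensitive Files" block is that control. What is here is a mod_rewrite
  # self-test (the WriteCheckString marker is presumably looked for by a plugin -- keep it
  # verbatim) and the response-header hardening.
  # Restructured: the original nested the header directives in an empty `<FilesMatch "">`
  # (an empty regex matches every file, so the wrapper did nothing) inside the mod_rewrite
  # block, which silently dropped all security headers whenever mod_rewrite was absent.

	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	#WriteCheckString:1562058044_52870
	RewriteRule .* - [E=HTTP_MOD_REWRITE:On]
	</IfModule>

	<IfModule mod_headers.c>
	# NOTE(review): `Header set` replaces whatever PHP sent, including the no-cache headers
	# WordPress emits for wp-admin and logged-in responses, so a shared cache/CDN could store
	# personalised pages as "public". Scope this to static/anonymous responses or drop it.
	Header set Cache-Control "max-age=300, public"
	# `always set` rather than `add`: applies to error responses too and never emits the
	# header twice. max-age 31415926 is ~363 days; HSTS preload requires >= 31536000.
	Header always set Strict-Transport-Security "max-age=31415926;includeSubDomains;"
	# Legacy header that current browsers ignore; kept only because scanners still look for it.
	Header set X-XSS-Protection "1; mode=block"
	# `set` rather than `append`: the original appended DENY next to the SAMEORIGIN values set
	# elsewhere in this configuration, yielding "SAMEORIGIN, DENY", which browsers reject.
	# SAMEORIGIN agrees with `frame-ancestors 'self'` and keeps wp-admin's own iframes
	# (customizer, previews) working.
	Header always set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options nosniff
	# NOTE(review): mod_headers cannot strip the Server header (core adds it after these
	# directives run); `ServerTokens Prod` and `ServerSignature Off` in the server config are
	# the working fix. Left in place because it is harmless.
	Header unset Server
	Header set Connection keep-alive
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	Header unset X-Pingback
	</IfModule>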

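  #Banner Grabbing.
  # NOTE(review): these headers duplicate the set in the "Directory Listing" block above;
  # keep a single copy so the two cannot drift apart. Banner grabbing itself (Server /
  # X-Powered-By disclosure) is addressed by `ServerTokens Prod`, `ServerSignature Off` and
  # `expose_php = Off`; the headers below are general hardening.

	<IfModule mod_headers.c>
	# NOTE(review): `set` overrides the no-cache headers WordPress sends for wp-admin and
	# logged-in pages, marking them "public" for shared caches; scope or drop this line.
	Header set Cache-Control "max-age=300, public"
	# `always set`, not `add`: one header, also on error responses.
	Header always set Strict-Transport-Security "max-age=31415926;includeSubDomains;"
	# Legacy header ignored by current browsers; kept because scanners still look for it.
	Header set X-XSS-Protection "1; mode=block"
	# `set`, not `append`: avoids the invalid multi-valued "SAMEORIGIN, DENY" produced when
	# combined with the SAMEORIGIN values set elsewhere; SAMEORIGIN matches frame-ancestors 'self'.
	Header always set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options nosniff
	</IfModule>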

  #Error Logs Disclosing.
  # A PHP error log written into the web root would expose paths, queries and stack traces,
  # so it must not be downloadable. The regex is unanchored: any file name containing
  # "error_log" is refused. Overlaps with the wp-config/php.ini rule earlier in this file.
  # Order/Deny is 2.2 syntax; on Apache 2.4 use `Require all denied` (or mod_access_compat).

	<FilesMatch error_log>
	Order Allow,Deny
	Deny from all
	</FilesMatch>
	
 #Missing Anti-clickjacking Header
 # CSP frame-ancestors is the current clickjacking control; browsers that support it prefer
 # it over X-Frame-Options when both are present. 'self' corresponds to X-Frame-Options
 # SAMEORIGIN, so any X-Frame-Options value sent elsewhere in this configuration should be
 # SAMEORIGIN rather than DENY, or the two contradict each other.
 # `always` applies the header to error responses (403/404/500) as well.
<IfModule mod_headers.c>
	Header always set Content-Security-Policy "frame-ancestors 'self';"
</IfModule>

#Absence of Anti-CSRF Tokens
# NOTE(review): response headers cannot add CSRF tokens. In WordPress the token mechanism is
# nonces -- wp_nonce_field()/wp_create_nonce() when rendering a form, check_admin_referer()/
# wp_verify_nonce() when handling it -- and that is where an "absence of tokens" finding is
# fixed. The headers below are still worthwhile hardening in their own right:
#   X-Content-Type-Options  - no MIME sniffing (same value as set earlier in this file)
#   X-Frame-Options         - SAMEORIGIN, consistent with `frame-ancestors 'self'`
#   Referrer-Policy         - full URLs (including query strings) are not sent cross-origin
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

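#Server Side Template Injection - Remove Direct Language Translate
# NOTE(review): `wp_lang` is a core parameter -- wp-login.php uses it for the login-screen
# language switcher -- so this rule disables that feature; confirm the scanner finding is
# not a false positive before keeping it.
# The condition is anchored to the parameter name: the original bare `wp_lang=` also matched
# e.g. `xwp_lang=`.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)wp_lang= [NC]
# [F] answers 403 directly and is the form the other rules in this file use; the original
# `/ [R=403,L]` only worked because the substitution is ignored for non-3xx status codes.
RewriteRule ^ - [F,L]
</IfModule>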

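#Block SQL Injection
# Coarse request blocklist, not a fix: SQL injection is prevented in the code that builds
# the query ($wpdb->prepare()); treat this as a speed bump only.
# NOTE(review): mod_rewrite tests the raw, undecoded query string, so percent-encoded
# forms of these keywords are not matched.
<IfModule mod_rewrite.c>
RewriteEngine On
# [OR]: the request is refused when EITHER condition matches.
RewriteCond %{QUERY_STRING} (\%27)|(\')|(\-\-)|(%23)|(#) [NC,OR]
# \b word boundaries added: the original bare `set` also matched `?offset=`, `?reset=` and
# wp-login.php?action=resetpass, `update` matched `action=update`, and so on, returning 403
# on legitimate requests.
RewriteCond %{QUERY_STRING} (\*|\b(union|select|insert|cast|set|declare|drop|update)\b) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>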



#Server Side Template Injection
# NOTE(review): exact duplicate of the "Remove Direct Language Translate" rule earlier in this
# file; keep one copy. Same caveats: `wp_lang` is a core parameter (the wp-login.php language
# switcher uses it), so confirm the finding is not a false positive, and `RewriteRule ^ - [F,L]`
# is the cleaner way to answer 403 (the `/ [R=403,L]` form only works because the substitution
# is ignored for non-3xx status codes).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} wp_lang= [NC]
RewriteRule ^(.*)$ / [R=403,L]
</IfModule>

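#SQL Injection
# NOTE(review): the original refused every request carrying `p=`, which breaks plain
# permalinks (?p=123) and preview/shortlink URLs. Core already casts `p` to an integer, and
# the functions.php hook at the end of this document rejects non-numeric values; this rule
# now refuses only a non-numeric (or empty) `p`, so the two agree.

<IfModule mod_rewrite.c>
RewriteEngine On
# Capture the value of p as %2 ...
RewriteCond %{QUERY_STRING} (^|&)p=([^&]*) [NC]
# ... and refuse unless it is one or more digits.
RewriteCond %2 !^[0-9]+$
RewriteRule ^(.*)$ - [F,L]
</IfModule>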

#CSP: Wildcard Directive
# Scoped to sitemap.xml only (`<Files>` matches by file name, in any directory), which is
# presumably where the scanner reported the policy. NOTE(review): do not lift this policy to
# the whole site as-is -- WordPress emits inline scripts and styles that `script-src 'self'`
# / `style-src 'self'` would block; a site-wide CSP needs nonces or hashes and testing.
<Files "sitemap.xml">
    <IfModule mod_headers.c>
        Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';"
    </IfModule>
</Files>
--------------------------------------------------------------	
2) wp-config file
	Add code in wp-config file
	
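	// Strip PHP's version banner and pin framing to same-origin. wp-config.php runs before any
	// output, so header() is safe here; the X-Frame-Options value must match what the web
	// server config sends (a mix of SAMEORIGIN and DENY is rejected by browsers).
	header_remove("X-Powered-By");
	header('X-Frame-Options: SAMEORIGIN');
	
	// NOTE(review): WordPress core does not read COOKIE_SECURE / COOKIE_SAMESITE as far as I
	// can see; they only take effect if a plugin or mu-plugin passes them to setcookie() --
	// confirm. Secure requires the site to be served over HTTPS (which the HSTS header above
	// already assumes); without it the auth cookie would never be sent.
	// SameSite changed from 'None' to 'Lax': 'None' opts the cookie out of cross-site request
	// restrictions entirely, which weakens CSRF protection, and nothing here needs cross-site
	// cookies (framing is already limited to same-origin). Revisit only if a cross-site POST
	// flow such as an external SSO callback turns out to require it.
	define('COOKIE_SECURE', true);
	define('COOKIE_SAMESITE', 'Lax');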
=====================================================================================
3) Add code to the theme's functions.php file.
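add_action('init', function () {
    // Reject a non-numeric `p` (post ID) query parameter early with a 400.
    // Core already casts `p` to an integer, so this is defence in depth against probing
    // requests rather than a fix for anything in core. It runs on every request, front-end
    // and admin; a plugin that repurposes `p` for something non-numeric would be affected --
    // check before deploying.
    if (!isset($_GET['p'])) {
        return;
    }
    $p = $_GET['p'];
    // is_string() first: `?p[]=1` arrives as an array, and ctype_digit() on a non-string is
    // deprecated since PHP 8.1 (and returns false anyway). An empty `?p=` is rejected as before.
    if (!is_string($p) || !ctype_digit($p)) {
        // 400 rather than wp_die()'s default 500: the request, not the server, is at fault.
        wp_die('Invalid parameter', 'Bad Request', array('response' => 400));
    }
});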
