WordPress Security Checklist

.htaccess

<IfModule mod_headers.c>
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always edit Set-Cookie (.*) "$1; HTTPOnly"
  Header always edit Set-Cookie (.*) "$1; Secure"
</IfModule>

checklist.md

Core

• Update WordPress to the latest version

Themes

• Remove all unused themes
• Update themes to the latest version available
• Check for mixing content

Plugins

• Delete all deactivated plugins
• Deactivate all unused or unecessary plugins
• Install Limit Login Attempts plugin (https://wordpress.org/plugins/login-lockdown/)

Users

• Update password of all users
• Delete users that are not being used

URLs

• run wp search-replace "stage-url.rockstage.io" "domain.com" to update all urls
• run wp search-replace "http://stage-url.rockstage.io" "https://domain.com" to force all urls to use HTTPS
• Always use SSL (HTTPS)

Code

• Add mod_headers extra security code to .htaccess (file attached)
• Disable file edit in wp-config define('DISALLOW_FILE_EDIT', TRUE);
• Disable XML-RPC (See https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/)