
Tips to Install a Secure WordPress

WordPress is the most common CMS and one of the easiest to set up. Below are some tips for installing a secure WordPress.

  1. Install the WordPress CMS platform.
  2. Install a CAPTCHA plugin for the login, registration and comment forms to slow down automated attacks, for example: https://wordpress.org/plugins/advanced-nocaptcha-recaptcha

Important tips:

  1. The readme.html file should be removed from the site root directory (it states the installed WordPress version).
  2. The administrator username should not stay as "admin".
  3. PHP error reporting should be disabled: keep WP_DEBUG and WP_DEBUG_DISPLAY off in wp-config.php and display_errors off at the PHP level, so notices and warnings (which reveal file paths) are never rendered to visitors.
  4. Database error reporting should be disabled: WordPress prints $wpdb query errors only when WP_DEBUG and WP_DEBUG_DISPLAY are both on, so the previous item covers this as long as nothing re-enables it with $wpdb->show_errors().
  5. The WordPress version should be hidden.
  6. An index.php should be placed in these directories to prevent directory listing (an empty file is enough; the example below also returns 403 rather than a blank 200 page):
    1. /wp-content/
    2. /wp-content/plugins/
    3. /wp-content/themes/
    4. /wp-content/uploads/
    5. Example index.php content:
<?php
header( $_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden' );
die( '403 Forbidden' );
  7. The RSD link tag (<link rel="EditURI">) should be removed from the head section of the site. Add this to functions.php in your theme (or, better, to a must-use plugin in wp-content/mu-plugins/, which survives a theme change and cannot be deactivated from the dashboard):
remove_action( 'wp_head', 'rsd_link' );
    Removing the tag only stops advertising the XML-RPC endpoint; xmlrpc.php itself keeps answering unless it is blocked separately.
  8. The WLW (Windows Live Writer) manifest link tag should be removed from the head section of the site. Add this to functions.php in your theme:
remove_action( 'wp_head', 'wlwmanifest_link' );
    WordPress 6.3 removed this tag from core, so the line is only needed on older versions.


Now the next step is to make the website as secure as possible.

Some important tips

Hide WordPress version

By default WordPress uses the generator meta tag in the website's HTML <head> section to disclose the version number, as in this example:

<meta name="generator" content="WordPress 4.5.0" />

The same string appears in the RSS and Atom feeds. Add this code (to functions.php or a must-use plugin) to remove the version from the page head and from the feeds. Hiding the version is defense in depth only: the real protection is keeping core, themes and plugins updated, and the version also leaks through readme.html and the ?ver= query string on assets, both covered elsewhere on this page.

remove_action( 'wp_head', 'wp_generator' );

// the_generator is also what the RSS and Atom feed templates print
function remove_wp_version_rss() {
    return '';
}

add_filter( 'the_generator', 'remove_wp_version_rss' );

 

Hide all meta generators

Plugins such as WooCommerce add their own generator tags (with their version numbers). The snippet below buffers the page output between get_header and wp_footer and strips every generator meta tag before it is sent; themes that do not call get_header() and wp_footer() are not filtered.

// Remove all meta generator tags from the buffered page output
function remove_meta_generators( $html ) {
    // Match one complete <meta name="generator" ...> tag; [^>]* keeps the
    // match inside a single tag even when several tags share one line.
    $pattern = '/<meta\s+name\s*=\s*["\']generator["\'][^>]*>\s*/i';
    return preg_replace( $pattern, '', $html );
}
function clean_meta_generators() {
    ob_start( 'remove_meta_generators' );
}
add_action( 'get_header', 'clean_meta_generators', 100 );
add_action( 'wp_footer', function () { ob_end_flush(); }, 100 );

 

 

Disallow file editing

A user with administrator access to the WordPress dashboard can edit the PHP files of every installed plugin and theme through the built-in code editor, which turns a stolen admin session into remote code execution.

DISALLOW_FILE_EDIT removes that editor. It does not stop an administrator from uploading a new plugin or theme (a ZIP with arbitrary PHP inside); DISALLOW_FILE_MODS set to true blocks that as well, but it also blocks plugin, theme and core updates from the dashboard and the automatic background updates, so only enable it when updates are applied another way (for example from a deployment pipeline). false is the default, so the second line below changes nothing; it is shown to make the distinction visible.

Add the following to wp-config.php, above the "That's all, stop editing!" comment (that is, before wp-settings.php is loaded):

define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', false);

 

Disable directory listing with .htaccess

If you create a new directory as part of your website and do not put an index file in it, you may be surprised to find that visitors can get a full directory listing of everything in that directory.

For example, if you create a directory called "data", anyone can see everything in it simply by opening http://www.example.com/data/ in a browser. No password or anything else is needed.

You can prevent this on Apache by adding the following line to your .htaccess file (the server must permit AllowOverride Options for it to take effect; otherwise set it in the virtual host configuration):

Options -Indexes

The commonly copied form Options All -Indexes also switches on every other option (Includes, ExecCGI, FollowSymLinks, ...), which is more than you want; only Indexes needs to be turned off.

 

How to disable WP-Cron

WP-Cron is WordPress's pseudo-cron: on every page load it checks whether a scheduled task is due and, if so, spawns a request to wp-cron.php, which adds a request per visitor under load and can also be requested directly by anyone. To disable it, add the following to your wp-config.php file, just before the line that says "That's all, stop editing! Happy blogging." Note: this only stops WordPress from triggering wp-cron.php on page load; the file still runs when it is requested directly, and scheduled tasks (scheduled posts, automatic updates, plugin housekeeping) will no longer run at all unless a real system cron job calls wp-cron.php on a schedule.

define('DISABLE_WP_CRON', true);
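Pulled together, as an added example (not code from the original page), here are the production values for the wp-config.php settings this page discusses: the PHP and database error reporting items from the tips list, the file-editing constants from the previous section, and DISABLE_WP_CRON. The log path in the comment is an assumption for illustration.

```php
<?php
// Added example (not from the original page): production values for the
// wp-config.php settings this page discusses. Put these lines ABOVE the
// "That's all, stop editing! Happy blogging." comment, i.e. before
// wp-settings.php is required. The log path below is an assumption.

// --- Error reporting (tips 3 and 4 in the list above) ---
// Weak setting: WP_DEBUG = true together with WP_DEBUG_DISPLAY = true renders
// PHP notices (with file paths) and $wpdb query errors (with table names and
// the failing SQL) into the page for anonymous visitors.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );   // only consulted while WP_DEBUG is true, so ...
@ini_set( 'display_errors', '0' );     // ... also switch display off at the PHP level;
                                       // otherwise php.ini display_errors=On still prints
                                       // warnings on ordinary pages with WP_DEBUG off.
// If a log is needed while chasing a production issue, point it outside the
// web root (assumed path) instead of the default wp-content/debug.log, which
// is web-readable. WP_DEBUG_LOG is likewise only honoured while WP_DEBUG is true.
// define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );

// --- Dashboard file changes ---
define( 'DISALLOW_FILE_EDIT', true );  // removes the theme/plugin code editor
// define( 'DISALLOW_FILE_MODS', true ); // additionally blocks installs, updates and
                                         // automatic background updates; enable only if
                                         // updates are applied by other means.

// --- WP-Cron ---
define( 'DISABLE_WP_CRON', true );     // stop spawning wp-cron.php on page loads;
                                       // a system cron must call it instead.
```

Because DISABLE_WP_CRON removes the built-in trigger, pair it with a real scheduler. For example, a crontab entry running every five minutes with WP-CLI (assumed installed, assumed site path): */5 * * * * cd /var/www/html && wp cron event run --due-now --quiet. Without WP-CLI, request the file on the same schedule instead: */5 * * * * curl -fsS https://example.com/wp-cron.php?doing_wp_cron >/dev/null.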

 

 

Hide author pages

WordPress maps ?author=N (and the pretty /author/<slug>/ URL) to an author archive, so requesting ?author=1, ?author=2, ... and following the redirect reveals each account's user slug (normally the login name), which is then used for password guessing. The filter below sends every author request back to the home page. Add it to functions.php or a must-use plugin:

function redirect_to_home_if_author_parameter() {
	// get_query_var( 'author' ) is populated both for ?author=N and for
	// pretty author URLs by the time template_redirect fires.
	$is_author_set = get_query_var( 'author', '' );
	if ( $is_author_set != '' && ! is_admin() ) {
		wp_redirect( home_url(), 301 );
		exit;
	}
}
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter' );

Using .htaccess (Apache), which stops the request before PHP runs:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

The .htaccess rule only covers the ?author=N form; the PHP filter also catches the pretty permalink. Neither covers the other places user names leak: the REST API users route (/wp-json/wp/v2/users), the oEmbed endpoint (author_name in its response) and the users sitemap (dealt with in a later section of this page).
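Two further places user names leak, which the author redirect does not touch, are the REST API users route (/wp-json/wp/v2/users, also reachable as ?rest_route=/wp/v2/users) and the oEmbed endpoint, whose JSON carries author_name and author_url for every public post. Here is an added example (not code from the original page) that closes both, written as a must-use plugin. The file name and the choice to keep the routes available to logged-in users are assumptions; rest_endpoints and oembed_response_data are WordPress core filters.

```php
<?php
/**
 * Plugin Name: Block anonymous user enumeration (added example)
 * Drop this file in wp-content/mu-plugins/ (the file name is an assumption).
 * Must-use plugins load on every request and cannot be disabled from the dashboard.
 */

// 1. REST API: hide the users routes from anonymous requests.
//    The block editor's author dropdown needs them, so logged-in users keep them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] ); // unset() on a missing key is a no-op
    }
    // An anonymous GET /wp-json/wp/v2/users now gets a rest_no_route error (404)
    // instead of the user list.
    return $endpoints;
} );

// 2. oEmbed: /wp-json/oembed/1.0/embed?url=<post url> returns author_name and
//    author_url for every public post; strip both from the response.
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );
```

To check it, request /wp-json/wp/v2/users anonymously: the response should be a JSON error with code rest_no_route, while the same request sent with a logged-in cookie still lists users.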

 

To remove the version number from scripts and styles:

WordPress appends ?ver=<core version> to the URLs of the core scripts and stylesheets it enqueues, so the version is visible in the page source even with the generator tag removed. This filter strips that parameter when it matches the core version. Two caveats: ?ver= is what busts browser caches after an update, so stale assets may be served for a while after upgrading, and assets whose ver is a plugin or theme version are left alone and still reveal that plugin's version.

function remove_version_from_style_js( $src ) {
	// strpos() returns 0 for a match at offset 0, so compare against false
	// instead of relying on truthiness.
	if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'style_loader_src', 'remove_version_from_style_js', 9999 );
add_filter( 'script_loader_src', 'remove_version_from_style_js', 9999 );

 

List of directories to check for directory listing in WordPress (each should answer with 403 or a blank page, never a file index):

/wp-content/

/wp-content/plugins/

/wp-content/themes/

/uploads/ (normally located at /wp-content/uploads/)

/images/


Prevent SQL injections and URL hacking (request blacklist)

This .htaccess rule set rejects requests whose method or query string matches common injection and traversal patterns. Treat it as a crude, defense-in-depth filter, not as protection against SQL injection, which is fixed in code (prepared statements via $wpdb->prepare()): it matches on substrings, so it also blocks legitimate requests such as a site search for a word containing "select", any ?tag= query or a redirect_to=https://... parameter, and refusing HEAD breaks uptime monitors. The final cookie condition is meant to exempt logged-in users; the WordPress cookie is named wordpress_logged_in_<hash> in lower case, so that condition needs [NC] or it never matches and logged-in users are blocked too. Test on a staging copy before deploying.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

 

Deny access to sensitive files in WordPress

The blocks below use the Apache 2.2 access syntax (Order / Deny from). On Apache 2.4 they only work while mod_access_compat is loaded; otherwise replace each Order/Deny pair with "Require all denied". Denying wp-config.php is defense in depth for the case where PHP handling breaks and the server would otherwise serve the file as plain text; readme.html discloses the version, and install.php and license.txt are never needed by visitors.

Options -Indexes

<files .htaccess>
Order allow,deny
Deny from all
</files>

<files readme.html>
Order allow,deny
Deny from all
</files>

<files license.txt>
Order allow,deny
Deny from all
</files>

<files install.php>
Order allow,deny
Deny from all
</files>

<files wp-config.php>
Order allow,deny
Deny from all
</files>

<files error_log>
Order allow,deny
Deny from all
</files>

<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>

<files fantversion.php>
Order allow,deny
Deny from all
</files>

 

Remove users from the sitemap

Since WordPress 5.5 the core sitemap (wp-sitemap.xml) includes a users sitemap (wp-sitemap-users-1.xml) listing every author with public posts, which is another user-enumeration source. This filter drops that provider:

add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return ( $name == 'users' ) ? false : $provider;
}, 10, 2 );

 

Disallowed Comment Keys

Under Settings > Discussion, "Disallowed Comment Keys" lists strings that send a comment straight to the Trash when they appear in its content, author name, URL, e-mail, IP address or user agent. Listing URL fragments catches most link spam at the cost of trashing legitimate comments that contain a link, so review the Trash occasionally. Examples (note that "http" already matches "https", since matching is by substring):

http
https
.com
.org
.net