@leoborlot
Forked from chesio/wordpress-apache-hardening.md
Last active August 13, 2022 20:18
Some common rules to harden WordPress running on Apache webserver

How to harden WordPress install

Note: the paths below assume WordPress is installed in a wordpress subdirectory and uses a WordPress multi-environment configuration (a wp-config/ directory holding per-environment config files).

Prevent full path disclosure

See: Why are there path disclosures when directly loading certain files?

Add the following to .user.ini (or similar):

# Turn off display of errors to prevent full path disclosures in WordPress
# https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
display_errors = Off

Block access to configuration files

Add the following to wordpress/.htaccess:

# Block access to wp-config.php
<Files "wp-config.php">
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Deny from all
	</IfModule>
</Files>

Add the following to wordpress/wp-config/.htaccess:

# Block access to all files in this directory
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Deny from all
</IfModule>

Limit access to login page (if applicable)

Add the following to wordpress/.htaccess:

# Restrict access to login form only to certain IPs
<Files "wp-login.php">
	<IfModule mod_authz_core.c>
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Require ip 1.2.3.4 5.6.7
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order deny,allow
		Deny from all
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Allow from 1.2.3.4 5.6.7
	</IfModule>
</Files>

Limit access to debug log

Add the following to wordpress/wp-content/.htaccess:

# Restrict access to debug.log only to certain IPs
<Files "debug.log">
	<IfModule mod_authz_core.c>
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Require ip 1.2.3.4 5.6.7
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order deny,allow
		Deny from all
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Allow from 1.2.3.4 5.6.7
	</IfModule>
</Files>

Disable execution of PHP files from within uploads folder

Add the following to wordpress/wp-content/uploads/.htaccess:

# Block access to .php, .php3, .php4, .php5 and .phtml files
<FilesMatch "\.(?:[Pp][Hh][Pp][345]?|[Pp][Hh][Tt][Mm][Ll])$">
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Deny from all
	</IfModule>
</FilesMatch>
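The FilesMatch rule above is only as good as its regular expression, so it is worth checking which file names it actually matches before relying on it. The following is an added example (not part of the gist) that runs the gist's pattern, and a broader pattern that is this example's own suggestion, over a constructed list of file names; Python's re module accepts this PCRE expression unchanged. Whether extensions such as .php7 or .phar are executed at all depends on the server's PHP handler configuration, so the broader pattern is a belt-and-braces addition, not a claim about any particular server.

```python
import re

# The exact expression from the wordpress/wp-content/uploads/.htaccess rule above.
# <FilesMatch> is evaluated against the requested file's base name.
UPLOADS_BLOCK_PATTERN = re.compile(r"\.(?:[Pp][Hh][Pp][345]?|[Pp][Hh][Tt][Mm][Ll])$")

# Broader pattern (this example's suggestion, not from the gist): also covers
# .php6/.php7/.php8, .phar and .phps, which some PHP handler setups map to PHP.
BROADER_BLOCK_PATTERN = re.compile(r"\.(?:php[3-8]?|phtml|phar|phps)$", re.IGNORECASE)

# Constructed sample of upload names; none of these are real files.
SAMPLE_NAMES = [
    "image.jpg",        # legitimate upload, must stay reachable
    "upload.php",       # blocked by the gist's rule
    "Legacy.PHP5",      # blocked: the rule is written case-insensitively
    "page.phtml",       # blocked
    "x.php7",           # NOT matched by the gist's rule
    "archive.phar",     # NOT matched by the gist's rule
    "photo.php.jpg",    # not matched: the rule is anchored to the final extension
]


def is_blocked(filename: str, pattern: re.Pattern = UPLOADS_BLOCK_PATTERN) -> bool:
    """True if the FilesMatch pattern would deny a request for this base name."""
    return pattern.search(filename) is not None


def audit_uploads(filenames, pattern: re.Pattern = UPLOADS_BLOCK_PATTERN):
    """Return the names the given pattern would NOT block, for review."""
    return [name for name in filenames if not is_blocked(name, pattern)]


if __name__ == "__main__":
    for label, pattern in (("gist rule", UPLOADS_BLOCK_PATTERN),
                           ("broader rule", BROADER_BLOCK_PATTERN)):
        print(f"{label}: not blocked -> {audit_uploads(SAMPLE_NAMES, pattern)}")
```

Run it as a script to see both lists; the names left unblocked by the gist's rule but caught by the broader one are the ones to decide about for your server.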
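Once the .htaccess rules above are in place, the practical check is to request each protected path from an address that is not on the allowlist and confirm the server answers 403. This added example (not from the gist) does that with only the standard library; the base URL, the "probe.php" name and the fetch callback are this example's assumptions. The probe file does not need to exist, because Apache evaluates the Files/FilesMatch sections and access control before it looks for the file, so a 403 is expected even for a missing name. Anything other than 403 means the rule is not in effect from your vantage point (for example, .htaccess is ignored because AllowOverride is None, or your address is on the wp-login.php/debug.log allowlist).

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Paths relative to the wordpress/ directory that the rules above should deny
# to a client that is NOT on the IP allowlist. "probe.php" is a constructed name.
PROTECTED_PATHS = [
    "wp-config.php",
    "wp-config/",
    "wp-content/debug.log",
    "wp-content/uploads/probe.php",
    "wp-content/uploads/probe.PHTML",
    "wp-login.php",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # lets urllib raise HTTPError carrying the 3xx status


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL and return the HTTP status code without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_hardening(base_url: str,
                    fetch: Callable[[str], int] = http_status,
                    expected: int = 403) -> List[Tuple[str, int, bool]]:
    """Return (path, status, ok) for every protected path under base_url."""
    base = base_url.rstrip("/") + "/"
    return [(path, status, status == expected)
            for path in PROTECTED_PATHS
            for status in (fetch(base + path),)]


def summarize(results: List[Tuple[str, int, bool]]) -> Dict[str, List[str]]:
    """Split results into paths that were denied and paths that need a look."""
    return {
        "blocked": [path for path, _, ok in results if ok],
        "needs_attention": [path for path, _, ok in results if not ok],
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_hardening.py https://example.test/wordpress")
    report = check_hardening(sys.argv[1])
    for path, status, ok in report:
        print(f"{'OK  ' if ok else 'LOOK'} {status} {path}")
    sys.exit(0 if not summarize(report)["needs_attention"] else 1)
```

The fetch callback is injectable so the logic can be exercised offline; in real use it is the http_status function, and the non-zero exit code makes the script usable as a post-deploy check.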

Add a plugin to block xmlrpc.php

Modify wp-config.php to prevent modification of files from the admin interface. Note that these constants are only effective when set to true (false is the WordPress default and leaves the editor and installer enabled), and that with DISALLOW_FILE_MODS in place plugin, theme and core updates must be applied through your deployment process rather than from the dashboard.

/** Protection against file modification and automatic updates. */
define('DISALLOW_FILE_EDIT', true);          // remove the theme/plugin file editor from the admin
define('DISALLOW_FILE_MODS', true);          // block plugin/theme install, update and removal from the admin
define('AUTOMATIC_UPDATER_DISABLED', true);  // disable the background updater entirely
define('WP_AUTO_UPDATE_CORE', false);        // no automatic core updates

Disable comments via functions.php

<?php
// Snippet from: https://keithgreer.uk/wordpress-code-completely-disable-comments-using-functions-php

// First, this will disable support for comments and trackbacks in post types
function df_disable_comments_post_types_support() {
   $post_types = get_post_types();
   foreach ($post_types as $post_type) {
      if (post_type_supports($post_type, 'comments')) {
         remove_post_type_support($post_type, 'comments');
         remove_post_type_support($post_type, 'trackbacks');
      }
   }
}
add_action('admin_init', 'df_disable_comments_post_types_support');

// Then close any open comments on the front-end just in case.
// The two parameters match the comments_open / pings_open filter signature
// (the filters are registered below with 2 accepted arguments).
function df_disable_comments_status($open, $post_id) {
   return false;
}
add_filter('comments_open', 'df_disable_comments_status', 20, 2);
add_filter('pings_open', 'df_disable_comments_status', 20, 2);

// Finally, hide any existing comments that are on the site.
function df_disable_comments_hide_existing_comments($comments, $post_id) {
   return array();
}
add_filter('comments_array', 'df_disable_comments_hide_existing_comments', 10, 2);