WordPress Security Settings
=======================================================================================
    #Add code in .htaccess File
  
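    #Security Headers
	# "always" makes mod_headers apply a directive to every response, error pages and
	# redirects included; plain "Header set" only touches successful (2xx) responses.
	<IfModule mod_headers.c>
	# includeSubDomains commits every subdomain to HTTPS for a year: confirm all of them
	# serve TLS before deploying.
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	# The XSS auditor has been removed from current browsers; "0" turns it off where it
	# still exists (its filtering mode was itself usable to infer page content).
	# Content-Security-Policy is the replacement.
	Header always set X-XSS-Protection "0"
	# SAMEORIGIN, not DENY: WordPress's admin and customizer embed same-origin iframes.
	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-Content-Type-Options "nosniff"
	Header always set Referrer-Policy "strict-origin-when-cross-origin"
	# Permissions-Policy allow-lists are written as a parenthesised list: "geolocation=self"
	# (the original) is not valid syntax and is ignored by browsers.
	Header always set Permissions-Policy "geolocation=(self)"
	# Add SameSite=Lax only to cookies that do not already declare SameSite, so an explicit
	# SameSite=None or Strict set by the application survives (the original appended it to
	# every cookie unconditionally). Given for both header tables: "always" covers error
	# responses, the plain form covers cookies set by the application handler.
	# NOTE(review): which table carries PHP's Set-Cookie depends on the SAPI; check a
	# logged-in response for the attribute.
	Header edit Set-Cookie "(?i)^((?!.*samesite=).*)$" "$1; SameSite=Lax"
	Header always edit Set-Cookie "(?i)^((?!.*samesite=).*)$" "$1; SameSite=Lax"
	</IfModule>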
	
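	#X-Frame-Options
	# "set" rather than "append": appending puts a second value on the header, and where
	# another stanza sets DENY the values conflict. Browsers do not pick one of two
	# conflicting X-Frame-Options values; the header is treated as invalid (or as DENY),
	# which breaks the same-origin iframes WordPress's admin uses.
	<IfModule mod_headers.c>
	Header always set X-Frame-Options "SAMEORIGIN"
	</IfModule>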
	
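	#Protect Against SQL Injection
	# This is request-noise filtering, not SQL-injection protection: the database is
	# protected by $wpdb->prepare()/parameterised queries in code, and any of these
	# substring checks is sidestepped by encoding the same query differently. Keep it
	# only as a cheap 403 for obviously junk requests.
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	# HEAD is removed from the original list (HEAD|TRACE|DELETE|TRACK): it is a safe
	# method used by uptime monitors, link checkers and caches. DELETE is used by REST
	# API clients; drop it too if the REST API is consumed by external tools.
	RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
	RewriteRule ^(.*)$ - [F,L]
	RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
	RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
	RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
	RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
	RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
	# Percent-encoded C0 control characters (%00, %0A, %0D ...) have no place in a query.
	RewriteCond %{QUERY_STRING} %0 [NC,OR]
	RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC]
	# Removed from the original list because each one rejects ordinary WordPress traffic:
	#   tag=                        the ?tag= archive query var
	#   http: / https:              ?redirect_to=https://... on wp-login.php, oEmbed ?url=
	#   the ([ ] ( ) < > " ; ? * =$) list   empty searches (?s=) and array vars (?post_type[]=)
	#   %A|%B|%C|%D|%E|%F           every percent-encoded non-ASCII byte (any UTF-8 search)
	#   globals|encode|localhost|loopback|127.0   substring matches inside ordinary words
	#   request|select|insert|union|declare       likewise, e.g. ?s=selection
	# Exemption for requests carrying a WordPress login cookie. The cookie name is lowercase
	# (wordpress_logged_in_), so the match needs [NC]; the original was case-sensitive, never
	# matched, and its negated condition was therefore always true, so logged-in users were
	# filtered too. A cookie name is client-supplied: this is a convenience for logged-in
	# users, not an authentication check.
	RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
	RewriteRule ^(.*)$ - [F,L]
	</IfModule>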
	
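	# Blocks some XSS attacks
	# Substring filtering of the query string; trivially avoided by different encodings,
	# so treat it as noise reduction rather than protection. Output escaping in templates
	# and a Content-Security-Policy are what actually limit XSS.
	<IfModule mod_rewrite.c>
	# The original first pattern was "(\|%3E)", which matches only the literal text "|%3E"
	# ("\|" is a literal pipe in PCRE). Restored to the usual literal-or-encoded
	# script-tag check.
	RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
	# $GLOBALS and $_REQUEST are case-sensitive in PHP, so these two stay case-sensitive.
	RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
	# [F] answers 403 and ignores the substitution, so "-" replaces the misleading "index.php".
	RewriteRule .* - [F,L]
	</IfModule>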
	
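	#BEGIN Block bad hackers
	# User-Agent is chosen by the client, so this only drops tools that keep their default
	# identifier: noise reduction, not an access control. The pattern is "^libwww-perl";
	# the original "^libwww-perl*" let the trailing "*" apply to the final "l" only.
	SetEnvIfNoCase User-Agent "^libwww-perl" block_bad_bots
	# Apache 2.4 form. NOTE(review): Require directives in .htaccess replace the parent
	# directory's authorization rules unless AuthMerging is set; confirm no IP restriction
	# from the server config is lost here.
	<IfModule mod_authz_core.c>
	<RequireAll>
	Require all granted
	Require not env block_bad_bots
	</RequireAll>
	</IfModule>
	# Apache 2.2 form (Order/Deny need mod_access_compat on 2.4).
	<IfModule !mod_authz_core.c>
	Deny from env=block_bad_bots
	</IfModule>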

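	# Disable directory browsing
	# "-Indexes" on its own. "Options All -Indexes" first switches on every option
	# (ExecCGI, Includes, FollowSymLinks ...) before removing Indexes, which widens what
	# this directory may execute. Requires AllowOverride Options, otherwise Apache
	# answers 500 for the whole directory.
	Options -Indexes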

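	# Deny access to .htaccess/.htpasswd-style files and to the WordPress files that
	# reveal the installed version (readme.html, license.txt), the configuration
	# (wp-config.php) or PHP errors (error_log). One FilesMatch replaces the five
	# stanzas that each did the same thing. The pattern keeps the original matching:
	# any basename containing ".hta" (those letters in any case), and the exact names.
	<FilesMatch "(\.[Hh][Tt][Aa]|^(readme\.html|license\.txt|wp-config\.php|error_log)$)">
	# Apache 2.4 form.
	<IfModule mod_authz_core.c>
	Require all denied
	</IfModule>
	# Apache 2.2 form (Order/Deny need mod_access_compat on 2.4).
	<IfModule !mod_authz_core.c>
	Order allow,deny
	Deny from all
	Satisfy all
	</IfModule>
	</FilesMatch>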
  
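    #Possible Username & Password Disclosure.
	# Dotfiles (.htaccess, .htpasswd, .env, .git* ...) and the configuration file including
	# the shipped sample. "(-sample)*" is kept from the original; "?" is the quantifier
	# that was meant, but both match the real filenames. FilesMatch tests the basename
	# only, so "^\." does not affect the .well-known/ directory used for ACME challenges.
	# The separate "^\.ht" stanza of the original is dropped: it was a subset of "^\.".
	<FilesMatch "(^\.|wp-config(-sample)*\.php)">
	# Apache 2.4 form.
	<IfModule mod_authz_core.c>
	Require all denied
	</IfModule>
	# Apache 2.2 form (Order/Deny need mod_access_compat on 2.4).
	<IfModule !mod_authz_core.c>
	Order Deny,Allow
	Deny from all
	</IfModule>
	</FilesMatch>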

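    #OLD#
    #Deny Access To Sensitive Files in WordPress.
	# Earlier form of the deny rules, kept for reference. Three things in it were wrong
	# and are corrected here: "Options All" switched on every option before removing
	# Indexes; "(.*)\.ttf" blocked the theme's own web fonts; and the second pattern
	# blocked robots.txt (which must stay readable by crawlers) and, through the
	# unescaped "." in ".[hH][tT][aApP].*", any file whose name merely contains "hta" or
	# "htp" (lightandshadow.png, for example). Each stanza carries the Apache 2.4
	# (Require) and 2.2 (Order/Deny) forms.
	Options -Indexes
	# Protect some other files: localised readmes, FAQ/credits pages and backup copies.
	<FilesMatch "(liesmich\.html|faq\.html|readme\.html|license\.txt|faq\.txt|credits\.html|\.bak$)">
	<IfModule mod_authz_core.c>
	Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
	Order Deny,Allow
	Deny from all
	</IfModule>
	</FilesMatch>

	# Logs, configuration and .ht* files (dots escaped; robots.txt removed).
	<FilesMatch "(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP])">
	<IfModule mod_authz_core.c>
	Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
	</IfModule>
	</FilesMatch>

	# Exact basenames: the installer and the files a Fantastico install leaves behind
	# (replaces four identical <files> stanzas).
	<FilesMatch "^(\.htaccess|install\.php|fantastico_fileslist\.txt|fantversion\.php)$">
	<IfModule mod_authz_core.c>
	Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
	Order allow,deny
	Deny from all
	</IfModule>
	</FilesMatch>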

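  #WordPress XML-RPC Authentication Bruteforce.
	# xmlrpc.php accepts system.multicall (many login attempts per request) and pingbacks,
	# so it is closed entirely. Anything that needs it, Jetpack, the mobile apps, remote
	# publishing, stops working; if one of those is in use, allow its source addresses with
	# "Require ip ..." inside the 2.4 block instead of denying everything.
	<Files xmlrpc.php>
	# Apache 2.4 form.
	<IfModule mod_authz_core.c>
	Require all denied
	</IfModule>
	# Apache 2.2 form (Order/Deny need mod_access_compat on 2.4).
	<IfModule !mod_authz_core.c>
	Order Deny,Allow
	Deny from all
	</IfModule>
	</Files>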

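  #Directory Listing Enabled.
	# (Heading kept from the original; the directives below set response headers.
	# Directory listing is disabled by "Options -Indexes" earlier in this file.)
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	#WriteCheckString:1562058044_52870
	# Environment marker that some plugins read to confirm mod_rewrite is active.
	RewriteRule .* - [E=HTTP_MOD_REWRITE:On]
	</IfModule>

	# The header directives no longer sit inside <IfModule mod_rewrite.c> or inside the
	# original <FilesMatch "">: they do not depend on mod_rewrite, and an empty pattern
	# matched every file anyway.
	<IfModule mod_headers.c>
	# "public, max-age=300" on every response would let shared caches serve logged-in
	# pages: WordPress sends no-cache headers for authenticated users and "Header set"
	# overrides them. Public caching is therefore limited to static assets.
	<FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|ico|woff2?|ttf)$">
	Header set Cache-Control "max-age=300, public"
	</FilesMatch>
	# Strict-Transport-Security, X-XSS-Protection, X-Frame-Options and
	# X-Content-Type-Options are set once in the "#Security Headers" stanza at the top of
	# this file and are not repeated here: "Header add Strict-Transport-Security" produced
	# a second HSTS header (browsers honour only the first one, RFC 6797), and
	# "append X-Frame-Options DENY" conflicted with the SAMEORIGIN value set there.
	# NOTE(review): "Header unset Server" is generally ineffective because core adds the
	# Server header after mod_headers runs; "ServerTokens Prod" in the server config is the
	# working knob (it cannot be set from .htaccess). Kept because it is harmless.
	Header unset Server
	# "Header set Connection keep-alive" is dropped: Connection is a hop-by-hop header the
	# server manages itself, and forcing it can mislabel a connection the server is about
	# to close.
	# Version banners: X-Powered-By is unset in both tables so error responses lose it too.
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	# X-Pingback advertises the xmlrpc.php endpoint on every page.
	Header unset X-Pingback
	</IfModule>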

--------------------------------------------------------------	
 2) wp-config file
	Add the following to wp-config.php
	
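	// NOTE(review): this cookie ("hidden=value") protects nothing. WordPress already sets
	// its own auth cookies HttpOnly; a dummy cookie only satisfies scanners that flag
	// "cookie without HttpOnly". If it stays, it should at least carry Secure and SameSite,
	// otherwise the same scanner reports the same cookie again. Secure assumes the site is
	// served over HTTPS (the HSTS header in .htaccess already requires that).
	header("Set-Cookie: hidden=value; HttpOnly; Secure; SameSite=Lax");
	// Disables ALL automatic updates, including core security releases. Only keep this
	// when updates are applied by another process (deploy pipeline, WP-CLI on a schedule);
	// otherwise define( 'WP_AUTO_UPDATE_CORE', 'minor' ); keeps security/minor releases
	// automatic while leaving major upgrades manual.
	define( 'AUTOMATIC_UPDATER_DISABLED', true );

	// Removes the PHP version banner; expose_php=Off in php.ini is the complete fix, since
	// this only covers responses that reach this file.
	header_remove("X-Powered-By");
	// WordPress sends this itself for wp-admin and wp-login.php; this extends it to every
	// page. SAMEORIGIN (not DENY) because the admin and customizer use same-origin iframes.
	header('X-Frame-Options: SAMEORIGIN');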
=====================================================================================
