Disable File Editing
By default, WordPress allows administrative users to edit PHP files of plugins and themes inside of the WordPress admin interface.
This is often the first thing an attacker looks for after gaining access to an administrative account, since the built-in editor allows code execution on the server.
Adding the following constant to wp-config.php disables editing from within the administrative interface.
// wp-config.php: removes the plugin/theme editor from the WordPress admin interface
define('DISALLOW_FILE_EDIT', true);
Prevent WordPress Username Enumeration
In many WordPress blogs, it's possible to enumerate WordPress users through an author's archive page. This works if WordPress permalinks are enabled and the user has published one or more posts: a request with an author query string is redirected to the author archive URL, which contains the user's login name.
You can read about WordPress Username Enumeration in greater detail in the article WordPress Username Enumeration using HTTP Fuzzer.
In order to prevent WordPress Username Enumeration, you can add the following rule to your WordPress site's .htaccess file (this is usually located in your website's root directory).
# WordPress's default .htaccess already enables mod_rewrite; include this line if yours does not
RewriteEngine On
# Match any request whose query string contains an author ID ...
RewriteCond %{QUERY_STRING} author=\d
# ... and redirect it to the site root instead of the author archive
RewriteRule ^ /? [L,R=301]
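One way to confirm the rule is active after editing .htaccess, as an added example that is not part of the original article: send a single request for the author query string to a site you own, follow no redirects, and classify the Location header (a redirect to an author archive path means the rule is not in effect). The base URL is a placeholder, and classify_author_redirect, check_site and the sample responses are this example's own constructions.

```python
import urllib.request
import urllib.error
from typing import Optional
from urllib.parse import urlparse

# After the RewriteRule is in place, /?author=1 should redirect to /,
# never to a pretty permalink such as /author/<login>/ that reveals a login name.

def classify_author_redirect(status: int, location: Optional[str]) -> str:
    """Classify one response to /?author=N when redirects are not followed."""
    if status not in (301, 302, 307, 308) or not location:
        return "no-redirect"          # nothing is revealed by this response
    path = urlparse(location).path    # works for absolute and relative Location values
    if path.startswith("/author/"):
        return "leaks-username"       # author archive URL embeds the login name
    return "blocked"                  # redirected elsewhere, e.g. back to the site root


def check_site(base_url: str, author_id: int = 1) -> str:
    """Send one probe to your own site and classify the result."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None               # stop urllib from following the redirect

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"{base_url.rstrip('/')}/?author={author_id}",
                                 headers={"User-Agent": "htaccess-check"})
    try:
        with opener.open(req, timeout=10) as resp:
            return classify_author_redirect(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # urllib raises on 3xx once redirects are refused
        return classify_author_redirect(err.code, err.headers.get("Location"))


# Constructed sample responses (status, Location) so the classifier runs offline.
SAMPLES = {
    "unhardened": (301, "https://example.invalid/author/alice/"),
    "hardened":   (301, "https://example.invalid/"),
    "no-author":  (404, None),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(name, "->", classify_author_redirect(status, location))
    # check_site("https://example.invalid")  # placeholder: point this at a site you administer
```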
Read the entire article on How to prevent a WordPress hack