I recently had to move a bunch of WordPress sites. WordPress, generally, is terribly insecure. Here are my notes for configuring and hardening WordPress. Certainly these measures are incomplete. I gathered them from several sources. I write them here, for posterity, and so I don't forget in the future.
# Run from the WordPress root: regular files 644, directories 755
find ./ -type f -exec chmod 644 {} \;
find ./ -type d -exec chmod 755 {} \;
Add to /wp-content/uploads/.htaccess (this is the Apache 2.2 `deny from all` syntax; on Apache 2.4 without mod_access_compat the equivalent is `Require all denied`):

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
Add to the site root .htaccess (the trailing AddHandler line names the hosting environment's PHP 5.6 handler and is specific to that setup):

<files wp-config.php>
order allow,deny
deny from all
</files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

AddHandler application/x-httpd-php56 .php .php5 .php4 .php3
And of course (660 assumes the web server process is the file's owner or in its group; otherwise PHP cannot read the config):
chmod 660 wp-config.php
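To tie the steps above together, here is an added example script (not from the original post): it audits a WordPress tree for the conditions these notes fix (file and directory modes, wp-config.php mode, PHP-family files under uploads, the uploads .htaccess), applies the fixes, and audits again. The function names, the sample tree and the file names in it are constructed for this example; it assumes find, chmod, grep and wc from a GNU or BSD userland.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a WordPress tree for the
# conditions the notes above fix, apply the fixes, and audit again.
# Assumes find/chmod/grep/wc from a GNU or BSD userland. Function and file
# names are constructed for this example.

# Print the number of findings for the WordPress root in $1 (details on stderr).
wp_audit() {
    root=$1

    # 1. Regular files not mode 644 (wp-config.php is checked separately).
    bad_files=$(( $(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l) ))
    # 2. Directories not mode 755.
    bad_dirs=$(( $(find "$root" -type d ! -perm 755 | wc -l) ))
    # 3. PHP-family files inside uploads. The .htaccess stops them executing,
    #    but their presence still warrants a look, so they stay a finding.
    php_in_uploads=$(( $(find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php3' -o -name '*.php4' -o -name '*.php5' \
           -o -name '*.pht' -o -name '*.phtml' \) 2>/dev/null | wc -l) ))
    # 4. wp-config.php must be 660 (or the stricter 600).
    cfg_bad=$(( $(find "$root/wp-config.php" ! -perm 660 ! -perm 600 2>/dev/null | wc -l) ))
    # 5. The uploads .htaccess must exist and carry the PHP-execution block.
    if grep -q '^deny from all' "$root/wp-content/uploads/.htaccess" 2>/dev/null; then
        ht_missing=0
    else
        ht_missing=1
    fi

    [ "$bad_files" -gt 0 ]      && echo "files not 644: $bad_files" >&2
    [ "$bad_dirs" -gt 0 ]       && echo "dirs not 755: $bad_dirs" >&2
    [ "$php_in_uploads" -gt 0 ] && echo "php files under uploads: $php_in_uploads" >&2
    [ "$cfg_bad" -gt 0 ]        && echo "wp-config.php not 660/600" >&2
    [ "$ht_missing" -gt 0 ]     && echo "uploads/.htaccess PHP block missing" >&2
    echo $((bad_files + bad_dirs + php_in_uploads + cfg_bad + ht_missing))
}

# Apply the fixes from the notes above to the WordPress root in $1.
wp_harden() {
    root=$1
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
EOF
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
    chmod 660 "$root/wp-config.php"
}

# Build a small constructed sample tree with deliberate problems in $1:
# world-writable upload dirs, a 666 config, and a stray .phtml under uploads.
wp_make_sample() {
    root=$1
    mkdir -p "$root/wp-content/uploads/2024" "$root/wp-admin"
    printf '<?php // constructed sample\n' > "$root/wp-config.php"
    printf '<?php // constructed sample\n' > "$root/index.php"
    printf 'not really php\n' > "$root/wp-content/uploads/2024/stray.phtml"
    chmod 755 "$root" "$root/wp-content" "$root/wp-admin"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/2024"
    chmod 666 "$root/index.php" "$root/wp-config.php"
    chmod 644 "$root/wp-content/uploads/2024/stray.phtml"
}

# Demo against a throwaway tree: WP_DEMO=1 sh this_script.sh
if [ "${WP_DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    wp_make_sample "$d"
    echo "findings before: $(wp_audit "$d")"
    wp_harden "$d"
    echo "findings after:  $(wp_audit "$d")"
    rm -rf "$d"
fi
```

On the constructed sample the audit reports six findings before hardening and one after: the stray .phtml remains under uploads. The .htaccess block keeps it from executing, but the audit deliberately keeps reporting it, because a PHP file that appears in uploads is something to review and remove rather than silently tolerate. Run the audit function alone against a live site root to get a quick before/after check without changing anything.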