
WordPress Security

Remove unused plugins and themes

htaccess

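# Security response headers. The <IfModule> guard means nothing is sent (and no
# error is raised) when mod_headers is not loaded, so confirm the headers in a
# real response after deploying.
<IfModule mod_headers.c>
# HSTS: browsers honour this only when it arrives over HTTPS. includeSubDomains
# extends the one-year (max-age=31536000) HTTPS-only rule to every subdomain,
# so make sure all of them serve HTTPS before enabling it.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# NOTE(review): X-XSS-Protection controls a legacy browser XSS filter that
# current browsers no longer implement. It is not a substitute for output
# escaping and a Content-Security-Policy, which this block does not set.
Header always set X-Xss-Protection "1; mode=block"
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
Header always set X-Content-Type-Options "nosniff"
# Allow framing by same-origin pages only (clickjacking defence).
Header always set X-FRAME-OPTIONS "SAMEORIGIN"
# "always" added to match the other headers, so the policy is also sent on
# error responses rather than on successful ones only.
# NOTE(review): no-referrer-when-downgrade still sends the full URL to other
# HTTPS origins; consider a stricter policy if URLs can carry sensitive data.
Header always set Referrer-Policy "no-referrer-when-downgrade"
# Disable browser features the site does not use; fullscreen stays available
# to same-origin content only.
Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
</IfModule>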

Add an .htaccess file in the uploads folder to prevent PHP files there from being executed:

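# Refuse every request for a *.php file in this directory and below, so an
# uploaded script cannot be run through the web server.
# Requires the server's AllowOverride setting to permit access-control
# directives in .htaccess; otherwise the rule is ignored or the directory errors.
# NOTE(review): this matches only names ending in .php. If the server maps other
# extensions to the PHP handler, they are not covered -- check the handler config.
<Files *.php>
# Apache 2.4 syntax (mod_authz_core).
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 syntax; on 2.4 "deny from all" only works with mod_access_compat
# loaded and otherwise makes every request to this directory fail.
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>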

Clean up WordPress defaults


// Disable XML-RPC methods that require authentication.
// NOTE(review): per the WordPress documentation for this filter, it does not
// switch off unauthenticated methods such as pingbacks, and xmlrpc.php still
// answers requests. Blocking the endpoint itself needs a server rule like the
// one shown below.
add_filter('xmlrpc_enabled', '__return_false');

// The following is Apache configuration for .htaccess, not PHP.
// # Block WordPress xmlrpc.php requests
// <Files xmlrpc.php>
// order deny,allow
//  deny from all
//  #allow from 000.00.000.000
// </Files>

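// Strip default output that WordPress prints into every page's <head>.
// remove_action() only takes effect when the callback name and priority match
// the values the callback was registered with.

// Really Simple Discovery link, which advertises the XML-RPC endpoint.
remove_action('wp_head', 'rsd_link');
// Generator meta tag carrying the WordPress version. This only reduces casual
// version disclosure; it is not a substitute for keeping core up to date.
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'start_post_rel_link');
// Feed discovery links (registered at priorities 2 and 3).
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
// Windows Live Writer manifest link.
remove_action('wp_head', 'wlwmanifest_link');
// Adjacent-post rel links. Current WordPress registers them on wp_head under
// the *_wp_head callback, so the first call alone matches older releases only.
remove_action('wp_head', 'adjacent_posts_rel_link');
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
// Emoji detection script and its stylesheet.
remove_action('wp_head', 'print_emoji_detection_script', 7);
remove_action('wp_print_styles', 'print_emoji_styles');
// Shortlink tag.
remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);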

Make login error hints generic


/**
 * Return one fixed, generic message for use as the login error text.
 *
 * The same string is returned in every case, so the text itself gives no hint
 * about which part of a login attempt was rejected.
 *
 * @return string The generic error message.
 */
function no_wordpress_errors() {
  $generic_message = 'Something is wrong!';

  return $generic_message;
}
// Route the login error text through no_wordpress_errors(), replacing the
// default messages that say whether the username or the password was wrong.
// NOTE(review): this changes the message text only; usernames may still be
// discoverable elsewhere (e.g. author archives) -- verify separately.
add_filter('login_errors', 'no_wordpress_errors');