1) uploads folder – 755
Changing File Permissions
2) hide authors
How to Find a Backdoor in a Hacked WordPress Site and Fix It
WordPress Security with WPScan: Username
Stop User Enumeration in WordPress
.htaccess
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* /? [L,R=302]
</IfModule>
Brute Force Attacks
3) no “admin” user
4) use complicated passwords