Run the following commands:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
chmod 400 wp-config.php
or chmod 440 wp-config.php
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
<files wp-config.php>
order allow,deny
deny from all
</files>
Add the following to wp-config.php
define('DISALLOW_FILE_EDIT', true);
Consider using ufw and fail2ban.
How To Protect WordPress from XML-RPC Attacks on Ubuntu 14.04