hugodias/.htaccess

## .htaccess
<IfModule mod_headers.c>
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always edit Set-Cookie (.*) "$1; HTTPOnly"
  Header always edit Set-Cookie (.*) "$1; Secure"
</IfModule>

## checklist.md

      
    Raw
  

              checklist.md
            
          
    Core


 Update WordPress to the latest version

Themes


 Remove all unused themes
 Update themes to the latest version available
 Check for mixing content

Plugins


 Delete all deactivated plugins
 Deactivate all unused or unecessary plugins
 Install Limit Login Attempts plugin (https://wordpress.org/plugins/login-lockdown/)

Users


 Update password of all users
 Delete users that are not being used

URLs


 run wp search-replace "stage-url.rockstage.io" "domain.com" to update all urls
 run wp search-replace "http://stage-url.rockstage.io" "https://domain.com" to force all urls to use HTTPS
 Always use SSL (HTTPS)

Code


 Add mod_headers extra security code to .htaccess (file attached)
 Disable file edit in wp-config define('DISALLOW_FILE_EDIT', TRUE);
 Disable XML-RPC (See https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/)
	<IfModule mod_headers.c>
	Header always set X-XSS-Protection "1; mode=block"
	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-Content-Type-Options "nosniff"
	Header always edit Set-Cookie (.*) "$1; HTTPOnly"
	Header always edit Set-Cookie (.*) "$1; Secure"
	</IfModule>