Animate your life. Don't be static.
Every WordPress site running with default config is being hammered right now by brute-force scripts hitting xmlrpc.php and wp-login.php. If you run multiple sites on a single OpenLiteSpeed (LSWS) box, dropping a per-site .htaccess rule on each one is …
If you run more than one WordPress site on a single server and every wp-config.php has DB_USER = 'root', your eight sites are effectively one site as far as a compromise is concerned. One vulnerable plugin on any of …
By default every WordPress install since 4.7 leaks usernames over a public, unauthenticated REST endpoint. Anyone — no login, no auth header, just a browser — can hit https://yoursite.com/wp-json/wp/v2/users and get a JSON array of every user the site considers …
wp-content/uploads/ is the most predictable target on a WordPress install. It’s writable by the web server (so any compromise that gets a file uploaded lands here), it’s almost never inspected by malware scanners with the same vigilance as wp-includes/, …
OpenLiteSpeed’s admin panel runs on port 7080 by default and binds to *. That means anyone with your server’s IP can hit https://your-ip:7080/ and reach the admin login form. The form has authentication, sure — but having a login …