One of the main vectors of attacks in WordPress is due to the misuse of this library.

The idea is to inform the user that timthumb.php is present in your project as a warning.

Within the project structure is a mixture of different variable names. The idea is to normalize all these names.

The list is stripped to improve recognition of projects in WordPress

Implement option WP_MEMORY_LIMIT in wp-config-wphardening.php

Reference

http://codex.wordpress.org/Editing_wp-config.php#Increasing_memory_allocated_to_PHP

The idea is to create a new option for changing the owners and groups of files and directories

As the use of new option is proposed --chown

https://github.com/elcodigok/wphardening/blob/master/lib/wpconfigWordPress.py#L135

The idea is to show information such as the version of the library and the values ​​of some variables.

Reference

http://timthumb.googlecode.com/svn/trunk/timthumb.php

Tthat way we can upload all files to web server

Change wp_admin_css() function of /wp-include/general-template.php because the css file calls giving the version of WordPress.

Example:

<link rel='stylesheet' id='buttons-css'  href='http://misite.com/wp-includes/css/buttons.min.css?ver=3.9.1' type='text/css' media='all' />

Fix bug in regular expression detected in the file lib/pluginsWordPress.py

Thanks to the collaboration of @Jsitech

Load options from a configuration INI file --load-conf

Example

./wphardening.py --load-conf /path/complet/wphardening.conf

Instead of looking for a WordPress project from a local directory, it would be possible to start the project by downloading WordPress from its official website.

The idea is to move those out of a WordPress project that hidden to later retrieve directory.

https://github.com/elcodigok/wphardening/blob/master/lib/pluginsWordPress.py#L133

Improve malware scanner including the following functions

assert, file_get_contents, curl_exec, popen, proc_open, unserialize, eval, base64_encode, base64_decode, create_function, exec, shell_exec, system, passthru, ob_get_contents, file, curl_init, readfile, fopen, fsockopen, pfsockopen, fclose, fread and file_put_contents

The idea is to change the end of stream remove option

Reference

https://github.com/elcodigok/wphardening/blob/master/wphardening.py#L147

It is advisable to change the contents of the $wp_version variable in the wp-includes/version.php file?

https://wordpress.org/news/2014/09/benny/

http://wordpress.org/news/2014/08/wordpress-4-0-release-candidate/

Compressing static files .css and .js

This way we can have the application in multiple languages.

The idea is to recommend not to use the root user for MySQL databases in class wpconfigWordPress.py

Reference

https://github.com/elcodigok/wphardening/blob/master/lib/wpconfigWordPress.py#L83

Error login messages may expose and give hackers an idea if they’ve gotten username correct/incorrect, vice versa. It is wise to hide it from unauthorized login.

To hide login error messages, simply put the following code in functions.php

add_filter('login_errors',create_function('$a', "return null;"));

Reference

http://blog.petermcdonald.co.uk/2013/04/25/wordpress-full-path-disclosure-issue/

should show the status of downloading plugins, status bar

The idea for this issue is to store the information of all the options that were executed.

The idea is to look at the whole project of WordPress and its source code's base64_decode(); function where it is usually a backdoor attempt encode or malware.

Check all the problems that can arise in the process of updating

Reference

https://github.com/elcodigok/wphardening/blob/máster/lib/updateWPHardening.py#L32

This requires learning about variables WP_CONTENT_DIR and WP_CONTENT_URL

http://wordpress.org/news/2014/08/wordpress-3-9-2/

The idea is to recommend a default value in the URL of the file robotsWordPress.py

Reference

https://github.com/elcodigok/wphardening/blob/master/lib/robotsWordPress.py#L44

The idea is to Download from the official WordPress repository instead of using the -d option for the PATH.

https://wordpress.org/news/2014/11/wordpress-4-0-1/

Botnet scripts that automatically look for vulnerabilities in your software are sometimes identified as User-Agent libwww-perl. By blocking access from libwww-perl you can eliminate many simpler attacks. Read more on blocking Libwww-perl access and improving your website's security.

RewriteCond %{HTTP_USER_AGENT} libwww-perl.* 
RewriteRule .* – [F,L]

http://www.cyberciti.biz/tips/the-rise-of-bots-spammers-crack-attacks-and-libwww-perl.html

implement a more detailed output information to the verbose mode all options

The idea is to find all Themes of the project and give the user the option to remove them.

Class reference

removeWordPress.py

The idea is that the tool recognizes all themes and delete those that are not going to use.

The controls that are already in the project are very weak and may improve.

The current code when running wphardening.py generates a default output to the console line. The idea is to export to a more user-friendly HTML format.

The idea is sicronizar with GitHub and keep always updated the code on the client side.

https://github.com/ElevenPaths/latch-plugin-wordpress

The idea is to separate with a menu class source code in wphardening.py

Generate file doc/CHANGELOG.md

This script goes in your .htaccess and will attempt to prevent malicious string attacks on your site (XSS). Please be aware some of these strings might be used for plugins or themes and doing so will disable the functionality. This script from perishablepress is fairly safe to use and should not break anything important. A more advanced one can be found on askapache.com.

RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.([|]|(|)||'|"|;|?|).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.(%22|%27|%3C|%3E|%5C|%7B|%7C). [NC,OR]
RewriteCond %{QUERY_STRING} ^.(%0|%A|%B|%C|%D|%E|%F|127.0). [NC,OR]
RewriteCond %{QUERY_STRING} ^.(globals|encode|config|localhost|loopback). [NC,OR]
RewriteCond %{QUERY_STRING} ^.(request|select|insert|union|declare|drop). [NC]
RewriteRule ^(.*)$ - [F,L]

Reference

http://wpsecure.net/secure-wordpress-advanced/

Interface for users who do not understand the command line applications.

in flag --wp-config add

/* Disable reporting errors */ 
error_reporting(0); 
@ini_set(‘display_errors’, 0); 

Thaks Andres @p4ter0