What permissions should I give directories if I want to make WordPress more secure?

The WP-Security plugin is pretty good for this, and a few other wordpress security related things, it is my solution to lock down basics on security for every wordpress install I do.

Related Posts:

  1. Securing a multi-user permission structure
  2. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  3. Folder Permissions + Security Concerns
  4. Definitive wordpress directory ownership and permissions on linux
  5. How to change permissions of WordPress and/or apache on macOS securely?
  6. On new server, site got hacked, permissions a bit strange? Please help
  7. Privilege escalation bugs in 2.9?
  8. wp-content – permissions for files/folders created by apache
  9. Should I change the default file and folder permissions?
  10. Malware/Permission bug removal?
  11. Default installation permissions for wp-config.php
  12. WordPress – tracking options
  13. SSL Error: unable to get local issuer certificate
  14. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  15. Why does the URL http://a/%%30%30 crash Google Chrome?
  16. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  17. Can an attacker use inspect element harmfully?
  18. Where does Internet Explorer store saved passwords?
  19. WordPress 4.7.1 REST API still exposing users
  20. Should I escape wordpress functions like the_title, the_excerpt, the_content
  21. Why does WordPress need my private ssh key to update?
  22. When to use esc_html and when to use sanitize_text_field?
  23. Why does WordPress have more than one salt?
  24. What is the ideal setup to address security concerns?
  25. Will there be security updates for 3.1 once 3.2 is released?
  26. WordPress it’s cleaning a custom query_var to avoid sql injections?
  27. Tips for finding SPAM links injected into the_content
  28. Is WordPress vulnerable to the httpoxy?
  29. Prevent setup-config.php page from appearing when host blocks database
  30. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  31. WordPress and Security
  32. Is there a security risk giving someone temporary access to my blog’s code?
  33. How to properly sanitize/secure a WP Query coming from the front end
  34. brute force attack even though it is limited by IP
  35. What should I do about hacked server?
  36. Website is being flooded [closed]
  37. Standard permissions for wordpress; Plugin installation asks for FTP credentials
  38. Which WordPress scripts need to be executable for a fresh installation?
  39. Is there any point setting the keys and salts in wp-config.php?
  40. Auth cookie value security risk?
  41. Where to store OAuth 2.0 client id and secret?
  42. Security – Shortcode injection attack
  43. Restricting user login by IP address
  44. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  45. Security threat with `home_url`?
  46. How to combat flooding admin-ajax.php?
  47. Moving away from MD5: Where to declare the custom global $wp_hasher?
  48. Would it be dangerous to send all the wp_options to javascript file?
  49. Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php
  50. Should I disable directory listing for wp-includes?
  51. Safety side of storing emoji into database
  52. Verifying that I have fully removed a WordPress hack?
  53. Large Session Tokens
  54. How can I safely hide the fact that my website runs on WordPress? [closed]
  55. Cannot execute php files in wp-content
  56. How can I display nickname instead username in links
  57. My WordPress Websites are always under attack
  58. Is there value in using a wp_nonce for POST requests?
  59. Using an Encryption class in a WordPress Plugin
  60. How to hide easy access to my website temporarily?
  61. Can I Remove xmlrpc.php completely?
  62. Config file with no Keys..?
  63. How much should I worry about these messages?
  64. WordPress sites being filled with random PHP files
  65. Uploading .webm format on WordPress results in security guidline breach and fail
  66. Any any insecure http:// URLs left in wordpress?
  67. White screen of death on admin pages after moving wp-config up two levels for security
  68. Session Cookie security questions
  69. Storing FTP details in wp-config.php
  70. Can a WordPress administrator see other users’ passwords?
  71. Why my plugins are updating automatically?
  72. Spam injected in w3 total cache page cache [closed]
  73. Content-Security-Policy blocks WordPress check boxes from being activated
  74. How to distinguish between a hack and an encoding error?
  75. Prevent editor from adding script or form
  76. How to change location of wp-config.php to folder or 2 folders up?
  77. Finding where a snippet of code is coming from
  78. wordpress admin security
  79. Remove hacked code – out of ideas! [closed]
  80. Why do people use “admin” username by default? [closed]
  81. WordPress Database Re-installed (Hacked)
  82. WordPress Security tools
  83. Robots.txt file not updating
  84. Where to store sensitive uploaded file?
  85. Security: Critical backend outside of wordpress
  86. Advice On How to Backup WordPress
  87. How can I stop other plugins from using my class’ sensitive methods?
  88. What are WordPress Current Security Issues in 2017?
  89. wp-config.php moved above root results in no plugin updates
  90. Password-protect feed and make it usable in major aggregators
  91. WordPress exploited theme is causing high io load on server
  92. how to find the way they hacked my WP site
  93. How to set custom validation for WordPress Passwords?
  94. How to stop repeated hack on header.php of custom theme? [closed]
  95. is this code properly secured
  96. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  97. How to get real password (before encrypt) when register a user?
  98. Possible to change email address in keypair?
  99. SSH keypair generation: RSA or DSA?
  100. Why is SSH password authentication a security risk?