So, to apply some basic hardening, this is what I did:
Disable Options +Indexes on /wp/wp-content/uploads
Because WordPress is not in /, I chose to allow overrides by .htaccess for just Indexes in the /-configuration and fix this through a simple .htaccess in /wp/wp-content/uploads.
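A sketch of the two pieces described above, added here as an example and not the author's actual configuration; the document root /var/www/html is an assumed path.

```apache
# --- Apache site configuration (the "/" configuration) ---
# /var/www/html is an assumed document root; adjust to the real one.
<Directory "/var/www/html">
    # Let .htaccess files change only the Indexes option, nothing else.
    AllowOverride Options=Indexes
</Directory>

# --- /var/www/html/wp/wp-content/uploads/.htaccess ---
# Turn off automatic directory listings for uploads and its subdirectories.
Options -Indexes
```

With this in place, a request for a directory under uploads that has no index file returns 403 Forbidden instead of a file listing.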
Disable XML RPC
I don’t like these kinds of things and I fail to see the point of it for my specific use case. Therefore, it must go. For the WordPress-location, I added this directive to the Apache-configuration:
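# Deny every request for xmlrpc.php (Apache 2.2 syntax; on Apache 2.4 this
# needs mod_access_compat, the native equivalent is "Require all denied")
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>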
Updates through PHP-method
Apparently, WordPress needs to be told to directly download updates instead of utilizing FTP. Fixed in wp-config.php by adding:
define('FS_METHOD','direct');