Basic Checklist:
- SSL + Headers
- Updates (Alerts or Auto)
- Wordfence
- Login Limit
- 2FA (Two-Factor Authentication)
- Password Strength
- CDN (optional – to prevent DDoS and hotlinking)
- Hide WP-admin (optional)
- Disallow File-Editing
- Whitelist Admin (optional)
Advanced (may mess with functionality):
- Disabling PHP Execution in Specific Folders
- Change the Default WordPress Database Prefix
- Disable XML-RPC
- Hide the WordPress Version
- Manage File Permissions (755)
- Disable PHP Error Reporting