For WordPress in particular, the majority of website breaches result from unpatched versions and vulnerable from plugins, another common hack is from WordPress data exposure. For example, Directory Browsing.
It is imperative to restrict access to your wp-includes.php file. Hackers can exploit files in your directory to reveal files with known vulnerabilities and gain unauthorized access.
Simply, add this code to your .htaccess document to restrict access to your wp-includes.php file.# Block wp-includes folder and files
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]