nginx

HTTP Config

/etc/nginx/nginx.conf:
server_tokens off Stop the server from advertising versions
add_header X-Frame-Options SAMEORIGIN always Stop the website to be framed into other websites
add_header X-Content-Type-Options nosniff Avoid MIME type sniffing by saying that the MIME types are deliberately configured
add_header X-XSS-Protection "1; mode=block" lock pages from loading when they detect reflected XSS attacks
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; enable HSTS

Server Config

location /(wp-admin|wp-login\.php) {\ allow 1.2.3.4;\ deny all;\ } Block access to /wp-admin/, unless source IP is 1.2.3.4