Implementing WordPress Security Keys & Salts (and Generating Your Own) in 2019

I have been hardening down my Fortinet firewall and WordPress servers.  I moved the wp-config.php file and added an include into the one on each web site for the new location.   I added the security keys and salts to the moved wp-config.php file for all the web sites.  I changed all the SQL passwords for each site.  I changed the .htacess to stop browsing.  I added some plugins for brute force login attacks.   I removed the webalizer servers, logs, and other etc files from the servers.   I removed other directories and files that are no longer need and could pose and issue to security.  I changed all files to chmod 644.   Directories are 755.   I keep all the LAMP components up to date and check weekly. I keep the WordPress components up to date like themes, plugins, etc.  The Fortinet firewall has web filter blocks for wp-admin and other private directories.

 I have two .htaccess files:  In the web site base folder and one in wp-admin to stop access to it. 

base folder :  You can add Options – Indexes to stop browsing.

WP-Admin folder: I add

Require ip for both ipv4 and ipv6.   I add my workstation, server that hosts the web site, external addresses that I might use.   You also add these into /etc/hosts or your Windows hosts file.  

Both WordPress servers have been duplicated and moved to Ubuntu 20.04.1 and latest components.  

 I add the repository for Digital Ocean MariaDB 10.x,  PHP 7.4.x, Apache 2.4.x.   I install phpMyAdmin’s latest version after installing the base product in Ubuntu.   phpMyAdmin is a quick way to create the WordPress databases and user for each web site.   I have pages dediicated for each of these.    I copy in The Hacker News bug reports on all the components I use.  It is best to stay on the latest components for WordPress.