05) Security

For security, consider blocking direct access to your files by adding one of the following lines at the top of each PHP file:

defined('ABSPATH') or die("permission denied!");

or

if (!defined('ABSPATH')) exit;

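Direct access to your files could cause PHP errors, which would disclose your WordPress install path. When a file is requested directly, wp-load.php has not run, so ABSPATH is undefined and the guard stops the script before any other code executes.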

The ABSPATH constant is set in the bootstrap file wp-load.php. It will define ABSPATH as wp-load.php’s directory:

define( 'ABSPATH', dirname(__FILE__) . '/' );

Here are the first two files executed when your WordPress site is accessed:

wordpress/index.php
wordpress/wp-blog-header.php

And at the top of wordpress/wp-load.php you will find this:

wordpress/wp-load.php

The full load order is:

index.php > wp-blog-header.php > wp-load.php > wp-config.php > wp-settings.php > functions.php
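To check that every PHP file in a plugin or theme actually starts with one of the guards shown at the top of this section, the following added example (not WordPress code and not from the original page) audits a directory tree. The names has_abspath_guard, unguarded_files and demo and the sample files are assumptions made for illustration; it goes slightly beyond the two forms above by also accepting `||` and a leading declare/namespace statement, and it is a regex heuristic, not a PHP parser.

```python
import re
import tempfile
from pathlib import Path

# Comments that may sit above the guard (plugin header, licence block).
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Statements PHP allows or requires ahead of all other code.
PREAMBLE = re.compile(r"\s*(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+)\s*;", re.I)
# Both guard forms from the page; also accepts `||` and either of die/exit.
ABSPATH = r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)"
GUARD = re.compile(
    r"\s*(?:" + ABSPATH + r"\s*(?:or|\|\|)\s*(?:die|exit)\b"
    r"|if\s*\(\s*!\s*" + ABSPATH + r"\s*\)\s*\{?\s*(?:die|exit)\b)", re.I)


def has_abspath_guard(source):
    """True if the first real statement after <?php is an ABSPATH guard."""
    opening = re.match(r"\s*<\?php\b", source, re.I)
    if not opening:
        return False  # template/HTML first: output starts before any guard
    code = COMMENT.sub(" ", source[opening.end():])
    while (pre := PREAMBLE.match(code)):
        code = code[pre.end():]
    return GUARD.match(code) is not None


def unguarded_files(root):
    """Sorted relative paths of .php files under root that lack a leading guard."""
    root = Path(root)
    return sorted(
        f.relative_to(root).as_posix() for f in root.rglob("*.php")
        if not has_abspath_guard(f.read_text(encoding="utf-8", errors="replace")))


def demo():
    """Audit a constructed plugin tree written to a temporary directory."""
    samples = {  # constructed sample files, not from any real plugin
        "good-or.php": "<?php\n/* Plugin Name: Demo */\n"
                       "defined('ABSPATH') or die(\"permission denied!\");\n",
        "good-if.php": "<?php\n// loader\nif (!defined('ABSPATH')) exit;\n",
        "inc/late.php": "<?php\nrequire 'lib.php';\nif (!defined('ABSPATH')) exit;\n",
        "inc/none.php": "<?php\nfunction demo_helper() {}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return unguarded_files(tmp)
```

Point unguarded_files() at a plugin or theme directory to list the files that still need the guard; a guard placed after a require, as in the constructed inc/late.php, is reported because code has already run by the time it is reached.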