I'd like to open a discussion about WordPress sites and their security, in light of the recent wave of multiple site attacks and compromises I have to deal with.

As it stands, more and more customers (including their "web agencies") are using WordPress without proper knowledge, using free plugins and themes of dubious quality and ultimately forgetting to update and secure their sites after the initial setup. Things like the default wp-admin directory, loose permissions and writable upload directories are common weak points. The result is that the sites get compromised after a few months/years and the customer starts to blame the host for not being secure enough.

I've been struggling to find a way to secure the sites on the ISPConfig server side to try to avoid as much of the damage that is caused and hopefully be able to prevent as much damage as possible. Perhaps we could apply a custom server config to WordPress sites that can mitigate the damage?

I've been looking at this article: https://wordpress.org/support/article/hardening-wordpress/ and it looks like a good starting point. However, several things seem hard to implement under ISPConfig in a way that is transparent to the customer. There must be a way, as even some cheap hosts seem more immune to "libertine" WordPress installations than we are. Where do we start?
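As a starting point for the weak points named in the post (loose permissions, writable upload directories), here is a server-side audit sketch, added as an example and not part of the original post or of ISPConfig. The function names, the finding labels and the sample tree are assumptions made for illustration; the document root of each site is passed in by the caller.

```python
import os, stat, tempfile

PHP_EXTS = (".php", ".phtml", ".phar")  # extensions a PHP handler commonly runs

def audit_wordpress(docroot):
    """Return sorted (issue, relative_path) findings for one WordPress docroot."""
    findings = []
    uploads = os.path.join("wp-content", "uploads") + os.sep
    for base, dirs, files in os.walk(docroot):
        for name in dirs + files:
            path = os.path.join(base, name)
            rel = os.path.relpath(path, docroot)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink say nothing useful
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            if rel == "wp-config.php" and mode & stat.S_IROTH:
                findings.append(("wp-config-other-readable", rel))
            if (stat.S_ISREG(mode) and rel.startswith(uploads)
                    and name.lower().endswith(PHP_EXTS)):
                findings.append(("php-in-uploads", rel))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree (not real data) with three deliberate weaknesses."""
    wpc = os.path.join(root, "wp-content")
    year = os.path.join(wpc, "uploads", "2020")
    os.makedirs(year)
    files = {
        "wp-config.php": 0o644,                       # readable by other users
        "index.php": 0o640,                           # acceptable
        "wp-content/uploads/2020/logo.png": 0o640,    # acceptable
        "wp-content/uploads/2020/cache.php": 0o640,   # script in uploads
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(wpc, 0o750)
    os.chmod(os.path.join(wpc, "uploads"), 0o750)
    os.chmod(year, 0o777)                             # world-writable directory
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for issue, rel in audit_wordpress(build_sample_site(tmp)):
            print(f"{issue:26} {rel}")
```

Run from cron over every site's document root, the findings list gives the host something concrete to send the customer before a compromise rather than after.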