Operating System

If Ecommerce - Install WordPress to a different directory than default WordPress
Add the secret keys to wp-config.php
Change Database prefix
Delete install.php in admin

Check wp-config.php for auto_update entries

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Update / Add the files
humans.txt
robots.txt

https://www.askapache.com/htaccess/
https://codex.wordpress.org/htaccess
https://perishablepress.com/stupid-htaccess-tricks/
.htaccess { Permissions 0644 -rw-r--r--}

Example .htaccess

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

#Protect Sensitive Files
#This denies all web access to your wp-config file, error_logs, php.ini,
# and htaccess/htpasswds.

<FilesMatch "^.*(debug\.log|error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

# BEGIN gmgj per TAO

# BLOCK NO-REFERRER SPAM
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_REFERER} !(.*)cookdotcom.com(.*) [NC]
RewriteCond %{REQUEST_URI} /wp-comments-post\.php [NC]
RewriteRule .* https://cookdotcom.com/wrong [R=301,L]
</IfModule>

# END gmgj per Tao

# Wordfence WAF

<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>

# END Wordfence WAF