by Ayesh 2409 days ago
This is a shameless self-plug. I have written a few WP plugins because it is not as secure as I wanted it to be:

- WordPress does not come with proper password hashing, and uses the phpass library. https://wordpress.org/plugins/password-hash/ will change this to use bcrypt/Argon2id

- Comment forms do not have CSRF tokens, and hackerone/tickets for them have been neglected as trivial. https://wordpress.org/plugins/comment-form-csrf-protection/ This plugin adds a CSRF token to comment forms.
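The two changes the comment describes, as an added example that is not the code of either linked plugin: a hypothetical WordPress plugin that overrides the pluggable `wp_hash_password()`/`wp_check_password()` to use Argon2id (bcrypt where PHP lacks Argon2 support), verifies and transparently upgrades existing phpass (`$P$`/`$H$`) hashes on login, and attaches a nonce to the comment form that is checked before a comment is accepted. It assumes it runs inside WordPress, which supplies the hooks, the pluggable functions and the bundled `PasswordHash` class; the action name `post_comment_<id>` and the field name `_wp_comment_nonce` are my own choices.

```php
<?php
/**
 * Plugin Name: Example: Argon2id password hashing and comment-form nonce
 * Description: Illustrative plugin, not the code of the plugins linked above.
 */

// Assumption: loaded by WordPress as a plugin. Plugins load before
// wp-includes/pluggable.php, so defining these two functions here replaces
// the core phpass-based implementations.

if ( ! function_exists( 'wp_hash_password' ) ) {
	function wp_hash_password( $password ) {
		// Argon2id needs PHP built with Argon2 support; otherwise use bcrypt.
		// Note: bcrypt silently truncates input at 72 bytes.
		$algo = defined( 'PASSWORD_ARGON2ID' ) ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
		return password_hash( $password, $algo );
	}
}

if ( ! function_exists( 'wp_check_password' ) ) {
	function wp_check_password( $password, $hash, $user_id = '' ) {
		$algo = defined( 'PASSWORD_ARGON2ID' ) ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;

		if ( 0 === strpos( $hash, '$P$' ) || 0 === strpos( $hash, '$H$' ) ) {
			// Legacy phpass hash: verify with the class WordPress ships, then
			// rehash with the new algorithm on a successful login. wp_set_password()
			// calls wp_hash_password() above, so the stored hash is upgraded.
			require_once ABSPATH . WPINC . '/class-phpass.php';
			$hasher = new PasswordHash( 8, true );
			$ok     = $hasher->CheckPassword( $password, $hash );
			if ( $ok && $user_id ) {
				wp_set_password( $password, $user_id );
			}
			return apply_filters( 'check_password', $ok, $password, $hash, $user_id );
		}

		// Modern hash: constant-time verify, and re-hash if the algorithm or
		// cost parameters no longer match what wp_hash_password() produces.
		$ok = password_verify( $password, $hash );
		if ( $ok && $user_id && password_needs_rehash( $hash, $algo ) ) {
			wp_set_password( $password, $user_id );
		}
		return apply_filters( 'check_password', $ok, $password, $hash, $user_id );
	}
}

// Comment-form CSRF token. 'comment_form' fires inside the <form>, after the
// fields, with the post ID; the nonce is bound to that post.
add_action( 'comment_form', function ( $post_id ) {
	wp_nonce_field( 'post_comment_' . $post_id, '_wp_comment_nonce', false );
} );

// 'pre_comment_on_post' fires in wp_handle_comment_submission() before the
// comment is inserted; reject the request if the nonce is missing or invalid.
add_action( 'pre_comment_on_post', function ( $post_id ) {
	$nonce = isset( $_POST['_wp_comment_nonce'] ) ? (string) $_POST['_wp_comment_nonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'post_comment_' . $post_id ) ) {
		wp_die( 'Invalid or expired form token.', 'Comment rejected', array( 'response' => 403 ) );
	}
} );
```

One caveat worth knowing before relying on the nonce for anonymous commenters: `wp_create_nonce()` derives the token from the current user ID and session token, which for a logged-out visitor are 0 and an empty string. The anonymous nonce is therefore the same value for every visitor within its 12 to 24 hour validity window, so it defeats a blind cross-site POST but not an attacker who fetches the form once themselves; a per-visitor token would need its own cookie or session. Full-page caching can also serve a form whose nonce has already expired, which shows up as rejected comments rather than as a security failure.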