- move wp-config up 1 dir, perms of 600 http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php
- disallow into wp-includes/wp-admin dirs
- move mu-plugins into wp-content
- if a new site, move htaccess file into place. If existing site, check and merge htaccess