How many times do I need to tell people not to use wordpress? :P
1. Put an IP lock on the login page via .htaccess so that it can't be accessed from anywhere else but your IP - this one change alone can stop a significant percentage of intruders.
2. Add this line to the .htaccess file at the top level of your WordPress install - <FilesMatch ^wp-config.php$>deny from all</FilesMatch> - it'll make it harder for your database username and password to fall into the wrong hands in the event of a server problem
3. Create an empty wp-content/plugins/index.html file. Otherwise, you leak information on the plugins you're running. One of the easiest ways to break into a wordpress site is to hack through outdated/unsecure plugins. So don't let anyone see what plugins you're running to begin with.
4. In the header.php file for your theme, look for - <meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” /> - this line reveals the version of your install. Again, hackers look for wordpress sites that haven't updated to the latest version, so delete this line and don't reveal your site's version.
5. Remove 'Really Simple Discovery' and 'Windows Live Writer' - http://falcon1986.wordpress.com/2009/07/15/remove-unwanted-w...
6. Block injection of malicious code with these 2 steps - http://wpcult.com/wordpress-security-hacks/
7. Whenever wordPress patches a security hole or releases a new version, apply it/upgrade to it immediately
The above steps should stop everyone but the most dedicated intruder. This is a lot more efficient than boycotting wordpress altogether.
<?php
// Silence is golden.
?>
> Maybe you should tell them to secure their wordpress install instead
Hence the ":P", my comment was mostly in jest.
> 3. Create an empty wp-content/plugins/index.html file - otherwise you leak information on which plug-ins you run
It's better to just disable indexes on the entire site. That prevents anyone from poking around.
Options -Indexes FollowSymLinks
Wordpress has a history of being extremely vulnerable. I don't know how much of it is user error and how much of it is related to the way php is normally configured and used.
PHP invites uploading malicious scripts. Something like Ruby on Rails (or Django) has the code for the application loaded into ram. Static files are served out of the public folder, away from any code. This makes uploading malicious scripts useless, provided someone hasn't turned on php or cgi for the public folder. (Which you should never do) Every php application I've seen or worked on has mixed code with static files and the webserver had write permissions to every folder in the application. Additionally, anyone that doesn't abstract from the database with a query generator or an ORM is asking for sql injection.
That is why I don't care for wordpress. :)
(Am I bitter? Oh yes, most definitely. :P)