I have dealt with a couple of different situations where a user's WordPress site has been hacked. I understand there are a number of factors that can play into this, but I am curious about what you do during your installation process to keep your WordPress install secure.
I subscribe to the Digging into WordPress way, where you install in a separate directory other than the root. What about you?
I cannot say for sure that these sites were hacked because of something that I did, but I would like to make sure that I am doing what I can to protect each site I set up.
I had a situation recently where someone gained access to several critical files in the wp-includes directory through a thumbnail function (TimThumb) within a slider that was installed with a security hole. They didn't have any real lasting or good control over anything, but they were able to insert malicious code into a few of the files.
Another +1 for "website defender". Also, I lock down my admin root with a .htaccess that only allows me to log in from certain IP addresses. I'm also running a "stop" bad queries script in my plugins folder.
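For anyone wanting to do the same IP lock-down on the login page and admin area, here is an added example of what that .htaccess looks like. It is not the poster's own file; the IP ranges are placeholders to replace with your own, and it assumes Apache with mod_authz_core (2.4) or mod_authz_host (2.2) and that the site root is where wp-login.php lives.

```apache
# Added example, not the poster's configuration.
# 203.0.113.0/24 and 198.51.100.7 are placeholder addresses; use your own.

# --- site root .htaccess: only trusted IPs may reach the login form ---
<Files "wp-login.php">
    # Apache 2.4+: several Require lines default to "any one matches"
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
        Allow from 198.51.100.7
    </IfModule>
</Files>

# --- wp-admin/.htaccess: same rule for the whole admin directory ---
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 198.51.100.7
</IfModule>

# Themes and plugins call admin-ajax.php from the public front end,
# so that one file has to stay reachable for anonymous visitors.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Two caveats before relying on this: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address unless mod_remoteip (or the equivalent) restores the real client IP, and a dynamic home IP will eventually lock you out of your own admin. It also does nothing for the kind of hole described earlier in the thread, where the attacker came in through a vulnerable slider script rather than through wp-login.php, so keep plugins and themes patched as well.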