by neurotech1 5866 days ago
Part of the problem is that a lot of security advisories basically say "run the latest version".

Restricting access with .htaccess is a good idea; http://www.themepremium.com/wordpress-security-restrict-wp-c...


If you fail to upgrade immediately, malware is often installed and remains after an upgrade. I missed one site by a day and got infected. The default option to print the WP version in the <head> of each blog would certainly lower the likelihood of a script finding an outdated site. Unfortunately once hacked, truly cleaning the site requires

1. Backing up the theme and making a list of the plugins installed
2. Inspecting the theme for any hacks (difficult if you wrote your own)
3. Deleting _all_ files
4. Walking through the wp_options table for any leftover holes (very difficult)
5. Re-installing WP
6. Re-installing the theme and plugins

The WP team needs to work something like what you linked to into the core.

I'm actively reviewing WordPress 3.0 beta for upgrade and plug-ins. Once I've got the .htaccess fix working in 3.0 beta I'll post the patch.

There are a few ideas I'm considering for securing and monitoring WP installations for intrusions.
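The wp_options walkthrough in the cleanup list above is tedious because injected code hides inside serialized widget and theme settings. This added example (not from the thread's participants) scans option rows for the usual leftovers; it assumes you have already exported `option_name, option_value` pairs from the table, and the sample rows are constructed, not taken from a real site.

```python
import re

# Constructed sample rows (option_name, option_value), shaped like a
# wp_options export. They are illustrative only, not from a real site.
SAMPLE_ROWS = [
    ("siteurl", "http://example.com"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("widget_text",
     'a:1:{i:2;a:1:{s:4:"text";s:40:"<?php eval(base64_decode(\'aGVsbG8=\')); ?>";}}'),
    ("footer_html", '<script src="http://attacker.example/x.js"></script>'),
    ("blogdescription", "Just another WordPress site"),
]

# Indicators commonly left behind in option values after a compromise.
# Each hit is a lead for manual review, not proof by itself.
PATTERNS = {
    "php_eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "php_tag": re.compile(r"<\?php", re.I),
    "external_script": re.compile(r"<script[^>]+src=[\"']?https?://", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(display\s*:\s*none|width=[\"']?0)", re.I),
}


def scan_wp_options(rows):
    """Return [(option_name, [indicator, ...])] for rows matching any pattern."""
    findings = []
    for name, value in rows:
        hits = [label for label, rx in PATTERNS.items() if rx.search(value)]
        if hits:
            findings.append((name, hits))
    return findings


if __name__ == "__main__":
    for name, hits in scan_wp_options(SAMPLE_ROWS):
        print(f"{name}: {', '.join(hits)}")
```

On a real site, feed the function the rows from `SELECT option_name, option_value FROM wp_options` and review every flagged row by hand before deleting anything.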