by eksith 4814 days ago
That's usually the first mod done for clients who insist on using WP. For a few clients specifically, we don't let any users set their passwords at all; they get a randomly generated password upon registering or reset.

WP is a good platform that does a lot out of the box (performance could use some work too though), so I don't think we should throw the baby out with the bathwater. There's just some housekeeping that needs to be taken care of beforehand.

The alternative, of course, is building something custom with the bare minimum of necessities server-side and scrubbing all input/global vars. A lot of flexibility can still be retained by implementing a taxonomy system that defines what posts can be (which is pretty much a very loose Entity-Attribute-Value model).
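The forced-random-password policy described in the comment above, written out as an added example (this is not the commenter's code and not part of WordPress itself). It assumes a WordPress 5.1 or newer install where the file is dropped into wp-content/mu-plugins/, that outgoing mail works, and that the hypothetical helper name frp_issue_password() does not collide with anything else on the site:

```php
<?php
/*
 * Plugin Name: Forced random passwords (mu-plugin, added example)
 * Drop into wp-content/mu-plugins/. Users never choose a password:
 * registration and password resets both issue a wp_generate_password()
 * value that is emailed to the account address.
 * Assumes WordPress >= 5.1 (WP_Error::has_errors()).
 */

// Hide the "New Password" fields on profile.php / user-edit.php.
add_filter( 'show_password_fields', '__return_false' );

// Belt and braces: reject any password submitted through the profile form,
// even if another plugin re-enables the fields or the POST is hand-crafted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $_POST['pass1'] ) ) {
        $errors->add( 'forced_random_pw',
            'Passwords are issued by the site and cannot be set manually.' );
    }
}, 10, 3 );

// Hypothetical helper: issue a fresh random password and mail it to the owner.
function frp_issue_password( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false;
    }
    // 24 chars, with special characters: well beyond anything a user would pick.
    $password = wp_generate_password( 24, true, true );
    // Stores only the hash; existing auth cookies embed a fragment of the old
    // hash, so they stop validating once this runs.
    wp_set_password( $password, $user_id );
    wp_mail(
        $user->user_email,
        sprintf( '[%s] Your new password', get_bloginfo( 'name' ) ),
        "Username: {$user->user_login}\nPassword: {$password}\n"
    );
    return true;
}

// New registrations: overwrite whatever password the registration form stored.
add_action( 'user_register', 'frp_issue_password' );

// Password reset: once the user reaches the "set new password" form with a
// valid key and submits a password, ignore the chosen value, issue a random
// one, and block the form's own reset_password() call by adding an error.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! $errors->has_errors() && isset( $_POST['pass1'] ) ) {
        frp_issue_password( $user->ID );
        $errors->add( 'forced_random_pw',
            'A new random password has been emailed to you.' );
    }
}, 10, 2 );
```

The caveat a practitioner should keep in mind: this moves the security boundary to the user's mailbox, since the plaintext password travels over email. It also does nothing about the login endpoint itself, so rate limiting or lockout on wp-login.php (what the plugins discussed below provide) is still needed.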


Which particular plugin would you recommend?
I've been using Better WP Security, one of the two linked in the article, and have nothing but good things to say. And the developer is on top of it.
Ditto for BWPS. You always want to pick plugins where the developers are actively participating in the community and regularly staying on top of any potential security issues.
http://www.wordfence.com/ here. I've had it implemented ever since I started noticing these attacks.