Note that you could tell me that Wordpress has changed drastically for the better since I stopped paying attention to it. I would concede that you might be right, but wouldn't change my recommendation at all. It's simply not worth arguing about. Here goes:
* It's written in PHP, a platform on which "remote file inclusion" vulnerabilities --- where attackers can source code to run on the server from MySpace --- continue to be found. I hesitate to bring this up, since (for instance) the last public vBulletin flaw that would have cost you your site goes back to 2008.
* It has an authentication design that uses the same database tables to track administrators who can run code on the site and anonymous Internet commenters.
* It has a template language that allows graphic designers to write templates that run code on your server.
* It hand-codes SQL statements largely out of concatenated queries.
* It is internationalized but has no coherent strategy for dealing with character sets and input filtering, on which it relies heavily, resulting in relatively recent vulnerabilities enabled by, for instance, UTF-7 inputs.
* It includes in the admin interface an editor for site templates that amounts to a remote login to the server, since, again, templates can run code.
* It has a vibrant community of plugins implemented by people who know exactly enough PHP to get their code working, which means every one of these flaws is repeated for every plugin developer.
Also: it's impossible to move or rename the admin directory in Wordpress without modifying a bunch of its code. This IMO is grievously stupid, because attackers can (and do) throw injection attempts all day long at the admin bits of Wordpress sites.
I was referencing that correct file permissions, on a dedicated server, with a well-selected user (NOT admin) will go a LONG way in making it safer. Also, putting in the time to shore up the main holes is 100% worth it. Sure, there are holes in it, just like ANY framework. Simply setting it up right helps a ton. My comment is directed to people who just unzip, dump it on a shared GoDaddy server, and wonder why it gets hacked.
Everything that you just mentioned, at best, protects the server environment from Wordpress vulnerabilities -- and that's assuming that a novice could set up a dedicated server as tightly as good hosting companies set up shared hosts.
None of your recommendations do anything to make Wordpress itself any safer, and if the Wordpress db gets compromised (which happened recently to a lot of folks), then you still don't have much of a site left.