I've met several of the WordPress developers through WordCamp. Based upon my experience, these guys are not security people. Most of the security fixes that they add to updates come from reports from contributors outside of their circle. Yeah, they are way too focused on adding bells and whistles that users really do not need. My impression is that they are constantly striving to push the limits of their programming skills. For the most part, they have done a good job with that and we can't complain about the price.
Originally Posted by Shenron
Most of the updates in recent years have included numerous security fixes. WordPress security is a lot tighter than it once was, but when you are dealing with open source code any really good hacker can find some way to break in.
If you adhere to good security "best practices" to harden your sites, you will probably never have a problem. I have several WP blogs and have never had anyone break into any of them. If you have a VPS or dedicated server, a firewall is something that is absolutely necessary. You can use the best security practices in the world with your web site, but if the server security is lax, it won't protect your sites.
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -- Benjamin Franklin