Today I've found several open WordPress directories, which were accessible via the browser and open to cross site scripting attacks.
All of the bespoken core WP directory files were NOT protected via a .htaccess file, I've tested ten sites with eight (!) open WP directories.

So before accusing your CMS system, rewrite your .htaccess file, make it secure, chmod it, then test it (important point).
The tested sites were all designer sites with portfolio, blog and so on, strange, as it implies that design is a major point, but security is apparently not.

Strongly recommended:

Additional tips:

Tip 1 :

Remove WordPress ‘version string’ in your theme files
Go to WordPress dashboard, click on presentation -> edit themes -> header.php
Find and remove this. bloginfo('version') Save the file.

Tip 2 :

Place empty ‘index.html’ file in the plugins folder
Open Notepad. Click ’save as’ and save the file as index.html (be sure to change the filetype from text files to all files)
Upload the file to the WordPress plugins folder at your web server.

Tip 3:

Upload a copy of .htaccess file in the wp-admin folder
Using FTP program or your webserver file manager, go to the root folder of your server and download .htaccess file (set ’show hidden files’ first if you’re using FTP program such as FileZilla)
Go to your wp-admin folder
Upload the .htaccess file you’ve downloaded just now.

Tip 4:

You can also disallow users pretending to be search engine/ search engines from crawling the core WordPress folders by putting these in your robot.txt file (upload the file to root of your WordPress installation folder when you’ve finished).

# This rule means it applies to all user-agents
User-agent: *

# Disallow all directories and files within
Disallow: /wp-admin/
Disallow: /wp-includes/

Tip 5:

Password protect the wp-admin directory:
Create a file within your wp-admin directory named “.htaccess” if there isn’t already one.
Create a file ABOVE YOUR PUBLIC_HTML directory named “.htpasswd”. Make sure you put this outside the web accessible directory or someone could read your password! Usually this is where you go when you first login to your ftp programm.
Append the following contents to the “.htpasswd” file where xxxx = your username and yyyy = your password:

Tip 6:

Append the following to your “.htaccess” file inside of your wp-admin directory. Make sure you use the absolute path to the “.htaccess” file. If you don’t know, ask your ISP. xxxx = the username that you entered in your “.htpasswd” directory:
AuthUserFile /home/username/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user xxxx

Tip 7:

Restrict access to the wp-content and wp-includes directories:
Create a file within your wp-content and wp-includes directory named “.htaccess” if there isn’t already one.
Append the following to the “.htaccess” file. NOTE: you may have trouble with some plugins with this method:
Order Allow,Deny
Deny from all
<Files ~ “.(css|jpe?g|png|gif|js)$”>
Allow from all

Download as PDF

Important Note: Please ensure that your WordPress files and database are backed up before attempting any of these changes.

For more info about how to secure your WordPress installation, please head over to these Security tips or this useful article, where numerous ways are described and how to prevent them.

WordPress security