Topic title is flatly wrong.
If someone’s WordPress site is down every month because of hacking, it is either (a) a matter of the craftsman and not the tools or (b) there is something about the site content that is particularly inviting to hackers.
Regarding (a)
Of the web site tools available, WordPress is easily the best for security, particularly for the non-technical web admin. Alternatives such as Joomla may have their place, but they do get hacked and often the consequences are sweeping.
If you are a person who wants to do absolutely nothing with your site, nothing such as keeping it updated or subscribing to relevant news feeds for the occasional notice, then you should not operate a web site. Use something like Google Sites or WordPress.com. They give you free blogs and maintain all the code for you, for heaven’s sake. For free.
There are lots of WordPress security hardening tools that require very minimal effort to use and LOTS of free help in using them. I recommend ZBBlock for its extensive security capabilities, but there are easier ones like the recently much discussed Bullet Proof.
So @amarbir, when you change to an alternate platform, please come back and report on the decrease in attacks. I predict there will be none. I own quite a few domains myself with more than a dozen set up purely as traps. They host no WordPress or other actual web site code. Just an index.php page and ZBBlock. They get hit with the same number of attacks as the domains running WordPress. This is not an abstract speculation, it is my real world experience. Certainly lots of the attacks are against wp-login.php, but many target Joomla, lots against phpmyadmin and a dizzy array of form submission attack types.
WordPress is the most widely used so it is to be expected that hackers will include it most heavily in their hacking campaigns. So it’s just factually wrong to talk about
alternative blogging scripts that are not that hacker friendly and are more secure
There are none that accurately fit those criteria.
The 3.5 upgrade did throw one significant curve ball, which was the introduction of square brackets [] into http strings. Which the team identified in the update checklist: http://wordpress.org/support/topic/troubleshooting-wordpress-35-master-list, although one might skip over by accident as it titles that segment as “PerishablePress “5G” blacklist.” Some of my own custom htaccess rules broke as well so some other internals may have changed too. But it was enough to know to trial those rules and I was fully operational in perhaps half an hour.
Regarding (b)
Sites that actively host web mail are highly prized by hackers and therefore highly targeted. Sites that run file sharing are highly prized by hackers and therefore highly targeted. URLs that are posted to Facebook or Twitter result in an immediate flood of automated bot attacks.
Even certain keywords trigger sustained hacking attacks. For example on a site I host there is a mildly amusing article detailing the historical view of garlic as an aphrodisiac. About two months after that article went live, Russian- and Chinese-origin bots starting flocking to the url. It’s been up for a year and they still come even though they are invariably redirected to their localhost. My speculation is that the bots use the results of search engine queries and one of their included triggers is “aphrodisiac.”
Conclusion
There could be a number of reasons why WordPress may not be the right platform for a given person, but security is not one of them.
