I followed all the WordPress recommending security measures for the manual install of WordPress and everything is currently okay. I have questions though as to how far one should go in preventing attacks. I am hoping someone can read my questions and see if I am clear on doing everything within reason to prevent an attack.
1. To gain access to my WordPress site or database they would have to either know my WordPress, or hosts user name and password that I use right? Changing these often isn't enough?
2. FTP uploading is only dangerous to attack during the actual uploading right? After you disconnect things shouldn't matter?
3. I have been told to not upload to many themes you are not currently using, but how is this worthy of attack if they are not active? Shouldn't it not matter how many themes you have sitting around? Only the one that is Active would be at risk right?
4. I heard moving the config.php file out of the root directory and placing it somewhere else is a good way to prevent bots from guessing its location, but doesn't that also screw up your server file hierarchy causing problems for WordPress to run? Or is that not a problem to move?
Thanks all for your time and advice.