Many attacks can be prevented with proper use of the security features of the operating system running on the web server. Many CMS and blog solutions advice you to give write access to the script files and directories of those packages. This makes it easier to install updates and plugins through the web interface, but the downside is that attacks coming through the web interface also have potential access to those files.

On my Linux server all PHP and other script files are in directories owned by a third user (not root and not the user running the Apache or MySQL processes) and both the directories and script files are set to read only at the operating system level. Updating the software takes a little bit more actions as the files first have to be unlocked, but that is easily compensated by peace of mind that no attack over HTTP will be able to touch the script files.

Frequent updates. I also try to avoid plugins & software that have a history of exploit problems. Some CMS' get a bad rap but most of the time the reason those installations get hacked is because they weren't up to date- user error.