Is the site 100% wordpress? (The reason I ask is any other scripts, content management systems, etc.. on the site could have left the door open).
Always keep wordpress updated is the #1 rule. Last I heard there are a half-million installs of the self-hosted version - so it's a big target for hackers -- as soon as they find an exploit, they attack as many sites as possible.
Don't use "admin" for the admin name -- that leaves hackers only having to guess the password (which can be done by automated means).
Don't allow code in comments.
Don't allow new users to post comments until you moderate them.
Don't download plug-ins, themes, or other add-ons from sites that you don't know you can trust.
Make sure there are index.php files in all directories (empty files named index.php, index.html, or index.htm will keep hackers from browsing your site's WP folders looking for attack points).
Don't display "Proudly powered by Wordpress version X.xx" on your web facing pages -- this is just an open invite to hackers and lets them know more than they need to about the site.
Install wordpress somewhere other than the default installation folder.
For more tips, see: [codex.wordpress.org
Create an account and and ask around in the forums at [wordpress.org
...] ... .check the ratings history or updates, visit the author's site, and otherwise "do due dilligence" before installing plug-ins or add-ons -- and only install what you absolutely need -- don't try every cool looking new widget. If you do try something out and don't use it, delete it and everything that came with it.
there's a few ideas...