Re: High profile target and popular CMS' (Score 5, Informative)
I run a fairly high-profile Drupal site, and this has always been a large concern for us.
Our solution was basically to disable user logins completely. An overwhelming number of the exploits require you to log in, so by removing this prerequisite, we basically avoided the problem.
Security isn't exactly a priority for Drupal either; it's almost added as an afterthought. To put things in perspective, their login page doesn't even support SSL by default in either Drupal 5 or Drupal 6. To me that's verging on pathetic.
We were lucky because user logins weren't a core part of our site concept when we implemented the site. I am now thinking that it might be a good way to go in the future, but I'm mostly petrified of this problem.
On the bright side of things they include a large number of extensions, and things mostly work as advertised, so we found this to be our best option out of all the open source CMSes we tried.