I know that being open source does not necessarily make the program more / less secure than a closed source (let's say this neutrality to keep the flames from this message). Fact: since the source code is open, everyone knows your default URLs, default admin logins, etc.
I use Wordpress and Joomla in some projects of my clients, and I always try to create some additional security. Excluding always updating your files to the latest version, what do you usually do to add extra security to this scenario? Some of my thoughts:
I always change the admin name when applicable;
I would not want to explain what technologies I use, but since I want to promote cms (I think this is the minimum that I should do), I just donβt tell the exact version so the attackers donβt know which vulnerabilities they can attack (wordpress automatically creates a meta tag in html saying "Wordpress 2.8.4", for example);
Set the correct permissions in the directories and bash scripts on my server that work every day when setting 0h to 755 in a directory, which I may have changed to 775 during the day and forgot to return;
When applicable, I set the apache configuration to limit ips.
What else should I do? What out of the box solutions do you usually make for your installations?