I'll echo Herko's statement. The core is pretty secure and attention is paid to these unseen details. The latest 2.07 release fixes one that is being targeted right now. Thank you X.
Some things to do:
Try to run as much, if not all, of your site with PHP's Register_Globals = Off.
Monitor your server logs and look for suspicious activity.
Run the latest and greatest versions of Apache, PHP, MySQL etc.
Firewall
Consider excluding certain modules from search engines (robots.txt) if the module has little relevance on a search engine or if in doubt about the security. Crackers use the search engine to find specific modules in a targeted attack.
Keep up to date with news about cracks and updates. The crackers do and so should you.
Don't go overboard with bling on the site if it doesn't actually enhance the content. Statistics, chat/shout, beta/alpha releases, and some other underdeveloped apps left open to anonymous users can be risky.
I can tell you that my server is targeted almost daily with XOOPS specific crack attempts. For now I'm safe since I know what they are doing and I'm not vulnerable to the attacks I've seen so far. But I don't relax.
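An added example, not part of the original post: one way to act on the log-monitoring and Register_Globals advice above is to flag requests whose query string tries to set PHP's reserved variable names or passes a URL as a parameter value. It assumes Apache "combined" log format; the sample lines, addresses, module paths and the two heuristics are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2005:10:01:22 +0000] "GET /modules/news/article.php?storyid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2005:10:02:41 +0000] "GET /modules/example/index.php?GLOBALS[config]=1 HTTP/1.1" 200 312 "-" "-"
198.51.100.4 - - [12/Mar/2005:10:03:05 +0000] "GET /modules/example/view.php?root_path=http://files.example.invalid/x.txt%3F HTTP/1.1" 404 210 "-" "-"
198.51.100.4 - - [12/Mar/2005:10:03:09 +0000] "GET /index.php?_SERVER%5BREMOTE_ADDR%5D=127.0.0.1 HTTP/1.1" 200 4100 "-" "-"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# Names a client should never supply; with register_globals on, request
# parameters are turned into script variables, so these are red flags.
RESERVED = {"GLOBALS", "_GET", "_POST", "_COOKIE", "_SERVER",
            "_SESSION", "_FILES", "_ENV", "_REQUEST"}
URL_VALUE_RE = re.compile(r"^(?:https?|ftp)://", re.I)

def classify(target):
    """Return the reasons a request target looks like variable injection."""
    reasons = []
    # parse_qsl percent-decodes names and values, so %5B/%5D brackets are caught too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        if base in RESERVED:
            reasons.append(f"reserved-name:{base}")
        if URL_VALUE_RE.match(value):
            reasons.append(f"url-value:{name}")
    return reasons

def scan(log_text):
    """Return (client_ip, status, target, reasons) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target, status = m.groups()
        reasons = classify(target)
        if reasons:
            hits.append((ip, int(status), target, reasons))
    return hits

if __name__ == "__main__":
    for ip, status, target, reasons in scan(SAMPLE_LOG):
        print(ip, status, ",".join(reasons), target)
```

A hit with a 200 status deserves a closer look than one with a 404, and repeated hits from one address are a candidate for a firewall rule.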