The folks at Textpattern fail to include a simple measure to deny hackers direct access to certain PHP scripts in include directories.

Create an .htaccess file with this one-liner:

deny from all  

Copy that file to these directories:

textpattern/include/  
textpattern/lib/  
textpattern/setup/  
textpattern/update/  

Dead simple, but why deny access anyway?

As a rule of thumb, good policies deny everyone as a first measure and then grant access to select individuals as needed. Direct access is unnecessary for Textpattern to work in this case, so deny access to those directories to prevent any abuse of their scripts.
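
The steps above as a shell function, added here as an example and not part of the original post. It goes beyond the one-liner by writing the Apache 2.4 form (`Require all denied`) alongside the 2.2-style `Deny from all`; the function names and the webroot argument are assumptions.

```shell
#!/bin/sh
# Added example: place a deny-all .htaccess in the four Textpattern
# directories listed above. Source this file, then run:
#   harden_textpattern /path/to/webroot   (path is an assumption)

# Emit rules that work on Apache 2.4 (mod_authz_core) and on 2.2.
htaccess_body() {
cat <<'EOF'
# Deny all direct HTTP access to this directory
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

harden_textpattern() {
    root=${1:-.}
    missing=0
    for dir in include lib setup update; do
        target="$root/textpattern/$dir"
        if [ ! -d "$target" ]; then
            # A directory may have been removed; report it and move on
            echo "skip: $target does not exist" >&2
            missing=$((missing + 1))
            continue
        fi
        if [ -e "$target/.htaccess" ]; then
            # Never overwrite rules an admin already placed here
            echo "keep: $target/.htaccess already exists" >&2
            continue
        fi
        htaccess_body > "$target/.htaccess" || return 2
        chmod 644 "$target/.htaccess"
        echo "wrote: $target/.htaccess"
    done
    # Non-zero when a listed directory was absent, so callers notice
    [ "$missing" -eq 0 ]
}
```

The files only take effect when the server's `AllowOverride` setting permits these directives, so request one of the scripts in a browser afterwards and confirm it returns 403.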