To be fair to biturd, the less you're willing to trust Wordpress defaults, the more hassle it is. Once you get to the point of writing a child theme and writing your own code to enforce an html whitelist (as I do) and setting secure defaults in the config file etc. then you're basically swimming against the current of Wordpress' own practicality. You might as well just pick up slim + twig + phpass and roll your own, and it would probably be more secure anyway.

Although I do wonder, if there isn't a good static blogging solution in PHP, why there isn't.