WordPress injection, directory traversal etc. vulnerabilities?

So one of my clients wants me to check his wordpress site for a list of common vulnerabilities such as SQL injection, OS command injection, directory traversal etc. My only problem is that I’m not knowledgeable in this area, I just install WordPress and tweak themes, and looking around on the internet I can’t seem to find any clear answer on whether these issues should be a concern or not (though I was always confident that WordPress takes care of whatever it can in terms of core vulnerabilities).

If possible, can someone give me a brief answer in terms of what I should do/think about when it comes to these issues (I have roughly translated this list from Japanese, some of these might not make sense):

SQL injection
– all user input fields should use placeholders for queries
– application variables should be used as SQL literals?

OS command injection
– there should be no way to access a shell

Directory traversal
– there should be no way to access server file names or structures
– when files are opened they shouldn’t give away their directory?

Session management
– it should be difficult to guess a session ID
– session ID shouldn’t be stored as a URL parameter
– HTTPS cookies’ attributes should be secure
– after logging in, confidential information should be sent separately from session ID

Cross site scripting
– all input should be escaped
– in URL input fields, only URLs starting with http:// or https:// should be accepted
– anything between <script> tags shouldn’t be dynamically created
– style sheets shouldn’t be imported from any other sites
– all input should be analysed for correct syntax
– HTTP response headers’ content-type should specify charset

Cross site scripting forgery
– all pages that do any processing should be accessed via POST methods, confidential information should be in “hidden parameters”, previous page automatically generated and checked against current page for discrepancies?
– before any processing ask for a password and recheck it against previous password
– only execute when referrer link is correct

HTTP header injection
– headers should be not directly output but output with use of APIs

There’s actually more to this list than what I’ve posted here but I want to know if these kinds of concerns have any merit at all before going through the trouble of translating the rest of the document. The site in question is also pretty simple and maybe some of this stuff doesn’t apply.

I’m also aware of the “hardening WordPress” article, are the steps outlined within enough to deal with all these issues or is there something else I should know? Thanks