I have a little demo site (admin details are listed publicly), and I’ve configured the wp-config.php
to disallow file edits, so in theory no one can install a theme / plugin.
// Disable the built-in theme/plugin file editor in wp-admin
define( 'DISALLOW_FILE_EDIT', true );
// Disable plugin/theme installs, updates and deletions from wp-admin
define( 'DISALLOW_FILE_MODS', true );
Yet lately I’ve noticed strange plugins & themes being installed on my demo site. I can see in the Apache logs that they’ve been trying to access plugin-install.php but failing with a 500 error.
The folder permissions are 755 on both plugins & themes, so the files can execute but only the user has write access.
Does anyone know how they might be doing it / where I’m going wrong?
Thanks
I would convert the site to a subsite on a multi-site instance; you can then have an approved list of plugins and themes. This answer might help more.
You could also create a new user type that does not have access to the plugins/themes areas and only publish those details.
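One way to implement the second suggestion (a published demo login that has no plugin or theme capabilities at all), as an added example that is not code from the question or the answer; it assumes a must-use plugin file under wp-content/mu-plugins/ and a role name "demo_manager" chosen here:

```php
<?php
/**
 * Plugin Name: Demo Manager Role (added example)
 * Description: Registers a "demo_manager" role cloned from the Editor
 * role, so the publicly shared login can manage content but cannot
 * reach plugin-install.php, theme-install.php or the file editors.
 * Place this file in wp-content/mu-plugins/ so it cannot be deactivated.
 */

// Plugin/theme capabilities that the demo login must never hold.
function demo_manager_blocked_caps() {
    return array(
        'install_plugins', 'upload_plugins', 'activate_plugins',
        'edit_plugins', 'delete_plugins', 'update_plugins',
        'install_themes', 'upload_themes', 'switch_themes',
        'edit_themes', 'delete_themes', 'update_themes',
    );
}

// Create the role once; roles persist in the database, so add_role()
// returns null on later requests and we skip it via get_role().
add_action( 'init', function () {
    if ( null !== get_role( 'demo_manager' ) ) {
        return;
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array( 'read' => true );
    foreach ( demo_manager_blocked_caps() as $cap ) {
        unset( $caps[ $cap ] ); // Editor does not have these, but be explicit.
    }
    add_role( 'demo_manager', 'Demo Manager', $caps );
} );

// Defence in depth: even if a plugin later grants one of the blocked
// capabilities to this role, deny it at capability-mapping time.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( ! in_array( $cap, demo_manager_blocked_caps(), true ) ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'demo_manager', (array) $user->roles, true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );
```

Publish only a demo_manager account's credentials and keep the real administrator login private; DISALLOW_FILE_MODS in wp-config.php still applies on top of this.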