• This is a great plugin! I just wish I had it installed before some @#$% found a flaw in a different plugin that allowed them to add their spam crap to my theme file. I now use WordPress Sentinel on all of the WP-based sites that I run. So far, it has only notified me of legitimate changes (“false” alarms), but I sleep a little better knowing that my WP installations are being monitored better than I can do just manually checking stuff constantly…

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi, thanks for the info. I wonder about 1 thing though. The Sentinel plugin tells you that someone changed your files… but it cannot prevent changes by unauthorized users? If that’s the case it needs that feature… maybe the developers can look at that? Thanks, Groggo

    Thread Starter NoProbRob911

    (@noprobrob911)

    I’m not the developer and do not know him/her/them, but here are my thoughts, for what they’re worth …

    There is no really perfect way to protect your files. Sure, you can make most of them read-only, but that then keeps you from using the built-in editing capabilities in WP (theme editor, plugin editor, etc.). Plus, some plugins need to be able to write to files as part of their legitimate operation.

    The problem is that if you write-protect the directories and files, you and your plugins cannot edit them. If you leave them unlocked, a “bad person” (TM) can, for example, find a plugin with poor security on your site and use it to mess with your files. That’s the Catch-22.

    It’s like nailing the doors and windows shut on your house. Sure it’s more secure, but then the burglar will just crawl down the chimney. Just when you think it’s secure, along comes a more determined burglar. Plus, I find that doorknob awfully handy when I want to leave or enter the house! This plugin is more like an alarm system than those nails. It doesn’t make the house inaccessible (including to me), but it lets me react faster when there is a break-in.

    By giving me an earlier heads-up to file changes, this plugin at least lets me get to the fix-up and deal with the problem sooner. I can check the logs to do some forensic investigation to determine point of entry, source of the attack, etc., and take my own steps to prevent it in the future.

    In the case I alluded to in my previous post, a small site that has little traffic and to which I don’t pay much attention fell victim. I didn’t notice it for about 2 months. Oh, sure I logged in to the admin panel many times during that period. But there was no obvious indication anywhere that a few lines of code had been added to one of the theme’s files. And the stuff that was added was not easily noticeable (“invisible” links to nasty sites and such helping provide SEO “legitimacy” to those sites). Two months is a lot of time for my little site to be advertising those — ahem — “products.”

    So secure your house (see Hardening WordPress on this site and search for “securing WordPress” or similar online), but use this plugin as your “alarm system.”

    Regarding security “lock-downs,” have you looked at the Better WP Security plugin? It’s worth a look.

    Again, just my own thoughts. Hope this helps… 🙂

    Good luck!

    Hi NoProbRob! Appreciate all your advice and I am sure there are hundreds of other users here that appreciate your comments! Thanks, Groggo

  • The topic ‘A must-have security enhancement’ is closed to new replies.