In order to secure wordpress from many types of hacks I propose the following:
1. Allow the user to generate a unique key stored in their database
2. Make integrated captcha optional whenever a file must be modified on the disk
3. When the user executes any action that will cause a file write to the disk (uploads a file, updates a plugin, adds a new theme, etc.) the captcha will be used to generate a one time unique file_write key (based off of original unique key + captcha by an algorithm).
4. The key would then be written to a write-permitted directory on disk that only the server can access.
5. The action would not be permitted until the site sees that file on the disk (the file would be removed at this point)
Alternatively something like inotify could be integrated to monitor the htdocs folder for any type of modification. If a modification occurs and the file_write_key was not populated properly then the site could be restored to the last known "approved" state (ex: the last known non-hacked backup of db and website)
Of course the user would need to have their wordpress prefix a long unique random string to prevent many types of sql injections from grabbing the unique key. Even so a hacker would still need to pass the captcha authentication.
Comments? Ideas? Modifications?