by greypowerOz 2771 days ago
I second this (but also as a learner, not a guru). I admin a server where nothing is writable by the user the webserver runs as, except manually modified items/folders where the CMS is expecting to upload images or PDFs etc. The hand-changed folders are non-executable by PHP. I'm sure there is a smarter solution, but since implementing this we haven't had a successful malware/deface incident.

Yep, this is my experience as well. I have had accounts get compromised because of a weak password (maybe 2FA will help). But also, accounts can be locked down to IP address (harder to manage, but helps more).

But does WP allow PHP to execute in user upload directories by default? I know this is more of a server setting, but it would make sense to test for this in WP admin and alert the user.
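A check along the lines the reply above asks for, as an added example that is not from this thread: it walks a web root, flags directories the web server user could write to that are not known upload locations, and flags upload locations whose PHP-execution block is missing or is itself writable by the web server. The upload paths, web uid/gid and the `.htaccess` marker strings are assumptions.

```python
import os
import stat

# Apache/mod_php directives commonly used to switch PHP off for a directory
# (assumed marker strings; under nginx or php-fpm the block lives in the
# server config instead, so check that there rather than in .htaccess).
PHP_OFF_MARKERS = ("php_flag engine off", "php_admin_flag engine off",
                   "SetHandler none", "RemoveHandler")

def writable_by_web(path, web_uid, web_gid):
    """Judge by ownership and mode bits, not os.access(), which answers for
    the *current* user (and always says yes when run as root); ACLs ignored."""
    st = os.stat(path)
    if st.st_uid == web_uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid == web_gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def php_blocked(upload_dir):
    """True if upload_dir carries an .htaccess that disables PHP execution."""
    ht = os.path.join(upload_dir, ".htaccess")
    if not os.path.isfile(ht):
        return False
    with open(ht, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    return any(m.lower() in text for m in PHP_OFF_MARKERS)

def audit(web_root, upload_dirs, web_uid, web_gid):
    """Return sorted (relative path, problem) findings for web_root."""
    uploads = [os.path.normpath(d) for d in upload_dirs]
    findings = set()
    for dirpath, _dirs, _files in os.walk(web_root):
        if not writable_by_web(dirpath, web_uid, web_gid):
            continue
        rel = os.path.normpath(os.path.relpath(dirpath, web_root))
        root = next((u for u in uploads
                     if rel == u or rel.startswith(u + os.sep)), None)
        if root is None:  # writable, but nobody expects uploads here
            findings.add((rel, "writable by web server but not an expected upload dir"))
            continue
        root_abs = os.path.join(web_root, root)
        if not php_blocked(root_abs):
            findings.add((root, "upload dir has no PHP execution block"))
        elif writable_by_web(os.path.join(root_abs, ".htaccess"), web_uid, web_gid):
            # a writable .htaccess can simply be replaced, so the block is moot
            findings.add((root, ".htaccess in upload dir is writable by web server"))
    return sorted(findings)
```

Run it as a user other than the web server user so the ownership test is meaningful, and pass the uid/gid the web server actually runs as (for example from `id www-data`).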