by porker 4217 days ago
Good tip. The other two changes I recommend are:

1. Disable PHP execution in the uploads directory (hmm, wonder if it'd work if I disabled it in the entire wp-content folder?).

2. Run PHP as a different user to the file owner.

Both of these are to minimise damage when an extension is exploited by a hacker (if it hasn't happened to you yet, it will do) and to reduce the damage done to the server/site.
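
An added example, not part of the original comment: a small shell audit that checks a WordPress tree against the two recommendations, reporting PHP-like files sitting in the uploads directory and files owned by the account PHP runs as. It assumes the default `wp-content/uploads` layout and that uploads is the only directory PHP needs to write to; the function names are hypothetical.

```shell
#!/bin/sh
# Audit helpers for the two hardening steps in the comment above.
# Assumptions: default wp-content/uploads layout; you know the PHP runtime account.

# Print every PHP-like file under uploads. With execution disabled there,
# nothing legitimate needs such a file, so each hit deserves review.
php_in_uploads() {
    root=$1
    find "$root/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' \
           -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# Print files and directories owned by the PHP runtime account, skipping
# uploads (assumed to be the one place PHP must write). When PHP runs as a
# different user to the file owner, this list should be empty.
owned_by_php_user() {
    root=$1
    php_user=$2   # user name or numeric uid
    find "$root" \( -type f -o -type d \) -user "$php_user" \
        ! -path "$root/wp-content/uploads" \
        ! -path "$root/wp-content/uploads/*" 2>/dev/null
}

# Summarise both checks; exit status 0 only when both lists are empty.
audit_wp() {
    root=$1
    php_user=$2
    n_php=$(php_in_uploads "$root" | wc -l | tr -d ' ')
    n_owned=$(owned_by_php_user "$root" "$php_user" | wc -l | tr -d ' ')
    echo "php_files_in_uploads=$n_php owned_by_php_user_outside_uploads=$n_owned"
    [ "$n_php" -eq 0 ] && [ "$n_owned" -eq 0 ]
}
```

Call it as `audit_wp /path/to/site php-user`, substituting the real document root and the account your PHP handler runs under.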