My web host is really negative about sites that update their own code. For WordPress, they promote using a CLI tool via ssh for installing and upgrading both core code and plugins, in order to avoid giving the web server account the ability to change the code on the site – in the name of preventing hijacking of the site for malicious purposes.
Thinking now about deploying my first Grav-based site. The flat-file nature of Grav is different from WordPress, of course, and my need for the admin interface makes it impossible to fully lock down the files, but I appreciate the spirit of the security concern.
I need the admin interface for non-technical content maintainers to add and edit pages, so I’m wondering if it makes sense to limit the code-updating stuff (Grav updates, plugins, etc.) to the Grav CLI or to manual operations, running in ssh. Doing this would let me remove the web account’s write access from most of the Grav directories. System areas of the admin interface would remain in place but would be non-functional, and could probably be hidden by judicious use of privileges.
Is this worth doing? Does leaving the user/pages subdirectory open to edit by the web account leave fundamentally the same vulnerabilities in place? Does the CLI have enough functionality for this to work smoothly? If I do go down this route, what other directories does the web account need write access to besides user/pages (for page editing via admin) and cache and logs (general operational functionality)?
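One way to apply the split the question describes, as an added example that is not from the original post: a deploy user owns the whole Grav tree and runs the CLI over ssh, while the web server's group gets write access only to user/pages, cache and logs. The web group name passed in and the bin/ path for the CLI scripts are assumptions.

```shell
#!/bin/sh
# Added example: restrict the web server account to the directories the
# question names, leaving the rest of the Grav tree read-only for it.
# Assumes a deploy user owns the tree and the web server runs under the
# group given as the second argument (e.g. www-data; placeholder here).
set -eu

# Directories the web account must write: user/pages for the admin page
# editor, cache and logs for normal operation. Everything else is code.
grav_writable_dirs() {
    printf '%s\n' user/pages cache logs
}

# Does the relative path $1 fall inside a web-writable directory?
# Useful for auditing which admin features will keep working.
grav_is_writable_path() {
    for d in $(grav_writable_dirs); do
        case "$1" in "$d"|"$d"/*) return 0 ;; esac
    done
    return 1
}

# Apply the policy: $1 is the Grav root, $2 the web server's group.
grav_lockdown() {
    root=$1; group=$2
    # Baseline: owner (deploy user) may write, group and others only read.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Keep the CLI entry points runnable for the ssh user (bin/ assumed).
    [ -d "$root/bin" ] && chmod 755 "$root/bin"/*
    # Re-open only the directories the web account needs, for its group.
    for d in $(grav_writable_dirs); do
        [ -d "$root/$d" ] || continue
        chgrp -R "$group" "$root/$d"
        find "$root/$d" -type d -exec chmod 775 {} +
        find "$root/$d" -type f -exec chmod 664 {} +
    done
}
```

After running this, Grav core, plugins and themes can only change through the deploy user's ssh session; a compromised admin session is limited to content under user/pages.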