i dont use the media uploads either – maybe i need to delete those files – i store everything on s3

Example: Say I’m an admin on your site, and you have it fully locked down. How do I hack you?

Answer: I go to the Media section, and upload a file. That file contains PHP code. I then access that code via a direct request to it at example.com/wp-content/uploads/whatever.php . Voila, I have written PHP code to your site and run it in the server context. The theme editor lets you do nothing more than that, really. And my PHP code can do more or less anything, including unlocking your theme and inserting spam links, etc, etc.

It’s not any more complicated to script this process, and I have indeed seen it done this way a lot. So making the theme read-only, while it makes sense from a certain perspective, doesn’t actually protect you from an attack that happens via the WP administration screens. If they have access to the theme editor, then they have admin rights already and don’t need it.

On the other hand, making files read-only will indeed protect against a direct attack from other users on a shared hosting environment. But that attack vector doesn’t involve WordPress at all.

So how were the links hidden in your footer CSS-wise? And what kind of link “goodness” did they leave for you? :)