WordPress.org has a nice section on Hardening WordPress detailing which directories can be "deny to all" etc. on the Apache server. Does one exist for Q2A?
What is the minimum public folder access required to have a functioning site but still be closed for file writes by less than favourable surfers?
I presume the plugins directory should be read-only to Apache and owner for a start. I also don't allow avatar or image uploads.
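An added example, not from the original post or the Q2A project: a small POSIX shell audit that lists every path under a web root the web server could write to, plus a helper that strips write permission from a directory such as the Q2A plugins directory. The web server group name and the install paths are assumptions you substitute for your own server.

```shell
#!/bin/sh
# Added example (not from the original post or the Q2A project).
# Assumptions: the web server runs under the group given as WEB_GROUP
# (e.g. www-data or apache), and ROOT is the Q2A document root.

# List every path under ROOT ($1) that is world-writable, or that is
# group-writable and owned by WEB_GROUP ($2). Empty output means the
# web server has no write access anywhere under ROOT.
audit_writable() {
    root=$1
    web_group=$2
    # -perm -002: others have write; -perm -020: group has write
    find "$root" \( -perm -002 -o \( -group "$web_group" -perm -020 \) \) -print | sort
}

# Remove write permission for owner, group and others from everything
# under $1 (e.g. the plugins directory). Execute bits are kept, so
# directories stay traversable and Apache can still read the PHP files.
make_readonly() {
    chmod -R a-w "$1"
}

# Count paths under $1 still writable by owner, group or others.
# 0 means make_readonly took effect on the whole tree.
count_writable() {
    find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}
```

Run `audit_writable /path/to/qa www-data` after deployment and again after each upgrade; anything it prints is a location the web server process could modify.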