In the installation guidance [https://docs.moodle.org/33/en/Installation_quick_guide], it says
Check the permissions and make sure that the web server does not have permissions to write to any of the files in the Moodle code directories (a very common root cause of sites being hacked).
I am interpreting this as the /var/www/moodle directory which is the webroot for our 3.4 installation on Ubuntu 16.04. If I set this directory to be read-only to the Apache2 user (www-data), surely installing plugins etc will not work? And thus upgrading existing plugins won't work?
Not sure how these two clash. Any advice appreciated.