Make php-fpm run as "nobody" user or equivalent in order to serve website read-only in a persistent way
Joel van der Voort commented
This would enable us to lock down permissions on the website. Especially for eCommerce this is becoming a hard requirement. We're seeing increased hacking attempts (with some of them successful). Offering the site in read-only would make it impossible to edit the files on the application level and therefore increase security for the end user, even when there's an exploit which would allow filesystem writes under normal execution. In this scenario we would allow some directories to have 777 permissions (for example images or other uploads and don't allow php execution on those directories) and don't allow writes on anything else by the PHP-FPM user.
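The layout the comment describes can be applied and audited with a small script. The following is an added example, not code from the feature request or from the project it was filed against: it assumes the PHP-FPM pool runs as an unprivileged account (the comment's "nobody", set with the pool file's `user` and `group` directives), that the document root is owned by a separate deploy account, and that exactly one upload subdirectory may be written by the pool user. The directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the feature request or the project it targets.
# It applies the read-only layout the comment describes to a document root and
# then audits the tree for drift. Assumptions: the PHP-FPM pool runs as an
# unprivileged user (`user = nobody` / `group = nobody` in the pool file), the
# tree is owned by a deploy account rather than the pool user, and one upload
# subdirectory is the only place the pool user may write. Run as root or as
# the deploy account that owns the tree.
set -eu

# harden_docroot DOCROOT UPLOAD_SUBDIR
# Because the files are owned by the deploy account and not by the pool user,
# 755 on directories and 644 on files means "read-only for PHP". Only the
# upload tree gets 777, as the comment proposes, so uploads can still land.
harden_docroot() {
  docroot=$1
  uploads=$1/$2
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  mkdir -p "$uploads"
  # Only directories need to be writable for new uploads; existing upload
  # files stay 644 so the pool user cannot rewrite them either.
  find "$uploads" -type d -exec chmod 777 {} +
}

# audit_docroot DOCROOT UPLOAD_SUBDIR
# Returns 0 when the tree matches the intended state and 1 otherwise, printing
# each finding. Check 1: anything world-writable outside the upload tree (the
# pool user could modify application code). Check 2: PHP source inside the
# upload tree (the web server must also refuse to execute PHP there, but such
# a file should never be present at all).
audit_docroot() {
  docroot=$1
  uploads=$1/$2
  status=0
  writable=$(find "$docroot" -path "$uploads" -prune -o -perm -002 -print)
  if [ -n "$writable" ]; then
    printf 'world-writable outside %s:\n%s\n' "$uploads" "$writable"
    status=1
  fi
  if [ -d "$uploads" ]; then
    php=$(find "$uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print)
    if [ -n "$php" ]; then
      printf 'PHP source under upload tree:\n%s\n' "$php"
      status=1
    fi
  fi
  return "$status"
}

# Usage (constructed paths):
#   harden_docroot /var/www/shop uploads
#   audit_docroot  /var/www/shop uploads
```

The audit is worth scheduling (cron or a CI step after each deploy), because the read-only state only holds as long as nobody loosens it: a single `chmod 777` on an application directory, or a `.php` file dropped into the upload tree, is exactly what the request is trying to make impossible, and the script reports both. The "no PHP execution in upload directories" half of the comment still has to be enforced in the web server or pool configuration; file permissions alone do not stop the FastCGI socket from being handed a path under the upload tree.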