Can I use the Apache Server directive "Require all denied" to lock down the writable directories "albums/", "include/", "logs/", and "plugins/" ???
As long as the script can still read and write to those directories it should no be a problem. Linux security is a bit of a dark art I am afraid. Last time I did a course in Red Hat there was an exam going on in the room next door. Grown men were in tears.