On hosting, should files have 644 permissions? Why not 444 (I might be wrong)? I mean fully removing write access to files. Like, I have a WordPress blog; remove all write access to all PHP files, so no one can write into them?
644 = Owner can write/read. Everyone else can just read. 444 = Everyone can just read. The reason 644 is common is that an owner can simply change the permissions to do whatever anyway. If you are on shared hosting and are trying to stop other people on the server from modifying your files, and you don't need to modify them via a script, chmod 444. It *may* offer slightly better protection. But I'm assuming the attacker isn't using a script that changes the permissions first. I'm not a fan of shared hosting. If you can't go dedicated, a VPS is the next closest thing.
It doesn't require write access, but you should be perfectly fine with a 644 setting - it will almost always make your life easier as well, because if you change it to 444, no form of automatic update functions will work properly (as the scripts can't change / update other files). If the hosting you're on is set up correctly, you're the only user who should have access to your setup / directory, and changing stuff to 444 from 644 shouldn't make much of a difference, since users getting past other security measures will most likely be able to change it as they please. As for unwanted scripts and similar happenings, knowing what you install would be a great first step...
I don't think .php files will require write access; you should run the PHP file using a web server like Apache. But if you want to upload a file to a particular folder using a PHP page, you will have to give write permission for uploading content at run time.
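
An added example, not written by anyone in the thread: a small shell audit for the cases discussed above. It lists files that group or others can write (anything looser than 644) and shows that a 444 file can still be rewritten by a process running as its owner. The function names and the sample tree built under a temp directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: permission audit for a web root (constructed sample data only).

# Print regular files that group or others can write, i.e. looser than 644.
loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Set a file to 444, then act as its owner: restore the write bit and append.
# Returns 0 when the write succeeded, showing 444 does not stop the owner.
owner_can_reopen() {
    chmod 444 "$1" || return 2
    chmod u+w "$1" && printf '// appended by owner\n' >> "$1"
}

# Build a constructed WordPress-like tree with one file per case in the thread.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads"
    for f in index.php wp-config.php wp-content/plugin.php; do
        printf '<?php // constructed sample\n' > "$root/$f"
    done
    chmod 644 "$root/index.php"              # owner read/write, others read
    chmod 444 "$root/wp-config.php"          # read-only for everyone
    chmod 666 "$root/wp-content/plugin.php"  # writable by everyone: flagged
    chmod 755 "$root/wp-content/uploads"     # only the owner can add uploads
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
root=$(make_sample)
echo "Writable by group/other:"
loose_files "$root"
if owner_can_reopen "$root/wp-config.php"; then
    echo "444 file was rewritten by a process running as its owner"
fi
rm -rf "$root"
```

On shared hosting where PHP runs as the account owner, the second result is why 444 adds little against code already executing as that user, while the first check catches the modes that let other accounts write.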