I have a little demo site (admin details are listed publicly), and I’ve configured the wp-config.php to disallow file edits, so in theory no one can install a theme / plugin.

define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );

Yet lately I’ve noticed strange plugins & themes being installed on my demo site. I can see in the apache logs that they’ve been trying to access plugin-install.php but failing with a 500 error.

The folder permissions are 755 on both plugins & themes, so the files can execute but only the user has write access.

Does anyone know how they might be doing it / where I’m going wrong?

Thanks

1 Answer

I would convert the site to a subsite on a multi-site instance; you can then have an approved list of plugins and themes. This answer might help more.

You could also create a new user type that does not have access to the plugins/themes areas and only publish those details.
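As an added example (my own, not from the question or the answer), the script below checks the two wp-config.php constants from the question and compares wp-content/plugins and wp-content/themes against an approved list, as the answer suggests, flagging anything unexpected or writable by group/other. The function names and the throw-away wp-content tree in demo() are constructed for this illustration.

```python
import os
import re
import stat
import tempfile

# Matches define( 'DISALLOW_FILE_EDIT', true ); and the _MODS variant (constructed regex).
DEFINE_RE = re.compile(
    r"define\(\s*['\"](DISALLOW_FILE_(?:EDIT|MODS))['\"]\s*,\s*(true|false)\s*\)",
    re.IGNORECASE,
)

def lockdown_constants(wp_config_text):
    """Return {'DISALLOW_FILE_EDIT': bool, 'DISALLOW_FILE_MODS': bool} as set in wp-config.php."""
    found = {"DISALLOW_FILE_EDIT": False, "DISALLOW_FILE_MODS": False}
    for name, value in DEFINE_RE.findall(wp_config_text):
        found[name.upper()] = value.lower() == "true"
    return found

def audit_wp_content(wp_root, allowed_plugins, allowed_themes):
    """List plugin/theme directories not on the approved list, or writable by group/other."""
    findings = []
    for sub, allowed in (("plugins", allowed_plugins), ("themes", allowed_themes)):
        base = os.path.join(wp_root, "wp-content", sub)
        for entry in sorted(os.listdir(base)):
            mode = stat.S_IMODE(os.stat(os.path.join(base, entry)).st_mode)
            if entry not in allowed:
                findings.append(f"unexpected {sub[:-1]}: {entry}")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{sub[:-1]} writable by group/other ({mode:o}): {entry}")
    return findings

def demo():
    """Build a constructed temporary wp-content tree (one rogue, world-writable plugin) and audit it."""
    root = tempfile.mkdtemp()
    tree = {"plugins": ["akismet", "unknown-plugin"], "themes": ["twentytwentyfour"]}
    for sub, names in tree.items():
        for name in names:
            os.makedirs(os.path.join(root, "wp-content", sub, name), mode=0o755)
    os.chmod(os.path.join(root, "wp-content", "plugins", "unknown-plugin"), 0o777)
    return audit_wp_content(root, {"akismet"}, {"twentytwentyfour"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real document root with your own approved sets; anything it reports that you did not install yourself is worth checking in the Apache logs around its directory mtime.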
