File and Folder permissions

I’m having all sorts of problems with hackers putting files on my server due to the file and folder permissions suggested by PIWIK. I have owner set to apache with folders @755 and files @644. Every day I have to fight off the hacker’s new files on my server, all inside the piwik folders.
Can anyone tell me which folders can really be locked down and what my permission levels should be for Piwik to still work properly?

You should be able to lock down all folders except the piwik/tmp folder, which needs to be writable.

WHY does this need to be writable? This is a major security problem and my server is constantly under attack because of it. Every time I open this up I get hackers putting spam scripts on my server. And I can’t seem to find any settings that let Piwik run without this directory open.

How can I prevent them from doing this? What is the system writing? Is there another way?

I’m running a non-profit and need the functionality. I really like what Piwik offers and have customized the actions to work quite well for our needs. Please help.

Thank you!

Piwik needs to be able to write in some directories; it is needed for Piwik to work.

Your server is actually under attack because there is some other software running on your server that is used to penetrate your server and write files in the tmp folder. What I would do is look for the original cause of the hack and solve this problem (e.g. update the software(s) causing the hack).

@matthieu I would disagree with your assessment of why my server is under attack. My issues only began when I started using Piwik. I like the product but I have to monitor my server daily to remove and clean files that are sending out spam.
When I lock down my folders I have no issues. Why do you not use temp tables in the database or some other method?
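
An added example, not part of the thread and not Piwik's own code: a Python audit of the rule given in the first reply, that every folder except piwik/tmp is locked down. It lists the paths outside tmp that the web server account can write to; the function names and the install path in the comment are assumptions, and ownership is counted as write access because an owner can chmod its own files regardless of 644 or 755.

```python
import os
import stat
import sys


def write_reason(st, uid, gids):
    """Why a process running as uid/gids can write to this inode, or None."""
    if st.st_uid == uid:
        # The owner can always chmod its own file, so 644/755 does not stop it.
        return "owner"
    if st.st_gid in gids:
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None


def audit(root, uid, gids=(), allowed=("tmp",)):
    """Return sorted (relative path, reason) pairs writable outside `allowed`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Skip the top-level directories that are meant to be writable.
            dirnames[:] = [d for d in dirnames if d not in allowed]
        # "" stands for the directory itself, then each file inside it.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            reason = write_reason(st, uid, gids)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import pwd

    # Usage (hypothetical path): python audit.py /var/www/piwik apache
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = os.getgrouplist(user, pw.pw_gid)
    for path, reason in audit(root, pw.pw_uid, groups):
        print(f"{reason:15} {path}")
```

An empty result means only the allowed directory is writable by that account; any "owner" line is a path the web server process can modify despite its mode bits.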