Is there a security risk in having dokuwiki directories being writable by www?
I just found a rogue php script in one of these directories (a Russian cpanel script).
That depends on what you mean by www-writeable.
I can only assume you're using linux or some form of unix...
If www-writeable means "world writeable" (e.g. chmod 0777) then it's definitely a security risk.
If www-writeable means "writeable by group/user www", it shouldn't in general be that much of a problem as long as the only thing running as "www" is your webserver.
Another solution is to make a group that contains the webserver and yourself, so that you can set "chmod 0775" for all pages.
If you don't have root access, this might be a good idea so that you can delete files manually if needed. I've done that myself.
If your wiki is publicly writeable, I'd disable php-includes as well. Let a plugin include php-scripts that you've written yourself instead (this would probably be a syntax plugin).
Just to add a bit more info, for those who might be in a shared hosting environment as I am. Many php scripts need world writeable directories to run at all. I recently had several accounts running rogue php scripts in world writable directories. Apparently this happened because one of the accounts on the server was hacked and they then gained access to other accounts on the server which had directories with full write permissions. This was solved by deploying php open_basedir, to prevent scripts being able to write outside their own home directory.
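The permission cases discussed in this thread (0777 versus group-writable 0775, and PHP files turning up in writable directories) can be checked with a short audit script. This is an added example, not part of the original posts; the function names and the wiki path argument are assumptions.

```shell
#!/bin/sh
# Added example: audit a wiki tree for the permission cases in this thread.
# Usage: sh audit.sh /path/to/wiki   (the path is a placeholder)

# Directories writable by everyone (the chmod 0777 case).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Directories writable by the group but not by everyone (the 0775 case).
group_writable_dirs() {
    find "$1" -type d -perm -0020 ! -perm -0002 -print 2>/dev/null | sort
}

# PHP files located directly inside any group- or world-writable directory.
# These are the places where a dropped script would show up.
php_in_writable_dirs() {
    find "$1" -type d \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null |
    while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php' -print 2>/dev/null
    done | sort -u
}

# Print a report; return 1 if anything needs review, 0 otherwise.
audit_wiki() {
    ww=$(world_writable_dirs "$1")
    gw=$(group_writable_dirs "$1")
    php=$(php_in_writable_dirs "$1")
    status=0
    if [ -n "$ww" ]; then
        printf 'World-writable directories (tighten to 0775 or less):\n%s\n' "$ww"
        status=1
    fi
    if [ -n "$gw" ]; then
        printf 'Group-writable directories (check group membership):\n%s\n' "$gw"
    fi
    if [ -n "$php" ]; then
        printf 'PHP files in writable directories (verify each one):\n%s\n' "$php"
        status=1
    fi
    return "$status"
}

if [ "$#" -gt 0 ]; then
    audit_wiki "$1"
fi
```

A non-zero exit status makes the script usable from cron or a deployment check; a PHP file it reports still has to be compared by hand against what the wiki and its plugins are expected to ship.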