Sarah Gooding has a piece of solid advise on how to protect the WordPress installation from clients who can’t contain their urge to tinker with things:
Protecting WordPress from Dangerous Clients
The best part of it is that it does not involve any plugins. All work is done in the wp-config.php file.