To lock down the permissions on your WordPress install, from inside the WordPress site directory, run the below commands.
chown -R root:root . chown -R nginx:nginx wp-content wp-admin/update.php wp-admin/update-core.php wp-admin/network/update.php wp-admin/network/update-core.php
Note, the above command assumes you are running under Nginx, if you are under Apache, please run the 2nd command replacing nginx with apache
The above command will change all the files in your WordPress root to the ROOT user, then change only the needed files back to user your web server is running as. This will allow you to update themes & plugins, and will also let you upload images, but you will not be able to update WordPress without changing the owner/group back to nginx on your WordPress root.