To add to @Emufarmers's comment:
"World-writable" doesn't mean that anyone in the world can write to that directory. Setting permissions to 777 doesn't make the directory a public bulletin board for the entire world. The "world" in "world-writable" means "any user of this computer". In order for a remote attacker to write something to a "world-writable" directory, he first needs to gain access to a program that is already running as one or another user of your Linode. Typically, this is a PHP script with an unfixed security vulnerability. If an attacker knows how to exploit that script, he will be able to do whatever the script's functionality and permissions allow it to do. If you don't have any vulnerable scripts, a permission of 777 is harmless (although it's still not a good idea).
WordPress is a security minefield, even with the latest version. The core itself has historically contained a very large number of vulnerabilities. Even worse, when such vulnerabilities are found, they are often patched in a haphazard manner instead of fixing the underlying problem (such as not using prepared statements for DB queries, or not using a proper HTML sanitizing function).
Plugins have an even worse track record, because 1) they're developed and maintained by third parties who often don't know enough about security; 2) plugin code gets much less critical scrutiny than WordPress itself; 3) bugs in plugins are often not fixed quickly enough; 4) even when bugs are fixed, users often don't update plugins as frequently as they need to; and 5) plugins often try to bypass security measures built into WordPress, exacerbating all of the above problems. As for themes, they are a disaster the scale of Chernobyl. A significant percentage of free WordPress themes found on the Internet contain obfuscated code with advertising and other shady functions, which may also contain unknown vulnerabilities.
So keep every plugin and theme up to date, and remove anything you don't really, really need. That little plugin that gives you some innocuous-looking eye candy? Dump it. That theme you tried out for 5 minutes a couple of years ago? Dump it. Also, when you remove plugins and themes, don't just disable their functionality. Delete them without a trace. Nuke them from orbit. It's the only way to be sure.
Never, ever trust WordPress to keep your server safe.
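As an added example (not part of the original post or of WordPress itself), a POSIX shell audit that lists the world-writable entries the comment warns about under a web root and can reset them to the conventional 755/644; the document root path is an assumption supplied by the caller:

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a directory tree
# (assumed to be a WordPress document root passed as $1) for files and
# directories whose "other" write bit is set, i.e. mode 777/666-style
# permissions that let any local account, including a compromised PHP
# worker, write there.

# Print every regular file or directory under $1 that is world-writable.
# Symlinks are skipped: their own mode is always 777 and means nothing.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print 2>/dev/null | sort
}

# Number of world-writable entries under $1 (prints 0 when the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only the offending entries: 755 for directories, 644 for files.
# Everything that was not world-writable is left exactly as it was.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} + 2>/dev/null
    find "$1" -type f -perm -002 -exec chmod 644 {} + 2>/dev/null
}

# Usage: sh audit.sh /var/www/html        (report only)
#        sh audit.sh /var/www/html fix    (report, then repair)
if [ "$#" -gt 0 ]; then
    printf 'World-writable entries under %s:\n' "$1"
    find_world_writable "$1"
    printf 'Total: %s\n' "$(count_world_writable "$1")"
    if [ "$2" = "fix" ]; then
        fix_world_writable "$1"
        printf 'After fix: %s\n' "$(count_world_writable "$1")"
    fi
fi
```

Run it as the file owner (or root) so that chmod in fix mode succeeds; the report mode needs only read access.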