File Permissions

It’s not possible to make your config file read-only on our hosting.

My advice? Just ignore the message, it’s nowhere near as big a problem as they claim it is.

PHP code on our hosting is executed under the user of your account. This means that it has access to read and write to any file that you have access to (*). The alternative is to run PHP code under a shared system account, which is much less secure, and requires a lot more tinkering with file permissions and whatnot to make your website work.

The only way to block PHP from writing but not reading the file is to block YOU from writing to that file. And that means that you’ll never be able to modify that file ever again, without us having to manually reset it for you. And that’s not something we want to do for you.

Also, the security warning vastly overstates the severity of the issue. Hackers cannot just read and write arbitrary files on your account. They would need to get access to your website files in the first place, which requires a very severe security problem in your website code or them getting their hands on your account credentials. Regardless, if that happens, them modifying your configuration file is the least of your problems.

I agree that making website code and configuration immutable is good security practice, but it’s not really practical on shared hosting. If that level of security is of legitimate concern to you, you may want to ask yourself first if shared hosting (with websites from other people on the same server) is a good fit for your use case.

* We use open_basedir to ensure that code running on one domain of your account cannot access files from other domains on the same account.

6 Likes
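
The point above about PHP running as the account user, as an added example (not part of the original post and not the hosting provider's code): on a Unix system, a read-only mode bit set on a file can be cleared again by any process running as the file's owner. The temp file and the function names `owned_by_me`, `readonly_check` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed demo, not code from the hosting provider.
# Shows that a read-only mode bit does not stop a process that runs as the
# file's owner, which is the situation the post describes for PHP.

# Return 0 if the current process owns FILE and can therefore change its mode.
owned_by_me() {
    [ -O "$1" ]
}

# Set FILE read-only, then undo that as the same user and append a line.
# Prints "advisory" if the append went through, "enforced" otherwise.
readonly_check() {
    file=$1
    chmod 0444 "$file" || return 2      # the "make it read-only" step
    if owned_by_me "$file" && chmod u+w "$file" 2>/dev/null \
        && printf '%s\n' '// appended after unlock' 2>/dev/null >> "$file"; then
        echo advisory
    else
        echo enforced
    fi
}

# Constructed sample: a temp file standing in for a site's config file.
# Prints the verdict followed by the file's final line count.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '<?php $db_password = "example";' > "$tmp"
    result=$(readonly_check "$tmp")
    lines=$(wc -l < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    echo "$result $lines"
}

demo
```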