You need to operate your WP site in two modes:
- lockdown mode (the Apache service account owns none of the files)
- admin mode (the Apache service account owns all of the files)
You can write a simple script to handle this so that you will know 100% the state of file ownership and permissions. The only time you would run in admin mode is when you are installing a new plugin/theme, or performing a manual WordPress update.
In a nutshell, your lockdown mode should look something like this (the wpadmin user/group is a normal account, something other than your httpd service account):
# The web server account should not have ownership of any files
chown -R wpadmin:wpadmin /path/to/docroot/
# Setting full control for owner and group. Setting read-only for everyone else.
chmod -R ug=rwX,o=rX /path/to/docroot
# Allow the web server to write files to the uploads dir
chmod -R a=rwX /path/to/docroot/wp-content/uploads
Your admin mode is simply changing the ownership of all files to the web server service account:
# Apache should only own the files if needed (for updates or installs)
chown -R apache /path/to/docroot
If you have developers who need to run this command, you can let them do so with sudo. You can further write a script that allows the developers to specify a particular top-level directory under your Apache document root (assuming you have multiple vhosts on the server).
Lastly, if you want to control the group ownership of files that are uploaded via WordPress (and you probably will), it's best to configure a custom PHP upload directory (in the php.ini) and then use the setgid permission on the folder so that new files will pick up your group of choice. I think this is a better and safer solution than trying to configure suexec.
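Here is one way to script the two modes described above. It is an added example, not the original poster's script. The account names wpadmin and apache come from the answer; VHOST_BASE (/var/www), PHP_UPLOAD_TMP, and the function names are assumptions, so set them for your host. It goes a little beyond the answer's commands: it refuses to touch anything that is not a top-level WordPress vhost directory under VHOST_BASE (the check you want before handing the script to developers via sudo), it adds a status mode so you can see which state the tree is in, and it makes wp-content/uploads writable for the httpd group with the setgid bit instead of world-writable. That last choice is this example's, following the group-ownership idea in the final paragraph; if you set PHP's upload_tmp_dir, the same group/setgid treatment is applied there, because move_uploaded_file() renames the temp file into uploads and the file keeps the group it was created with.

```sh
#!/bin/sh
# wpmode.sh: flip a WordPress docroot between "lockdown" and "admin" ownership.
# Added example, not the original poster's script. Account and group names,
# VHOST_BASE and PHP_UPLOAD_TMP are assumptions; set them for your host.
set -eu

WP_ADMIN_USER="${WP_ADMIN_USER:-wpadmin}"   # assumed: normal account owning the site in lockdown
WP_ADMIN_GROUP="${WP_ADMIN_GROUP:-wpadmin}"
WEB_USER="${WEB_USER:-apache}"               # assumed: httpd service account
WEB_GROUP="${WEB_GROUP:-apache}"             # assumed: group that PHP-created files should get
VHOST_BASE="${VHOST_BASE:-/var/www}"         # assumed: directory holding one docroot per vhost
PHP_UPLOAD_TMP="${PHP_UPLOAD_TMP:-}"         # assumed: php.ini upload_tmp_dir, if you set one

# Print the canonical path of SITE only if it is a top-level directory under
# VHOST_BASE that contains wp-config.php. cd + pwd -P canonicalises the path,
# so "../" and symlinks pointing outside the base are refused, which matters
# when developers run this through sudo.
validate_site_dir() {
    base=$(cd "$VHOST_BASE" 2>/dev/null && pwd -P) || return 1
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ "$(dirname "$real")" = "$base" ] || return 1
    [ -f "$real/wp-config.php" ] || return 1
    printf '%s\n' "$real"
}

# Give WEB_GROUP write access to TREE and set setgid on every directory in it,
# so files PHP creates there inherit that group instead of the httpd user's
# primary group.
group_writable_tree() {
    chown -R "$WP_ADMIN_USER:$WEB_GROUP" "$1"
    chmod -R ug=rwX,o=rX "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# lockdown: httpd owns nothing; it can write only where the group allows it.
lockdown() {
    chown -R "$WP_ADMIN_USER:$WP_ADMIN_GROUP" "$1"
    chmod -R ug=rwX,o=rX "$1"
    mkdir -p "$1/wp-content/uploads"
    group_writable_tree "$1/wp-content/uploads"
    # upload_tmp_dir sits outside the docroot; move_uploaded_file() renames
    # from there into uploads and the file keeps the group it was born with.
    if [ -n "$PHP_UPLOAD_TMP" ] && [ -d "$PHP_UPLOAD_TMP" ]; then
        group_writable_tree "$PHP_UPLOAD_TMP"
    fi
}

# admin: httpd owns everything so plugin/theme installs and core updates work.
admin() {
    chown -R "$WEB_USER" "$1"
}

# status: which mode is the tree in? Counts entries owned by WEB_USER,
# ignoring uploads, where httpd-owned files are normal.
status() {
    up="$1/wp-content/uploads"
    total=$(find "$1" -path "$up" -prune -o -print | wc -l | tr -d ' ')
    web=$(find "$1" -path "$up" -prune -o -user "$WEB_USER" -print | wc -l | tr -d ' ')
    if [ "$web" -eq 0 ]; then echo lockdown
    elif [ "$web" -eq "$total" ]; then echo admin
    else echo mixed
    fi
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 lockdown|admin|status SITE_DIR" >&2; return 2; }
    site=$(validate_site_dir "$2") || {
        echo "refusing: $2 is not a WordPress vhost directly under $VHOST_BASE" >&2; return 1; }
    case $1 in
        lockdown|admin|status) "$1" "$site" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Dispatch only when arguments were given, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as root (sudo wpmode.sh admin /var/www/site1, install the plugin, sudo wpmode.sh lockdown /var/www/site1, then sudo wpmode.sh status /var/www/site1 to confirm nothing outside uploads is left owned by the httpd user). If developers need it, a sudoers rule that allows only this script (for example %devs ALL=(root) /usr/local/sbin/wpmode.sh) is enough, since the script itself decides which directories are acceptable; "mixed" from status means a switch was interrupted or someone ran chown by hand, and the tree should be put back into lockdown.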