Best practice from my experience when it comes to WordPress and permissions is:
• Owner: SFTP/site user
• Group: apache
• Directory Permissions: 02775 (drwxrwsr-x)
• File Permissions: 0664 (-rw-rw-r–)
• Directory ACLs: default:user:siteUser:rwx, default:user:apache:rwx, user:siteUser:rwx, user:apache:rwx
• File ACLs: user:siteUser:rw-, user:apache:rw-
The following lines added to wp-config.php help as well:
define(‘FS_METHOD’,’direct’);
will allow you to update any part of the WordPress installation from within the control panel without having to log in manually
define(‘FS_CHMOD_DIR’,02775);
define(‘FS_CHMOD_FILE’,0664);
The reason for the ACLs are that new files are created with a umask of 0022 on CentOS5 when utilizing SFTP (SSH FTP) so Apache would slowly lose write capability on these files as you created new ones via SFTP otherwise. This is also the optimum configuration for allowing WordPress to update itself via the control panel. If that is unnecessary or undesired, you can remove the group write and ACL write fields for Apache on files and directories that should not be able to be modified by the PHP code.
The allow_url_fopen option does not need to be set to enabled for fopen()s on files, by the way. Only if you need to do something along the lines of fopen(http://…) to pull in a resource from another site (and this is strongly deprecated as it builds a dependency on that other resource that can cause timeouts in rendering your page if the site that resource exists on goes down or such.)
