In the same vein as my Drupal permissions setup script, here's a script that should set up a WordPress install with file permissions that are secure, except that WordPress will allow editing of the files through the admin backend. Permissions are locked down in the same way as with Drupal, except that wp-content is set up like Drupal's files directory, with write permissions for the webserver. One final quirk: WordPress requires the wp-admin scripts to be owned by www-data for plugin updating, etc. to work, so the last few lines change the owner but leave write permissions locked down on that directory.
If you want to upgrade WordPress core, I suggest running:
chown -R www-data:www-data /home/username/public_html
Once that's done, do the upgrade through the web interface and then run the script below again to fix permissions. If you'd like to be more secure than that, you could do a manual download + upgrade via the command line.
Here is the script:
#!/bin/bash
# assumes your site is installed at /home/username/public_html
USERNAME=username
WEBSERVER_USER=www-data
INSTALL_DIR=public_html

# without --really, just print this script and exit
if [ "$1" != "--really" ]; then
    cat "$0"
    exit 0
fi

# stop here if the home directory is missing, so the recursive
# chown/chmod below never runs relative to some other directory
cd "/home/$USERNAME/" || exit 1

# base lock-down: user owns everything, webserver (group) can only read
chown -R "$USERNAME:$WEBSERVER_USER" "$INSTALL_DIR"
find "$INSTALL_DIR" -type d -exec chmod u=rwx,g=rx,o= '{}' \;
find "$INSTALL_DIR" -type f -exec chmod u=rw,g=r,o= '{}' \;

# this code handles multisite install files directories
chown -R "$WEBSERVER_USER:$USERNAME" "$INSTALL_DIR/wp-content"
chmod ug=rwx,o= "$INSTALL_DIR/wp-content"
find "$INSTALL_DIR/wp-content" -type d -exec chmod ug=rwx,o= '{}' \;
find "$INSTALL_DIR/wp-content" -type f -exec chmod ug=rw,o= '{}' \;

# for some reason WordPress wants wp-admin to be owned by www-data
# for automatic updates, etc to work
chown -R "$WEBSERVER_USER:$USERNAME" "$INSTALL_DIR/wp-admin"
chmod u=rx,g=rwx,o= "$INSTALL_DIR/wp-admin"
find "$INSTALL_DIR/wp-admin" -type d -exec chmod u=rx,g=rwx,o= '{}' \;
find "$INSTALL_DIR/wp-admin" -type f -exec chmod u=r,g=rw,o= '{}' \;
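
To confirm the tree still matches this scheme later (for example after a web-interface upgrade), here is an added audit function; it is not part of the original script. The name audit_wp_perms is hypothetical, GNU find is assumed (-perm /mode and -printf), and only mode bits are checked, with ownership assumed to be what the script above set.

```shell
#!/bin/bash
# Added example: report paths whose mode bits break the scheme above.
# Assumes ownership is as the script set it: webserver is the group on
# the base tree and the owner inside wp-admin.
audit_wp_perms() {
    local dir=$1
    local found
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(
        # 1. Nothing may be accessible to "other" (symlink modes are ignored).
        find "$dir" ! -type l -perm /o=rwx -printf 'other-access %p\n'
        # 2. Outside wp-content and wp-admin the group is the webserver,
        #    so a group-write bit lets the webserver modify code.
        find "$dir" \( -path "$dir/wp-content" -o -path "$dir/wp-admin" \) -prune \
            -o ! -type l -perm /g=w -printf 'webserver-writable %p\n'
        # 3. Inside wp-admin the owner is the webserver, so an owner-write
        #    bit there undoes the lock-down.
        if [ -d "$dir/wp-admin" ]; then
            find "$dir/wp-admin" ! -type l -perm /u=w \
                -printf 'webserver-writable %p\n'
        fi
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: pass the install directory as the first argument.
if [ $# -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

It prints one line per violation and returns 1 if any were found, 0 for a clean tree, and 2 if the argument is not a directory.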