Props to both Jason Judge and Paul Duffy for thorough comments on this issue. Jason Judge is right on the money. Giving write permissions to apache user for the entire WordPress structure is equivalent to saying “Hey, I want anyone who attempts an XSS or Sql Injection attack on my site to also be able to write anything they want to my wordpress folders.” You might THINK you’re making it easy on yourself to keep your site updated. In reality, you’re creating a big security hole. So what if you keep your stuff up to date? What if your current theme of choice doesn’t have updates but it DOES have an XSS or SQL Injection hole? You want someone to stick a little snippet of code in your database that causes Apache to fetch a php malware from another server and write it to your wordpress folder?

This is exactly the type of situation that causes things like the famous Pharma attack. Pharma is notorious for having specific malware PHP files in the WP installation. Those files didn’t get there magically. They got there because some user had write permissions to WP.

You can do all the updates you want. But I’d like to point out something here. Its famously known that quite a few security updates happen because SITES GOT HACKED. DUH! And after the hack, programmers scramble to make a security update! If you open yourself up to security holes to begin with, then you’re just making yourself the perfect testbed for the hackers.