Correct wp-content ownership and permissions

By default, all files added by the Apache itself will be owned by the server’s user, in your case www-data. But since your users use FTP to deploy, those files are owned by them, and it makes the Apache scream for your attention. Changing the ownership of wp-content folder to www-data isn’t insecure at all, as this is a default user used only by the Apache, but as you said, it is only a temporary solution.

For a permanent solution, I’d recommend Tom‘s solution from this post on ServerFault:

Attempting to expand on @Zoredache’s answer, as I give this a go
myself:

  • Create a new group (www-pub) and add the users to that group

    groupadd www-pub 
usermod -a -G www-pub usera    # must use -a to append to existing groups
usermod -a -G www-pub userb
groups usera    ## display groups for user

  • Change the ownership of everything under /var/www to root:www-pub

    chown -R root:www-pub /var/www    # -R for recursive

  • Change the permissions of all the folders to 2775

     chmod 2775 /var/www

    2=set group id, 7=rwx for owner (root), 7=rwx for group (www-pub), 5=rx for world (including apache www-data
    user)

    Set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other
    options are SETUID (4) to copy the user id, and STICKY (1) which I
    think lets only the owner delete files.

    There’s a -R recursive option, but that won’t discriminate between files and folders, so you have to use find, like so:

    find /var/www -type d -exec chmod 2775 {} +

  • Change all the files to 0664

    find /var/www -type f -exec chmod 0664 {} +

  • Change the umask for your users to 0002

    The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by
    editing the umask line at the bottom of /etc/profile in my case)
    means files created by one user will be writable by other users in the
    www-group without needing to chmod them.

Test all this by creating a file and directory and verifying the
owner, group and permissions with ls -l.

Note: You’ll need to logout/in for changes to your groups to take
effect!

EDIT:
If you are serious about running a hosting server for different clients, perhaps consider setting up and running your PHP differently then it is by default (as mod_php). I’d recommend running it as PHP-FPM service, as it can be tweaked to use the user’s permissions, which will further prevent PHP server to have a full ownership and rights over literally all files from the web root.

This is an excellent article explaining different ways for running PHP. I am not an expert on the matter, and you can get more help from the ServerFault.

Related Posts:

  1. to perform the requested action wordpress needs to access your web server. please enter your ftp
  2. Prompted for FTP details even with FS_DIRECT set to true
  3. How to prevent a post from being deleted?
  4. Is there a way (plugin?) to restrict a user to being able to edit just one page?
  5. Can’t install new plugins because of the error “Could not create directory”
  6. How to stop wordpress from changing default .htaccess permissions to 444
  7. Cannot install plugins even though www-data has write permissions
  8. How does WordPress update plugins, without running into permissions issues?
  9. Plugins won’t auto-update on IIS
  10. Is it possible to block subscriber users to changing its password?
  11. WordPress roles – Protect administrator role
  12. Standard permissions for wordpress; Plugin installation asks for FTP credentials
  13. 403 Forbidden – You don’t have permission to access /wp-admin/admin-ajax.php on this server
  14. Could not create directory
  15. Creating Custom Roles for use on a WordPress Multi-site Instance?
  16. Why does deactivating a plugin cause error: “You do not have sufficient permissions to access this page”?
  17. Can’t use the built-in wordpress install/upgrade plugin feature [closed]
  18. Plugin/Folder permission issues with Azure
  19. Advanced Custom Fields/User Role Editor – how to hide ACF for certain users?
  20. How create a role with admin capability less 1 or 2?
  21. Are these wp-content permissions safe?
  22. Prevent WordPress installing plugins and themes via Admin
  23. Plugin updates change folder permissions
  24. Linux Permissions and Ownership for WordPress
  25. Updating plugins asks for FTP information, why? (this is a new one)
  26. Lock access to plugin options
  27. Can’t Install Standard Plugins on a Local MAMP installation
  28. Add menu page issues (permissions & position)
  29. Advanced Custom Fields – Disable Users to Edit Custom Fields
  30. Is there any way to make myself an admin?
  31. Why is the ‘Gutenberg’ Plugin generating an ‘Inconsistent File Permissions’ error when other Plugins, with the same permissions, do not?
  32. What are the correct permissions so WP doesn’t ask for FTP credentials if installing plugin?
  33. WordPress won’t allow for updates to plugins or WordPress Core
  34. WordPress permissions error with admin account
  35. Why is my WordPress Plugin page requesting my FTP Login Credentials?
  36. Plugins & backup not working correctly on new Digital Ocean server
  37. How to hide plugin options for editors via functions.php
  38. How to write to the plugin’s directory?
  39. See which user role / capability is needed to use a plugin
  40. Plugin updates, change file permissions on WordPress
  41. How to make a plugin api route have permission?
  42. Can’t add or delete plugins – but I’m an admin [closed]
  43. WP Plugin permissions – create new files
  44. Permission Issues regarding Plugin updates & FTP transfers
  45. WordPress Plugin Install / Update Problem
  46. Database error when user logs in
  47. WordPress FTP/media directory permissions problem?
  48. Wordress admin page is fetching error You do not have sufficient permissions to access this page.
  49. Admin page and admin menu. Permissions plugin
  50. SSH vs WordPress
  51. Images not showing on homepage after migration [duplicate]
  52. page creator to leave comments ONLY
  53. Editor have not permissions for a plugin
  54. WordPress Permission Problems on Ubuntu 12.04 with LAMP stack
  55. Plugin not installing properly, functions being redeclared
  56. Problem with permissions in wp-content/plugins
  57. Making plugin to use different table prefix cause permission problem
  58. Two sites one PC
  59. How to give access to the particular page in wordpress for specific username/email NOT roles [closed]
  60. Gravity Forms and Gravity View Permissions
  61. How to implement a customizable free OpenID authentication?
  62. Generate Advanced Custom Fields box in custom admin menu page
  63. Share buttons on article footer
  64. How to prepend to the_title for admin-side plugin’s use
  65. Settings API – input always updates over validation
  66. Creating search filter through plugin
  67. jQuery Plugin to use WordPress functions in AJAX request
  68. audio streaming plugin but with no save option?
  69. Missing argument 3 for wp_register_sidebar_widget()
  70. Pass variable to nested shortcode
  71. Simple plugin for showing RSS subscription links?
  72. How to make my plugin able to be updated from admin panel?
  73. Is there a way I can find wordpress posts that don’t contain a word?
  74. Generate XML Sitemap for Blog on Magento Platform
  75. Display data on Word Press site posts and pages from mysql table
  76. Why is output buffering used here?
  77. What’s the best way to implement AJAX in WordPress?
  78. Cannot find a list of data selectors for Gutenberg editor
  79. Adapt PHP form action for WordPress?
  80. get specific value of a array | PHP
  81. How to save comment name email url fields?
  82. Best practices for user registration with WordPress from an MVC background
  83. How to get a notification when the plugin is installed?
  84. Change the Simple Facebook Connect popup position
  85. WordPress Post HTML after Posting
  86. Custom Meta box change size
  87. The Build menu theme is frozen with the wordpress theme
  88. WordPress PWA with Form
  89. How achive serving multiple concurrent Ajax / Rest calls in plugin?
  90. How to add php plugin code in theme
  91. Need help for creating custom table on wordpress
  92. ound this in Where to edit Custom Content fields to optional if there is no plug in?
  93. Setup SMTP setting in wordpress
  94. Widget redirecting to home page
  95. Creating Features List in WordPress Post
  96. why i cannot see some plugins while they are enabled on network admin page?
  97. WooCommerce Email Customization
  98. How can I properly sanitize the update_option in WordPress?
  99. My Blog page ( posts page ) theme isn’t changing with the new theme [closed]
  100. Why is my menu page not being displayed?