Web Folder Ownership and Permissions for Apache
I'm wondering if anyone can give me some advice on ownership and permissions for web folders for Apache. All my web folders were owned by root root. I changed that to www-data www-data (my Apache group and user). I did this so I could change the permissions on some upload folders to 775, instead of 777, which they were before.
However, it occurs to me now that, if Apache gets hacked somehow, the hackers could, conceivably, alter the contents of all my web folders, whereas before with the owner being root root, the only folders that could have been altered were the upload folders. However, I suspect with 777 permissions, the chances of those upload folders being compromised were much higher than they are presently for the web folders.
This is not a situation where I am offering a service to clients. I have read that in that case I should have the web folders owned by the client user, so they can upload to them, etc. Am I better off creating a separate user account anyway, and assigning ownership of the web folders to that user (in which case I would have to return to 777 permissions), or is what I have done a good solution?
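
An added example, not part of the original post: a POSIX shell audit for the trade-off described above. `audit_webroot` lists the paths the web server account can modify outside the intended upload directories, and `world_writable` lists anything still writable by every local account. Both function names are hypothetical, and the account, group and paths are supplied as arguments.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Usage (placeholder paths, account names as in the question):
#   audit_webroot /var/www/site www-data www-data /var/www/site/uploads
#   world_writable /var/www/site

# audit_webroot ROOT USER GROUP [UPLOAD_DIR...]
# Print every path under ROOT that USER/GROUP could modify through the
# owner, group or "other" write bit, skipping the listed upload
# directories, which are meant to be writable by the web server.
# Only the named group is checked, not supplementary groups.
audit_webroot() {
    root=$1; user=$2; group=$3
    shift 3
    # Turn each remaining argument (an upload dir) into
    # "-path DIR -prune -o" by rotating the positional parameters.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$1" -prune -o
        shift
        n=$((n - 1))
    done
    # Symlinks are skipped: a symlink's own mode bits are not used
    # for access checks.
    find "$root" "$@" ! -type l \( \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002 \) -print
}

# world_writable ROOT
# Print everything under ROOT, upload directories included, that any
# local account can write to (the 777 case).
world_writable() {
    find "$1" ! -type l -perm -002 -print
}
```

An empty result from `audit_webroot` means a compromised web server process could only write inside the upload directories; an empty result from `world_writable` means no path depends on the "other" write bit.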