By default, this is wp-content upload, and it can be configured to anything that is beneath your document root if you want to...
But plugins etc, to be updatable you ca make everything and the directory to be non-writable..
Then you make the folder owned by that user $ chown -R path to webroot wp-content upload.
By user on your system the user you are using to deploy updates to, All other files and folders should be owned WordPress and plugins..
But you still need to be able to manage and update plugins, themes and WordPress itself..
If this is the case, you do not want to run automatic updates, except use some kind of deployment system..
I know BackupBuddy and Gravity Forms works fine, and the plugins from Yoast does not...
BTW, 2 is the same as the automatic updates feature WordPress..
To not confuse users in WordPress dashboard to think they can do updates or install plugins directly, is is possible to add constant to wp-config php to disable plugin and theme update and installation. define.
This will remove links and buttons in WordPress dashboard to actions that requires file modification permissions...
Read more
Related items:
