James Huff on "very alarmed - possible site compromise?"

for example, .htaccess should be 400, not 644, but that causes problems for allot of people when setting a permalink structure, etc.

On a properly secured server, nothing needs to be lower than 644.

The problem here, and the reason I have to say "in general" is that there are billions of ways to configure a server, none of which we have any control over.

As you say, setting .htaccess to 400 causes some problems for some people, that's because of how the server is configured. And, I say 644 should be fine, because that's how the server *should* be configured.

Just like you can't really control the crime level of the community you live in, and can therefore only take reasonable steps to protect your home at a good balance between security and convenience, the same is true for any web software existing on any server.

And, that's the slightly longer explanation for why a lot of these recommendations are "in general."

seems like it might be a good idea for WP to set file permissions/ownership

WordPress itself can't really set file permissions/ownership, as those are initially set during file transfer and according to the server configuration.