Hardened WordPress Linux install

Are there any best practices for a hardened WordPress install on Linux? I have recently had a WAMP server get attacked by malware via WordPress, so I want to harden the server by using read-only Apache permissions and move it, and all future WordPress sites, to Linux only.

the plan:

  1. chown everything root:root -R so that Apache can't write to anything
  2. chmod so that only the owner can write
  3. chown only the uploads/updated files/themes dirs of WordPress to apache:root

This last bit is the bit I need help on. Can you tell me which bits of auto-updatedness WordPress is likely to need? I have looked online and no one is talking about this.

Tags: configuration, installation, security, themes, WordPress

Category: Web


... can you tell me which bits of auto-updatedness WordPress is likely to need?

WordPress doesn't need any "auto-updatedness". Auto-updating is just a convenience. In fact, the built-in updater is a relatively new thing, though I don't remember at what version it appeared. You can always update manually via (S)FTP, and I pretty much always do.

I have looked online and no one is talking about this

No one is talking about what?

https://wordpress.org/support/article/hardening-wordpress/


Heavily edited from the above link

How to harden your WordPress if you're a server admin

Bear in mind I am not an expert on WordPress, nor even a user of it. You will probably not be able to automatically self-update WordPress using this method (which is by default a massive security issue, since vulnerabilities that exist today are published later by the open source community and are then easily viewable/usable), you may or may not be able to install/update plugins, and you will not be able to do this at all on Windows servers.

/ (the root WordPress directory):

all files should be writable only by your user account (*not Apache*), except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/ (the WordPress administration area):

all files should be writable only by your user account (*not Apache*).

/wp-includes/ (the bulk of WordPress application logic):

all files should be writable only by your user account (*not Apache*).

/wp-content/ (user-supplied content):

intended to be writable by your user account AND Apache.

Within /wp-content/ you will find:

/wp-content/themes/ (theme files):

If you want to use the built-in theme editor, all files need to be writable by the web server process (Apache). If you do not want to use the built-in theme editor, all files can be writable only by your user account (*not Apache*).

/wp-content/plugins/ (plugin files):

all files should be writable only by your user account (*not Apache*).

So the ACTUAL answer on CentOS is:

Do the following, substituting mywordpressplace for your WordPress installation directory. Run the commands as root, and use root as the owner too if you like; it won't matter. The books say you should run the following shell commands as root and then use a third-party user as the owner in the command-line entries below, but I think that if you have multiple servers (I have around 40 that I run) and hardened infrastructure, it's probably satisfactory to merely use root for both, so long as you have SSH correctly configured, etc.

# chown -R root:root /var/www/html/mywordpressplace/                          # nothing is owned by apache by default
# find /var/www/html/mywordpressplace/ -type d -exec chmod 755 {} +           # dirs: apache may enter and list them
# find /var/www/html/mywordpressplace/ -type f -exec chmod 644 {} +           # files: apache may read, only root may write
# chown apache:root /var/www/html/mywordpressplace/.htaccess                  # only if WordPress should write rewrite rules itself
# chown apache:root /var/www/html/mywordpressplace/wp-content/
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/uploads/     # media uploads (omitted from the original command list)
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/themes/      # only if you use the built-in theme editor
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/plugins/     # gives apache write access to plugins, which the list above says to avoid; skip it and update plugins over SFTP instead

(755 on directories and 644 on files replaces the original blanket "chmod -R 744": 744 strips the execute bit from directories, so apache cannot enter them and the site stops serving.)

One last gotcha

The last bit is important: since the WordPress malware that can and does exist often uses PHP to read/write/traverse your directory to insert code, and since Apache must be able to read the /var/www/html/ dir, you also need to ensure that anything ELSE on that server in /var/www/html/ is ALSO

# chown -R root:root /var/www/html/*

What happens is that WordPress malware will traverse the web root dir and inject code (usually curl() commands) into any index.php/default.php files from OTHER sites that are not WordPress at all. WordPress can often be the vector for other sites on the vhost.
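As an added example (not part of the answer above and not the answer author's script), the following POSIX shell script applies the same ownership scheme with 755/644 modes, adds an audit that lists anything group- or world-writable, and records a SHA-256 manifest of every PHP file under the web root so that the cross-site injection described above shows up as a diff. The CentOS-style paths, the web user name `apache` and the list of runtime-writable directories are assumptions; `harden_wp` must run as root, the other functions need no privileges.

```shell
#!/bin/sh
# wp-harden.sh: added example, not from the original answer.
# Assumes a CentOS-style layout (/var/www/html/<site>) and a web user named "apache".
set -e

# Directories WordPress writes to at runtime. themes/ and plugins/ are deliberately
# absent: update those over SFTP (or with wp-cli) from the admin account.
WP_RUNTIME_DIRS="wp-content/uploads wp-content/upgrade"

# set_perms DIR: 755 on directories, 644 on files. A blanket "chmod -R 744" would
# strip the execute bit from directories, so apache could not even enter them.
set_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# harden_wp WPROOT [ADMIN] [WEBUSER]: apply the ownership scheme. Must run as root.
harden_wp() {
    wp_root=$1; wp_admin=${2:-root}; wp_web=${3:-apache}
    chown -R "$wp_admin:$wp_admin" "$wp_root"
    set_perms "$wp_root"
    for d in $WP_RUNTIME_DIRS; do
        mkdir -p "$wp_root/$d"
        chown -R "$wp_web:$wp_admin" "$wp_root/$d"
    done
    # wp-config.php holds the database credentials: apache reads it through the
    # group, other local users cannot read it at all.
    if [ -f "$wp_root/wp-config.php" ]; then
        chown "$wp_admin:$wp_web" "$wp_root/wp-config.php"
        chmod 640 "$wp_root/wp-config.php"
    fi
}

# audit_writable DIR: print anything group- or world-writable. Expected output: nothing.
audit_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# baseline DIR MANIFEST: record a SHA-256 of every PHP file under DIR (the files
# injected malware rewrites), sorted so the manifest is stable across runs.
baseline() {
    ( cd "$1" && find . -type f -name '*.php' -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# verify DIR MANIFEST: return 0 if no PHP file changed or appeared since the
# baseline, otherwise list the differences and return 1. Run it from cron against
# the whole web root, not just the WordPress directory, to catch cross-site injection.
verify() {
    current=$(mktemp)
    baseline "$1" "$current"
    if cmp -s "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "PHP files changed since baseline:"
    diff "$2" "$current" | grep '^[<>]' || true
    rm -f "$current"
    return 1
}

# Usage: wp-harden.sh harden   /var/www/html/mywordpressplace [root] [apache]
#        wp-harden.sh audit    /var/www/html
#        wp-harden.sh baseline /var/www/html /root/webroot.sha256
#        wp-harden.sh verify   /var/www/html /root/webroot.sha256
case "${1:-}" in
    harden)   harden_wp "$2" "${3:-root}" "${4:-apache}" ;;
    audit)    audit_writable "$2" ;;
    baseline) baseline "$2" "$3" ;;
    verify)   verify "$2" "$3" ;;
esac
```

Take the baseline immediately after hardening, store the manifest outside the web root (apache must not be able to rewrite it), and treat any line `verify` prints as an incident to investigate rather than something to re-baseline over.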
