Let's step back to the original comment about the website "updating itself." How does this happen in practice?

I write pretty much exclusively in PHP. My websites are dynamic since much of the content comes from SQL database records or editable component files which reside outside the DocumentRoot. Most of my sites consist of a simple index.php shell that uses include() or require() to load the component parts of the page and send the result to the browser. There is never any need to write a file anywhere in this arrangement.

I make it a point to put as little as possible in the publicly-visible directories like /var/www. Usually these directories include an index.php file, a CSS stylesheet, an /images/ subdirectory, and maybe a couple of other files that are safe to display to the public. All of the website code is locked away in other directories outside the DocumentRoot and included into the page shell.

I rarely have the need for applications to generate files, but when they do, I write these files to directories again outside the DocumentRoot to which the www-data user has write privileges. That user should never have write privileges in /var/www. That kind of insecure arrangement leads to websites being defaced or, as Charles suggests, worse things like malware distribution.

So what, exactly, are the files you need to write, and why do you need to do so? Without specifics it's pretty difficult to determine what kinds of security policies make sense for your site. I will reiterate, though, that letting www-data write into /var/www is never a good idea.
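An added example, not part of the original post: a shell audit that lists anything under the DocumentRoot that the web server account could modify. The function names are hypothetical, the check looks only at owner/group/other mode bits (ACLs are ignored), and `www-data` and `/var/www` are the names used in the post.

```shell
#!/bin/sh
# Added example: report paths under a DocumentRoot that a given account
# could modify, judged by mode bits only (ACLs are not considered).

# writable_by USER DIR
# Prints every path under DIR that USER could write to.
writable_by() {
    user=$1
    root=$2
    # Owned by the user with the owner-write bit set, or world-writable.
    set -- \( -user "$user" -perm -0200 \) -o -perm -0002
    # Group-writable where the group is one the user belongs to.
    for g in $(id -G "$user" 2>/dev/null); do
        set -- "$@" -o \( -group "$g" -perm -0020 \)
    done
    # Symlinks always report mode 777, so they are skipped.
    find "$root" ! -type l \( "$@" \) -print
}

# audit_docroot USER DIR
# Returns 0 when nothing is writable, 1 (after listing the paths) otherwise.
audit_docroot() {
    hits=$(writable_by "$1" "$2")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Usage: audit_docroot www-data /var/www
```

Any path it prints is one the web server account could overwrite; directories that genuinely need to be writable belong outside the DocumentRoot, as described above.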