set the rights to the files to 640, to the directory to 750
as the owner of user1, the group www-data
In this case, nginx must be run as the user www-data, and php-fpm as the user user1. Log in via Ftp as user1.
user1 does not need to be added to the www-data group.
If you have several sites, then for the second site, set the owner to user2, the www-data group, connect via ftp from user2.
If there are several sites, then each has its own php5-fpm pool, each of which is run from different users.
Result: the php processes, and hence WordPress, will have full access to the files of their own project only and will not have access to the files of neighboring VPS projects. Nginx will have read-only access to all projects. Through ftp, each user will have full access only to their own projects. Unnecessary file permissions have been removed. If one of the VPS sites is hacked, then the hacker usually gets the access rights of the user who runs the php-fpm pool. (Hacking nginx is unlikely) I.e. when hacked, the hacker gets full rights to one project, but cannot even read, much less write to another project. To further secure the server, use chroot in your php5-fpm and ftp settings. This greatly improves security. But setting up a chroot in php5-fpm usually requires additional dancing with a tambourine (changing the configs of other services,
I used to be careless about security settings, until I accidentally found the same shell script on my VPS in two projects. After I realized what kind of script it was, I launched it (I just typed the appropriate address in the browser) and was really stunned. The shell script made it easy to navigate through all project folders (individual sites) located on the VPS, allowed you to arbitrarily write and delete files in these projects, allowed you to go to the root of the file structure, for example, to the /etc folder and read all configs in this folder. Although the configs were read-only, they actually store a lot of confidential information. For example, some passwords of standard services in such configs are stored in unencrypted form. The script allowed to display a list of running processes and randomly kill processes launched by the same user, etc. In addition, all the main methods necessary for finding vulnerabilities and further sabotage in the script are automated. Those. in many cases it was more convenient for me to work with the server through this shell script than through putty and winscp. And in the future, I used this shell script to test the security of each project. Those. in addition to solving a local problem, I recommend that you immediately check the security in the complex.

pure-ftpd and a virtual user that will match under the real one from which nginx is running.

Can be replaced with proftpd .
There you can create virtual users and override their uid\gid with real ones (for example, www-data). It turns out that they will have the same rights as nginx.
It is configured very easily with a couple of lines in the standard config.