According to a guide on the Linux directory structure, /usr/ is for application files, and /var/ is for files that change (I assume this means "files that belong to the applications"). Is this correct?
If this is the case then I'm a little torn between using either. A website is an application (if it's dynamic, so to speak), but in other cases it is just a collection of files used by Apache.
The default www dir lives in /var/www/, so should we follow suit by using /var/websites/ (or something similar), or choose /usr/websites/ since they could be applications?
This is a very trivial question, but it's bugging me nonetheless. For our case, I'm leaning toward /usr/web or something like that, since our websites are all applications.
Update:
This is for our company websites; it's not a shared hosting server, so we don't need to worry about separating them in /home/ or anything like that.
According to the FHS,
/usr is for shareable, read-only data - not where you want to put the website. This is where you should put your code (for example Fedora does this for Wordpress). See also the web assets packaging guide for Fedora.
/var is "variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files." -- better, but still not quite right -- but a lot of systems will use /var/www, so even if you're wrong to put it there you're in good company.
/srv is for "site-specific data which is served by this system." -- which seems like a good match, but is much less common than /var/www.
The other common place to put the site files is under /home -- by creating a special user called website or such, then placing the files inside that user's homedir (e.g., /home/website).
Take a look at the Filesystem Hierarchy Standard (Wikipedia). I myself use /srv/web/$domain/{htdocs,logs,cgi-bin,...}.
Websites should live in users' home directories. They're user data, should be isolated by one-user-per-site, and dynamic content should run as a separate user again, with files that the dynamic content needs to read and modify given the appropriate permissions to do so.
Update:
Just because it's not a shared hosting server doesn't mean that you shouldn't engage in good security practices and separate independent roles into their own security zones.
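The separation described in the answer above (site files owned by one account, dynamic content running as another account that can write only where it needs to) can be checked mechanically. This Python audit is an added example, not part of the original answer; the function names, the constructed sample tree and the `uploads` writable directory are assumptions, and it looks at mode bits only (no ACLs).

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Mode-bit write check for (uid, gids); ignores ACLs and root."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_site(root, runtime_uid, runtime_gids, writable=()):
    """Return sorted (relative path, reason) findings for one site tree."""
    allowed = tuple(os.path.normpath(w) for w in writable)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            rel = os.path.relpath(path, root)
            ok_here = any(rel == w or rel.startswith(w + os.sep) for w in allowed)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif not ok_here and st.st_uid == runtime_uid:
                # an owner can always chmod the file back to writable
                findings.append((rel, "owned by runtime user"))
            elif not ok_here and can_write(st, runtime_uid, runtime_gids):
                findings.append((rel, "writable by runtime user"))
    return sorted(findings)

def demo():
    """Constructed sample tree: the creating account plays the site owner."""
    layout = {"htdocs": 0o750, "uploads": 0o770,
              "htdocs/index.php": 0o640, "htdocs/config.php": 0o660,
              "uploads/a.png": 0o660, "cache.tmp": 0o666}
    with tempfile.TemporaryDirectory(prefix="site-") as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            open(path, "w").close() if "." in rel else os.mkdir(path)
            os.chmod(path, mode)
        st = os.lstat(root)
        # hypothetical runtime account: another uid that shares the site's group
        return audit_site(root, st.st_uid + 1, {st.st_gid}, writable=["uploads"])

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26} {rel}")
```

On a real server, pass the UID and group IDs of the account the dynamic content runs as, and list only the directories it must be able to modify.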
The definitive guide is the Filesystem Hierarchy Standard which says that /srv is the proper place.
Where they live on disk matters little. It's where you want them.
I have a symlink from /www on all my machines to where they really live, so I never have to wonder from machine to machine. Some older machines have /u0 and /u1 for user disks, and I place the web things there. Some have /home mounted directly, so they go there, but /www always points to the right place.
I also do not put any configuration in /usr nor in /var. It goes in /local (which, you guessed it, is a symlink somewhere on /u0 or /u1 typically). This makes backing up things easy. I just back up the user disks.
Of course, I have a master distribution site for my OS of choice, NetBSD. I make the system like I want it on this main machine (really a xen instance) and rsync /usr around. Makes my life easy.
The Apache web server has its default website under /var/www/, but it suggests putting other websites under /srv/.
I noticed this on Ubuntu Server 14.04 LTS. Its default apache2.conf file contains a commented block:
According to me you should NEVER and NEVER put any Internet Services in the common system zone.
Your Internet Services (Apache / Tomcat / SSH etc) are a front door; if you put those services into your System zone you'll be potentially vulnerable to some attacks, more than if you had put your different services into a safe sandbox zone like another detached partition.
Here is an example of a structure you could use: