Ok so I looked at a number of resources, per Google, and questions on here and none seem to be what I require.
I come from a Windows IIS background so maybe my thought process is flawed and that Apache does things differently.
Basically on IIS it is recommended to set up a dedicated application pool per web user, or website even, and have their files/folders stored under their own path and work with that dedicated application pool.
I am setting up Apache for testing, and learning purposes, and came across the situation of segregating users. Does Apache need to be forked per user or is the 'www-data' sufficient?
Seeing as the 'separate' webdirs are in separate 'home' directories I assume this is safe? My understanding is that if you can't access a directory somewhere in the path, anything behind that can't be accessed - is this correct?
Lastly, I noticed (and this is the reason why I am asking) that WordPress, when creating files or cache files, creates them as user 'www-data' and group 'www-data'. This is what prompted me to ask, as I am now assuming that the 'user' doesn't have access to those files?
My advice is to use apache-itk patch. You can use user home dir per site and execute apache with different user permissions - that is very safe for multiple site hosting.
Firstly, the user running apache needs to be able to read the files in order to show them to a client. When you're using user directories, this usually means giving write access to the user themselves, and read access either specifically to the group "www-data" (or whatever group the user running apache belongs to), or to all users on the server. In order to not show any files outside of the user's public_html directory hierarchy, you would use the apache config file to only allow the public_html and its subdirectories to be used for user web sites.
Secondly, since you want to be sure that the apache user is not able to edit anything (in case the server gets cracked, or someone writes a faulty script and runs it as a cgi, or something), you want to run it as a user who has no write access to user directories. That user will still need to be able to write logs and temporary data, and it should have its own directories where it does that.
If you were to run one apache instance for each user, and have that apache owned by the user, you'd thereby grant apache permissions to write to all of the user's directories. That's generally not considered a good idea at all.
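To make the permission reasoning in this answer (and the question's observation about cache files owned by www-data) concrete, here is an added Python model of the POSIX access check along a path. It is illustration code, not part of either answer and not Apache's own logic; the directory tree, owners, modes and group memberships in it are constructed assumptions. It shows three things: www-data can read a site owner's files but write only where a directory was deliberately opened to it; a directory without search (x) permission hides everything beneath it; and a file WordPress created as www-data:www-data with mode 0644 is readable but not writable by the site owner.

```python
"""Model of POSIX discretionary access checks on a per-user web layout.

Every value below (paths, owners, modes, group membership) is a constructed
assumption for illustration; nothing is read from the real filesystem.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits as they appear in each rwx triplet


@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o750
    is_dir: bool = False


# Constructed tree. alice's tree was chgrp'd to www-data as the answer suggests;
# bob's home was left with its default group, so www-data cannot enter it at all.
FS = {
    "/home": Entry("root", "root", 0o755, True),
    "/home/alice": Entry("alice", "www-data", 0o750, True),
    "/home/alice/.ssh": Entry("alice", "alice", 0o700, True),
    "/home/alice/.ssh/id_ed25519": Entry("alice", "alice", 0o600),
    "/home/alice/public_html": Entry("alice", "www-data", 0o750, True),
    "/home/alice/public_html/index.php": Entry("alice", "www-data", 0o640),
    # the one directory intentionally writable by the web server
    "/home/alice/public_html/wp-content": Entry("alice", "www-data", 0o770, True),
    # cache file WordPress wrote while running as www-data (the question's case)
    "/home/alice/public_html/wp-content/cache.php": Entry("www-data", "www-data", 0o644),
    "/home/bob": Entry("bob", "bob", 0o750, True),
    "/home/bob/public_html": Entry("bob", "www-data", 0o750, True),
    "/home/bob/public_html/index.php": Entry("bob", "www-data", 0o640),
}

# Constructed group memberships (primary group plus any supplementary groups).
GROUPS = {
    "alice": {"alice"},
    "bob": {"bob"},
    "www-data": {"www-data"},
}


def _bits(entry: Entry, user: str) -> int:
    """Return the rwx triplet that applies to `user` for this entry.

    POSIX picks exactly one class: owner if the uid matches, else group if
    one of the user's groups matches, else 'other'. The classes are not merged.
    """
    if entry.owner == user:
        return (entry.mode >> 6) & 7
    if entry.group in GROUPS.get(user, set()):
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def can(user: str, path: str, want: int) -> bool:
    """True if `user` holds permission `want` (R, W or X) on `path`.

    Every directory on the way must grant search (x) permission; if any one
    of them does not, nothing beneath it is reachable regardless of the
    target's own mode. This is the "can't access a directory somewhere in
    the path" rule from the question.
    """
    parts = path.strip("/").split("/")
    prefix = ""
    for comp in parts[:-1]:
        prefix += "/" + comp
        if not (_bits(FS[prefix], user) & X):
            return False
    return bool(_bits(FS[path], user) & want)


def writable_by(user: str) -> list:
    """Sorted list of paths `user` can write to: the web server's blast radius."""
    return sorted(p for p in FS if can(user, p, W))


if __name__ == "__main__":
    for user in ("www-data", "alice", "bob"):
        print(user, "can write:", writable_by(user))
    print("www-data reads alice's index.php:",
          can("www-data", "/home/alice/public_html/index.php", R))
    print("www-data reads alice's ssh key:",
          can("www-data", "/home/alice/.ssh/id_ed25519", R))
    print("alice can edit WordPress cache file:",
          can("alice", "/home/alice/public_html/wp-content/cache.php", W))
```

Running it shows that www-data's writable set is exactly wp-content and the file it created there, that bob's site is invisible to the server because /home/bob has no x bit for "other", and that alice can read but not modify the www-data-owned cache file, which is the behaviour the question observed.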