Ubuntu Server: chown user:www-data /var/www or not?

I set up a basic Ubuntu Server box to run WordPress but am having some problems, e.g. not being able to sFTP in and upload content to /var/www. After some searching I found that the way to get around this is to change the group or owner to www-data, but then somebody told me this was a big security risk. The problem is that if I don’t do this I don’t know how else WordPress is going to be able to write to the wp-content folder to install plugins and themes. Any tips or suggestions?