I attempted to get WordPress to update plugins automatically on my Debian server today, and found it a bit less than trivial due to the number of configuration gotchas.

[Update August 2014: Please create the ftpsecure user with -s /usr/sbin/nologin, otherwise it can log in over ssh!]

Assuming you're running a Debian server (I have 6.0 Squeeze), on which WordPress is installed in /var/www/site/public_html:

1) Install required packages. I used vsftpd.

sudo apt-get install vsftpd openssl

2) Configure vsftpd. I set the following options in /etc/vsftpd.conf

# Enable only local users, no anonymous
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022

# Allow only our special FTP user
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.allow_list

# Here's the security trick -- listen only on the local interface to 
# prevent external connections
listen_address=127.0.0.1

# Enable debugging until everything works :)
log_ftp_protocol=YES

3) Add a user for ftp access

# Add the user
sudo useradd ftpsecure -d /var/www -s /usr/sbin/nologin

# Set a password. Since vsftpd is only listening on localhost, the 
# security of this password isn't too important.
sudo passwd ftpsecure

# Add to the vsftpd allow list
echo "ftpsecure" | sudo tee -a /etc/vsftpd.allow_list

4) Turn on vsftpd:

sudo /etc/init.d/vsftpd restart

5) Set permissions for ftpsecure to access your wordpress files. I use access control lists (ACLs), but you could use chown/chmod if you want. These may seem like a bit to permissive -- keep in mind that the only way ftpsecure can log in is from your server.

setfacl -m u:ftpsecure:r-x /var/www/site/

# The updater needs access to the root site
setfacl -R -m u:ftpsecure:rwx /var/www/site/public_html
setfacl -R -d -m u:ftpsecure:rwx /var/www/site/public_html

7) Tell WordPress about your FTP credentials. In /var/www/site/public-html/wp-config.php:

define('FTP_HOST', 'localhost');
define('FTP_USER', 'ftpsecure');
define('FTP_PASS', '');

6) Run an update. If WordPress asks for the connection type, choose FTP. Try getting WordPress to update a plugin or the entire site. If it fails, view the log with

tail -f /var/log/vsftpd.log

and run the update again. You'll be able to tell from the log if there was a permission problem.

7) Disable logging. Remove the line

log_ftp_protocol=YES

in /etc/vsftpd.conf

8) You're done!

Comment below if these steps didn't work for you.

For reference, I used: