Quick fix

WordPress auto-update in hardened installs with wp-cli

WordPress has had its share of security holes, and to be fair the dev community has worked hard to plug them pretty quickly, but until auto-updates were introduced there was still a significant lag before those fixes reached the installations. And sometimes that was too late.

Auto-updates are great, but they come with one big caveat: the user that runs PHP has to have write access to the directory where WordPress is installed, and to a lot of people (including me) that doesn’t seem like a very good idea. Many users caution against giving a WordPress install any more permissions than are necessary, which normally means that the owner of the files should not be your web server (or the PHP process, depending on your setup): it only needs to read them and shouldn’t be able to modify anything outside of the uploads folder, so that a code-execution bug in a plugin cannot be used to rewrite the site’s own PHP.

This means goodbye to automatic updates, and we all know that if we have to do something by hand, again and again, there will eventually be a point when we forget, or something else comes up.

I was looking for a solution with two objectives in mind: I wanted it to be fully automatic, and I didn’t want to relax the permissions on my server. I found Liz Quilty’s WordPress Upgrade shell Script and I loved that it cleverly scanned for WordPress installs, but it’s conservatively hesitant about installing anything without your consent, and with regard to plugins and themes (which are the major source of wp vulnerabilities), it only installs them (by a shotgun approach: just overwriting all of them) when a core update is triggered.

Then I found wp-cli, an excellent tool to manage wp installs from the command line that diligently checks for updates against the WordPress API and installs them in a much more rationalized manner, including caching downloads. Check their website for install info. I instantly had the happy idea to use Liz’s directory scanning and frankenstein them together:

#!/bin/bash -e
#
# Core, plugin and theme updater for WordPress
# (C) 2017 Robert Sanchez
#
# Uses wp-cli to update wp installations, their plugins and their themes.
# Note: because of -e, the first failing wp command aborts the whole run,
# so one broken install stops the installs after it from being updated.

# Find all the WP installs: every wp-includes/version.php marks a root
FINDDIR="/var/www/"

# Now let's check each one. Reading find's output line by line (instead of
# word-splitting it) keeps paths that contain spaces intact.
find "${FINDDIR}" -path "*wp-includes/version.php" | while IFS= read -r file ; do
    # strip the fixed suffix to get the WordPress root
    wp_root="${file%wp-includes/version.php}"
    #enter the WordPress folder
    cd "$wp_root"
    # --allow-root is needed because cron runs this as root; it also means
    # wp-cli loads the site's PHP (plugins included) as root.
    wp core update --allow-root
    wp core update-db --allow-root
    wp plugin update --all --allow-root
    wp theme update --all --allow-root
    wp language core update --allow-root
done

Now this script can be added to a regular cron job (run as root, which is why every command passes --allow-root) and we don’t have to worry about manually updating all our WordPress installs or plugins.

Disclaimer: there are probably a hundred reasons why this is a very bad idea; a broken plugin or theme could break your site, exposing valuable data. Use at your own risk.
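Two of those reasons can be dealt with in the script itself: running wp-cli as root executes the site’s PHP (plugins included) as root, and with `bash -e` one broken install stops every install after it from being updated. The following is an added example, not the post’s script and not part of wp-cli: it does the same job but runs wp-cli as the user who owns each install (switching with sudo when started from root’s cron), records failures and keeps going, and with DRY_RUN=1 only lists the pending updates. It assumes GNU stat (`-c '%U'`), sudo, and a wp-cli binary on PATH; the variable names FINDDIR, WP_BIN and DRY_RUN are this example’s own.

```shell
#!/bin/sh
# Added example, not the original post's script: find every WordPress root
# under FINDDIR and update core, plugins, themes and language packs with
# wp-cli, running wp-cli as the owner of each install instead of as root.
# Assumptions: GNU coreutils stat (-c '%U'), a wp-cli binary on PATH (or in
# WP_BIN), and, when started from root's cron, sudo to switch user.

FINDDIR="${FINDDIR:-/var/www}"
WP_BIN="${WP_BIN:-wp}"

# Map a .../wp-includes/version.php path to its WordPress root (keeps the
# trailing slash, which wp --path accepts).
wp_root_of() {
    printf '%s\n' "${1%wp-includes/version.php}"
}

# Print every WordPress root under $1, one per line. Reading find's output
# line by line keeps paths with spaces intact (paths with newlines do not).
find_wp_roots() {
    find "$1" -path '*/wp-includes/version.php' -print 2>/dev/null |
        while IFS= read -r f; do wp_root_of "$f"; done
}

# Run a command as the given user: directly if we already are that user
# (e.g. a cron job owned by the site account), otherwise via sudo.
run_as() {
    _user=$1; shift
    if [ "$_user" = "$(id -un)" ]; then "$@"; else sudo -u "$_user" -H "$@"; fi
}

# Update one install. Returns 1 if the root cannot be stat'ed, 2 if it is
# owned by root (wp-cli loads the site's PHP, plugins included, so that
# would execute untrusted code as root), otherwise wp-cli's own status.
update_install() {
    root=$1
    owner=$(stat -c '%U' "$root" 2>/dev/null) || return 1
    if [ "$owner" = root ]; then
        echo "skip $root: owned by root, refusing to run site PHP as root" >&2
        return 2
    fi
    echo "== $root (owner: $owner)"
    if [ -n "${DRY_RUN:-}" ]; then
        run_as "$owner" "$WP_BIN" --path="$root" core check-update
        run_as "$owner" "$WP_BIN" --path="$root" plugin list --update=available --fields=name,version,update_version
        run_as "$owner" "$WP_BIN" --path="$root" theme list --update=available --fields=name,version,update_version
        return 0
    fi
    run_as "$owner" "$WP_BIN" --path="$root" core update &&
    run_as "$owner" "$WP_BIN" --path="$root" core update-db &&
    run_as "$owner" "$WP_BIN" --path="$root" plugin update --all &&
    run_as "$owner" "$WP_BIN" --path="$root" theme update --all &&
    run_as "$owner" "$WP_BIN" --path="$root" language core update
}

# Walk every install; remember failures but keep going. Exit 1 if any failed.
main() {
    rc=0
    roots=$(find_wp_roots "${1:-$FINDDIR}")
    [ -n "$roots" ] || { echo "no WordPress installs under ${1:-$FINDDIR}" >&2; return 0; }
    old_ifs=$IFS; IFS='
'
    set -f                          # split on newlines only, no globbing
    for root in $roots; do
        update_install "$root" || { echo "!! $root failed (exit $?)" >&2; rc=1; }
    done
    set +f; IFS=$old_ifs
    return "$rc"
}

main "$@"
```

Run it once with `DRY_RUN=1` to see what each install would pull in before putting it in cron. From root’s cron the `sudo -u` switch needs no password, and files written by the update stay owned by the site account, so the web server keeps read-only access exactly as before; if the job is instead scheduled in the site account’s own crontab, run_as calls wp directly and no sudo is involved. Installs that are owned by root are skipped on purpose rather than updated with --allow-root.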
