Enable WordPress Automatic Updates on a Debian Server

I attempted to get WordPress to update plugins automatically on my Debian server today, and found it a bit less than trivial due to the number of configuration gotchas.

[Update August 2014: Please create the ftpsecure user with -s /usr/sbin/nologin, otherwise it can log in over ssh!]

Assuming you’re running a Debian server (I have 6.0 Squeeze), on which WordPress is installed in /var/www/site/public_html:

1) Install required packages. I used vsftpd.

sudo apt-get install vsftpd openssl

2) Configure vsftpd. I set the following options in /etc/vsftpd.conf

# Enable only local users, no anonymous
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022

# Allow only our special FTP user
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.allow_list

# Here's the security trick -- listen only on the local interface to 
# prevent external connections
listen_address=127.0.0.1

# Enable debugging until everything works :)
log_ftp_protocol=YES

3) Add a user for ftp access

# Add the user
sudo useradd ftpsecure -d /var/www -s /usr/sbin/nologin

# Set a password. Since vsftpd is only listening on localhost, the 
# security of this password isn't too important.
sudo passwd ftpsecure

# Add to the vsftpd allow list
echo "ftpsecure" | sudo tee -a /etc/vsftpd.allow_list

4) Turn on vsftpd:

sudo /etc/init.d/vsftpd restart

5) Set permissions for ftpsecure to access your wordpress files. I use access control lists (ACLs), but you could use chown/chmod if you want. These may seem like a bit to permissive — keep in mind that the only way ftpsecure can log in is from your server.

setfacl -m u:ftpsecure:r-x /var/www/site/

# The updater needs access to the root site
setfacl -R -m u:ftpsecure:rwx /var/www/site/public_html
setfacl -R -d -m u:ftpsecure:rwx /var/www/site/public_html

7) Tell WordPress about your FTP credentials. In /var/www/site/public-html/wp-config.php:

define('FTP_HOST', 'localhost');
define('FTP_USER', 'ftpsecure');
define('FTP_PASS', '<password>');

6) Run an update. If WordPress asks for the connection type, choose FTP. Try getting WordPress to update a plugin or the entire site. If it fails, view the log with

tail -f /var/log/vsftpd.log

and run the update again. You’ll be able to tell from the log if there was a permission problem.

7) Disable logging. Remove the line

log_ftp_protocol=YES

in /etc/vsftpd.conf

8) You’re done!

Comment below if these steps didn’t work for you.

For reference, I used:

Posted in Software | Tagged , | 6 Comments

6 Responses to Enable WordPress Automatic Updates on a Debian Server

  1. JW says:

    Thanks for the informative post.

    I’m wondering if you would be kind enough to show the commands to use chown/chmod to set the permissions as stated. I’m just learning Debian and I’m having trouble with this part of the post. Thanks so much.

  2. AE says:

    This was really very helpful, but there seems to be a step missing: You have to add the new user ftpsecure to the file /etc/vsftpd.allow_list

  3. Vasek says:

    Thanks for very helpful post and thanks AE for the update. Work like charm now!!!

  4. Worked a treat on Debian Squeeze 6.0.7. Many thanks!

  5. Pingback: Get WordPress Going on Amazon EC2 with Linux | Johnsonism

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>