Enable WordPress Automatic Updates on a Debian Server
I attempted to get WordPress to update plugins automatically on my Debian server today, and found it a bit less than trivial due to the number of configuration gotchas.
[Update August 2014: Please create the ftpsecure user with -s /usr/sbin/nologin, otherwise it can log in over ssh!]
Assuming you're running a Debian server (I have 6.0 Squeeze), on which WordPress is installed in /var/www/site/public_html:
1) Install required packages. I used vsftpd.
sudo apt-get install vsftpd openssl
2) Configure vsftpd. I set the following options in /etc/vsftpd.conf:
# Enable only local users, no anonymous
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
# Allow only our special FTP user
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.allow_list
# Here's the security trick -- listen only on the local interface to
# prevent external connections
listen_address=127.0.0.1
# Enable debugging until everything works :)
log_ftp_protocol=YES
3) Add a user for ftp access
# Add the user
sudo useradd ftpsecure -d /var/www -s /usr/sbin/nologin
# Set a password. Since vsftpd is only listening on localhost, the
# security of this password isn't too important.
sudo passwd ftpsecure
# Add to the vsftpd allow list
echo "ftpsecure" | sudo tee -a /etc/vsftpd.allow_list
4) Turn on vsftpd:
sudo /etc/init.d/vsftpd restart
5) Set permissions for ftpsecure to access your WordPress files. I use access control lists (ACLs), but you could use chown/chmod if you want. These may seem a bit too permissive -- keep in mind that the only way ftpsecure can log in is from your server.
setfacl -m u:ftpsecure:r-x /var/www/site/ # The updater needs access to the root site
setfacl -R -m u:ftpsecure:rwx /var/www/site/public_html
setfacl -R -d -m u:ftpsecure:rwx /var/www/site/public_html
6) Tell WordPress about your FTP credentials. In /var/www/site/public_html/wp-config.php:
define('FTP_HOST', 'localhost');
define('FTP_USER', 'ftpsecure');
define('FTP_PASS', '');
7) Run an update. If WordPress asks for the connection type, choose FTP. Try getting WordPress to update a plugin or the entire site. If it fails, view the log with
tail -f /var/log/vsftpd.log
and run the update again. You'll be able to tell from the log if there was a permission problem.
8) Disable logging. Remove the line
log_ftp_protocol=YES
in /etc/vsftpd.conf
9) You're done!
Comment below if these steps didn't work for you.
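An added example, not part of the original post: a small shell audit for the settings the steps above depend on (loopback-only listener, no anonymous access, allow-list enforcement, and a non-login shell for ftpsecure). The function names and the sample data in demo are constructed for illustration, and the script assumes vsftpd honours the last uncommented assignment of an option.

```shell
#!/bin/bash
# Added example (not from the original post): audit the settings the steps above rely on.

# Effective value of a vsftpd option; assumes the last uncommented assignment wins.
conf_value() {  # usage: conf_value <conf_file> <option>
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Returns the number of failed checks (0 = config matches the post).
audit_vsftpd_conf() {  # usage: audit_vsftpd_conf <conf_file>
    local conf=$1 failures=0 want opt got
    for want in anonymous_enable=NO listen_address=127.0.0.1 \
                userlist_enable=YES userlist_deny=NO; do
        opt=${want%%=*}
        got=$(conf_value "$conf" "$opt")
        if [ "$got" = "${want#*=}" ]; then
            echo "ok    $want"
        else
            echo "FAIL  $opt='$got', expected ${want#*=}"
            failures=$((failures + 1))
        fi
    done
    if [ "$(conf_value "$conf" log_ftp_protocol)" = YES ]; then
        echo "note  log_ftp_protocol=YES is still enabled"
    fi
    return "$failures"
}

# Succeeds only if <user> exists in a passwd-format file with a non-login shell.
user_has_nologin_shell() {  # usage: user_has_nologin_shell <passwd_file> <user>
    case $(awk -F: -v u="$2" '$1 == u { print $7 }' "$1") in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: a config with no listen_address line, and a passwd
# entry with a login shell (the case the August 2014 update warns about).
demo() {
    local dir; dir=$(mktemp -d)
    printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES \
        userlist_deny=NO log_ftp_protocol=YES > "$dir/vsftpd.conf"
    echo 'ftpsecure:x:1001:1001::/var/www:/bin/sh' > "$dir/passwd"
    audit_vsftpd_conf "$dir/vsftpd.conf" || echo "=> $? check(s) failed"
    user_has_nologin_shell "$dir/passwd" ftpsecure || echo "=> ftpsecure can log in over ssh"
    rm -rf "$dir"
}
demo
```

Against a live server, call audit_vsftpd_conf /etc/vsftpd.conf and user_has_nologin_shell /etc/passwd ftpsecure.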
For reference, I used:
9 comments:
JW at 2012-09-26 16:29:18 -0400
Thanks for the informative post. I'm wondering if you would be kind enough to show the commands to use chown/chmod to set the permissions as stated. I'm just learning Debian and I'm having trouble with this part of the post. Thanks so much.
AE at 2012-10-02 17:12:48 -0400
This was really very helpful, but there seems to be a step missing: You have to add the new user ftpsecure to the file /etc/vsftpd.allow_list
Vasek at 2013-01-04 12:58:32 -0500
Thanks for the very helpful post, and thanks AE for the update. Works like a charm now!!!
Devin Lane at 2013-05-05 14:40:23 -0400
Thanks for noticing that AE -- updated.
Andy Teh CPHQ at 2013-06-04 03:42:37 -0400
Worked a treat on Debian Squeeze 6.0.7. Many thanks!
Get WordPress Going on Amazon EC2 with Linux | Johnsonism at 2014-01-20 02:23:06 -0500
[...] Get vsftpd going: http://shiftedbits.org/2012/01/29/enable-wordpress-automatic-updates-on-a-debian-server/ [...]
randy bastian at 2015-04-18 22:43:10 -0400
Thanks for your info... Great...
James Vasile at 2015-06-02 13:29:22 -0400
BTW, because ftpsecure specifies a user with the nologin shell, I had to edit /etc/pam.d/vsftpd to remove the auth required line. If the instructions fail with the ftpsecure user but work with a normal user that can log in, this is likely your culprit.
Jamie at 2017-01-25 17:33:26 -0500
Hi, I followed the instructions, but I'm getting 530 errors-- client can't connect. Invalid login. However, I am quite certain that the credentials are correct. Any advice? Thanks!