Please Update!

Seems like every time I go to post something, which is not all that often, I need to update WordPress again. The post I made this morning was no exception, so I updated to v4.5.0 before making my post.

Annoyingly, only a few hours after updating and verifying that I had the latest, I got the following email:

Please update your site at to WordPress 4.5.1.

We tried but were unable to update your site automatically. Updating is easy and only takes a few moments:

If you experience any issues or need support, the volunteers in the support forums may be able to help.

Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers.

The WordPress Team

Damned right you were unable to automatically update my site for me!

I guess the WordPress team and I have significantly different views on how to keep things secure. For me there are a couple of main items:

  • Make sure that nothing that the web server can access is writable by the web server.
  • Make sure that the only write access or shell logins allowed are via encrypted connections using pre-shared keys.
  • Do not allow other people, including “the WordPress Team”, write access to any place on any of my servers.

So my setup, which I feel is a foundation for server security, breaks the various ways that WordPress can update itself. And that includes me using the management panel provided by WordPress on the web site.

Here is how I manage web site updates (most of the sites I manage I wrote the code for myself):

  • There is a bare git repository on the web server for each web site.
  • I make and test changes on my home laptop. When I am satisfied with the changes, I commit them to the git repository on my laptop.
  • When ready, I push the changes from my laptop git repository to the git repository on the web server.
  • Post commit hooks on the website’s git repository export a new copy of the master branch to the active website directory.

To update WordPress, I download the latest off their website. Pull the files into my laptop workspace, verify the changes, commit them and then push to the server.