Okay, it is probably me and my odd way of doing things, but the “easy update” part of WordPress is not easy.
I only allow access to management functions on the server via ssh with pre-shared keys. Password login is disabled. FTP is disabled. SFTP is done through ssh and again requires the id_rsa.pub key for each of my allowed users.
But WordPress does not come configured for that. And a cursory web search did not turn up a quick config change to make it do that.
I ended up doing for this blog what I have done for all my other web sites: Put a bare git repository on the server with a post-receive hook to check out all changes into the actual web directory. When I want to make a change, I do it first on my laptop and when I am satisfied I commit the change locally then push the change to the server using the standard git commands.
For WordPress I am now downloading the ZIP of their new version to my laptop, updating my local git working directory, checking in the actual changes, do a local commit and then push the result to the web server. Seems to work but is a bit annoying.
Now I can go on and do the post I logged in to do instead of looking at that update notice.