
Enabling unattended security upgrades

Having up to date software plays a critical role in server security, even if you're away on vacation for two weeks. In this lesson we'll make sure unattended security upgrades are running daily on your WordPress server.

Note that this covers software you install using the apt package manager on your system, and not WordPress itself, themes or plugins. We'll cover those in a different module.

Installing unattended-upgrades

If you're working with a reputable VPS or dedicated server provider, chances are that unattended-upgrades is already installed and enabled as part of the server provisioning process.

However, some vendors still choose not to install or enable this package by default for stability reasons: upgrading a package without supervision is a risk, and an upgrade may result in service disruption or downtime.

Unless you're willing to manually perform updates every day, I highly recommend acknowledging this risk and enabling unattended upgrades. In future modules we'll put some monitoring systems in place to alert us when things go wrong.

Install it with:

sudo apt update
sudo apt install unattended-upgrades

Enable it with:

sudo dpkg-reconfigure --priority=low unattended-upgrades

[Screenshot: enabling unattended-upgrades on Ubuntu]

This will create a /etc/apt/apt.conf.d/20auto-upgrades file with the following contents:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The first line tells apt to refresh its package lists daily; the second enables the daily unattended upgrade run.

The more interesting configuration lives in /etc/apt/apt.conf.d/50unattended-upgrades, which I encourage you to skim through. There are quite a few options worth considering, such as Automatic-Reboot: set it to true to reboot the system automatically when an upgrade requires it, and use Automatic-Reboot-Time to make sure that reboot doesn't happen during peak traffic.

If you don't enable automatic reboots, the updates will still apply, but you'll see a System restart required message every time you log in. I don't recommend ignoring this message. Reboot at your earliest convenience.

You can also have it email reports, or only errors, but you'll need some mail software configured before that works. We'll configure mail delivery in a future module.

If you are going to change this file, I recommend making a full copy to keep in your config repository and symlinking it into place under a name with a higher sort order, such as /etc/apt/apt.conf.d/60-wpshell-unattended-upgrades, so that your copy is read after the package default.

Testing & logging

Unattended upgrades will run daily, which on modern systems is done through systemd timers. You can check the current daily timers using:

sudo systemctl list-timers 'apt-daily*' --all

You should see two timers: the apt-daily.timer updates the package lists every day, and the apt-daily-upgrade.timer runs unattended upgrades. You can simulate a run to verify your configuration using:

sudo unattended-upgrade --dry-run --debug

You can drop the --dry-run flag if you'd like to actually apply some updates.

The log files for unattended upgrades are in /var/log/unattended-upgrades/, and if installed from official packages, you should have a logrotate configuration for it as well in /etc/logrotate.d/unattended-upgrades.
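As an added example (not part of the lesson), the following shell script checks the two settings from 20auto-upgrades and counts ERROR/WARNING lines in the unattended-upgrades log; the sample config and log lines it writes are constructed, and the --system mode reads the real paths named above.

```shell
#!/bin/sh
# Added check script (not part of the lesson). Parses the two settings shown in
# /etc/apt/apt.conf.d/20auto-upgrades and counts ERROR/WARNING lines in the
# unattended-upgrades log. Run with --system to inspect the real files;
# without arguments it runs against constructed sample files.

# apt_periodic_value FILE NAME: print the value of APT::Periodic::NAME ("1"/"0")
apt_periodic_value() {
    sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# auto_upgrades_enabled FILE: succeed only if list refresh and upgrades are both on
auto_upgrades_enabled() {
    [ "$(apt_periodic_value "$1" Update-Package-Lists)" = "1" ] &&
        [ "$(apt_periodic_value "$1" Unattended-Upgrade)" = "1" ]
}

# count_log_errors LOGFILE: number of ERROR/WARNING lines (line format assumed to be
# "YYYY-MM-DD HH:MM:SS,ms LEVEL message"); prints 0 for a clean or missing log
count_log_errors() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cE '^[0-9-]+ [0-9:,]+ (ERROR|WARNING) ' "$1" || true
}

# write_samples DIR: constructed stand-ins for the real config and log files
write_samples() {
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
        > "$1/20auto-upgrades"
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' \
        > "$1/20auto-upgrades.disabled"
    printf '%s\n' \
        '2024-01-10 06:32:01,117 INFO Starting unattended upgrades script' \
        '2024-01-10 06:32:05,402 INFO Packages that will be upgraded: openssl' \
        '2024-01-10 06:33:10,009 WARNING Package libexample has conffile prompt and needs to be upgraded manually' \
        '2024-01-11 06:31:44,880 ERROR Could not find package that was to be installed' \
        > "$1/unattended-upgrades.log"
}

# report CONF LOG: human-readable summary of the two checks
report() {
    if auto_upgrades_enabled "$1"; then echo "unattended upgrades: enabled"
    else echo "unattended upgrades: NOT enabled (check $1)"; fi
    echo "ERROR/WARNING lines in $2: $(count_log_errors "$2")"
}

if [ "${1:-}" = "--system" ]; then
    report /etc/apt/apt.conf.d/20auto-upgrades /var/log/unattended-upgrades/unattended-upgrades.log
    [ -f /var/run/reboot-required ] && echo "system restart required"
else
    d=$(mktemp -d); write_samples "$d"
    report "$d/20auto-upgrades" "$d/unattended-upgrades.log"; rm -rf "$d"
fi
```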
