By Philip Knerr
Introduction
Installations of the WordPress content management system (CMS) do not necessarily update themselves. While automatic updates can be enabled, this only works for minor and patch releases on some server configurations.
When hardening a server, you can improve security by frequently updating the WordPress CMS to the latest version. This is useful because many updates to WordPress patch security holes and generally fix bugs. Newer versions of WordPress also frequently add new functionality which you can use to improve your WordPress site.
The context and caveats in the Foreword apply to this article.
This information is current as of July 19, 2017.
Requirements
This article assumes you have already installed the WordPress CMS on a server which is based on one of the following:
- The Linux operating system.
- Another *nix operating system.
- The macOS (or OS X) operating system.
This article also assumes a basic familiarity with using and administering the WordPress CMS.
The instructions below were tested on an Amazon EC2 instance based on the Amazon Linux operating system. However, nothing in this article is specific to this configuration.
Backing Up First, Just In Case
It is wise to back up the database for, and files in, the WordPress instance before it is upgraded. This reduces the risk of losing data in the unlikely event that something goes wrong with the upgrade.
The following shell script can be executed to back up the database:
#!/bin/sh -
#
# Backs up the database for a WordPress instance.
#
# This script must be executed in the directory in which the backup
# should be stored.
#
# The backup will be written to a file named
# `wordpress-db-backup-TIMESTAMP.sql`,
# where `TIMESTAMP` is the date and time of the backup.
#
# The script may be executed as the database user as which WordPress
# authenticates, unless the privileges of that database user have been
# restricted to improve security.
#
mysqldump --comments --dump-date --user=root --password wordpress > wordpress-db-backup-`date +%Y%m%d%H%M`.sql
In the code above, if your database has any name other than wordpress, change all instances of wordpress to the actual database name.
The following shell script can be executed to back up the files:
#!/bin/sh -
#
# Backs up the files in a WordPress instance.
#
# This script must be executed in the directory in which the backup
# should be stored.
#
# The backup will be stored in a subdirectory named
# `wordpress-files-backup-TIMESTAMP.sql`,
# where `TIMESTAMP` is the date and time of the backup.
#
# The script may be executed as any user who has read access to
# all files in the WordPress installation.
#
cp -r /mnt/data1/vhosts/wordpress wordpress-files-backup-`date +%Y%m%d%H%M`
In the code above, if your WordPress instance exists in any directory other than /mnt/data1/vhosts/wordpress, change that directory to the actual directory containing your WordPress instance.
Please note the caveats in the shell scripts above.
These instructions can also be followed as needed to create backups for their own sake. Ideally, you should back up your WordPress instance on a regular basis.
Upgrading WordPress from the Dashboard
WordPress can be updated from its own Dashboard. However, this works only if the web server executes as a user who has write access to the files for the WordPress instance. (This is easier but suboptimal for security.) To do so, follow these steps:
Log in to the WordPress Dashboard.
In the left navigation, click on “Updates”.
You can optionally click the “Check Again” button to confirm which version of WordPress is the most recent.
If you are not running the most recent version of WordPress, a message will appear in large letters: “An updated version of WordPress is available.” If you see this message, click the Update Now button.
On this page, you can also update any plugins and themes that are out of date.
Upgrading WordPress using WP-CLI
WordPress can also be updated using WP-CLI, the command line interface for WordPress. This will work even if the web server does not execute as the user who owns the files for the WordPress installation.
To learn more about using WordPress from the command line, see Command line interface for WordPress | WP-CLI.
Before proceeding, you’ll need to:
- Open a shell or Terminal instance to the web server.
- Log in as the user who owns the files for the WordPress installation.
To do so, follow these steps:
Installing or Upgrading WP-CLI
If WP-CLI is not already installed, install it using the instructions at the link above.
If WP-CLI is already installed, upgrade it using the instructions at the link above. This is necessary because newer versions of WP-CLI are periodically released. Outdated versions of WP-CLI may be incompatible with the most recent version of WordPress. For example, using an outdated version of WP-CLI with the most recent version of WordPress resulted in the following error:
PHP Fatal error: Uncaught Error: Call to undefined function apply_filters() in [WordPress root directory]/wp-includes/load.php:316
Stack trace:
#0 phar:///usr/local/bin/wp/php/utils-wp.php(22): wp_debug_mode()
#1 phar:///usr/local/bin/wp/php/wp-settings-cli.php(59): WP_CLI\Utils\wp_debug_mode()
#2 phar:///usr/local/bin/wp/php/WP_CLI/Runner.php(807): require('phar:///usr/loc...')
#3 phar:///usr/local/bin/wp/php/WP_CLI/Runner.php(755): WP_CLI\Runner->load_wordpress()
#4 phar:///usr/local/bin/wp/php/wp-cli.php(21): WP_CLI\Runner->start()
#5 phar:///usr/local/bin/wp/php/boot-phar.php(5): include('phar:///usr/loc...')
#6 /usr/local/bin/wp(4): include('phar:///usr/loc...')
#7 {main}
thrown in [WordPress root directory]/wp-includes/load.php on line 316
Updating the WordPress core
First, change to the root directory for the WordPress installation. All commands listed below should be executed from this directory. For example, if WordPress is installed in /mnt/data1/vhosts/wordpress/web, you could execute the following command:
cd /mnt/data1/vhosts/wordpress/web
To confirm which version of the WordPress core is the most recent, execute the following command:
wp core check-update
If you are running the latest version of the WordPress core, this command will output:
Success: WordPress is at the latest version.
If you see this message, congratulations! No further action is required for the WordPress core.
If you are not running the latest version, this command will output a list of relatively recent versions of the WordPress core. This output will look like:
+---------+-------------+-----------------------------------------------------------------------+
| version | update_type | package_url |
+---------+-------------+-----------------------------------------------------------------------+
| 4.7.5 | minor | https://downloads.wordpress.org/release/wordpress-4.7.5-partial-2.zip |
| 4.8 | major | https://downloads.wordpress.org/release/wordpress-4.8.zip |
+---------+-------------+-----------------------------------------------------------------------+
If a newer version is available, update the WordPress core by executing the following command:
wp core update
If successful, the output of this command should look something like this:
Updating to version 4.8 (en_US)...
Downloading update from https://downloads.wordpress.org/release/wordpress-4.8-no-content.zip...
Unpacking the update...
Cleaning up files...
No files found that need cleaned up.
Success: WordPress updated successfully.
Updating plugins
To list installed plugins, along with information about any available updates, execute the following command:
wp plugin list
The output of this command should look something like this:
+-------------+----------+-----------+---------+
| name | status | update | version |
+-------------+----------+-----------+---------+
| akismet | inactive | available | 3.1.11 |
| hello | active | none | 1.6 |
| wp-markdown | active | none | 1.5.1 |
+-------------+----------+-----------+---------+
To update a plugin, execute the following command, where <pluginName> is the name of the plugin in the list:
wp plugin update <pluginName>
If successful, the output of this command should look something like this:
Downloading update from https://downloads.wordpress.org/plugin/akismet.3.3.3.zip...
Unpacking the update...
Installing the latest version...
Removing the old version of the plugin...
Plugin updated successfully.
+---------+-------------+-------------+---------+
| name | old_version | new_version | status |
+---------+-------------+-------------+---------+
| akismet | 3.1.11 | 3.3.3 | Updated |
+---------+-------------+-------------+---------+
Success: Updated 1 of 1 plugins.
Updating themes
To list installed themes, along with information about any available updates, execute the following command:
wp theme list
The output of this command should look something like this:
+----------------+----------+-----------+---------+
| name | status | update | version |
+----------------+----------+-----------+---------+
| aplos | active | available | 1.1.2 |
| twentyfifteen | inactive | available | 1.5 |
| twentyfourteen | inactive | available | 1.7 |
| twentythirteen | inactive | available | 1.9 |
+----------------+----------+-----------+---------+
To update a theme, execute the following command, where <themeName> is the name of the theme in the list:
wp theme update <themeName>
If successful, the output of this command should look something like this:
Enabling Maintenance mode...
Downloading update from https://downloads.wordpress.org/theme/aplos.1.2.0.zip...
Unpacking the update...
Installing the latest version...
Removing the old version of the theme...
Theme updated successfully.
Disabling Maintenance mode...
+-------+-------------+-------------+---------+
| name | old_version | new_version | status |
+-------+-------------+-------------+---------+
| aplos | 1.1.2 | 1.2.0 | Updated |
+-------+-------------+-------------+---------+
Success: Updated 1 of 1 themes.
Installing plugins
You can even use WP-CLI to install and activate plugins. For example, the WP-Markdown plugin is highly recommended because it enables Markdown syntax in WordPress content. To install and activate this plugin, follow these steps:
Install the wp-markdown plugin by executing the following command:
wp plugin install wp-markdown
If successful, the output of this command should look something like this:
Installing WP-Markdown (1.5.1)
Downloading install package from https://downloads.wordpress.org/plugin/wp-markdown.1.5.1.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Then, activate the wp-markdown plugin by executing the following command:
wp plugin activate wp-markdown
If successful, the output of this command should look something like this:
Success: Plugin 'wp-markdown' activated.
New plugins often require configuration. For example, to activate Markdown syntax, you’ll need to access the WordPress Dashboard in your browser. Then, under the Settings menu in the left navigation, select Writing. This page will now have a section, under a heading of MarkDown, which allows you to selectively enable Markdown syntax.
Conclusion
You now have the latest version of the WordPress CMS. Your WordPress installation is now more functional and more secure. Congratulations!
You also now have a straightforward way to back up your WordPress installation. This should be used on a regular basis.
You also now have a powerful command line interface (CLI) for your WordPress installation. You also know some of the most commonly used commands for this CLI.
–Phil Knerr