Securing a web server that runs WordPress is important. This tutorial shows how to install the latest Debian security updates automatically, even while you sleep, using the unattended-upgrades package. Configuring automatic security updates for the server that hosts WordPress shortens the window in which a known vulnerability can be used against it, and it helps you avoid headaches such as your server going down. It is the same idea as keeping WordPress and its plugins and themes up to date: better safe than sorry!
How to Configure Automatic Security Updates for Debian
Install the unattended-upgrades package, preseeding the auto-updates setting to true before installing
sudo apt-get update
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | sudo debconf-set-selections
sudo apt-get install unattended-upgrades -y
Double-check that automatic upgrades are enabled
cat /etc/apt/apt.conf.d/20auto-upgrades
You should see these two values set to 1, meaning they are enabled
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
If the file is empty or doesn’t exist, you can tell unattended-upgrades to create it with this command
sudo dpkg-reconfigure --priority=low unattended-upgrades
To add custom origins for packages, I found this useful snippet.
List your apt lists directory
ls -ls /var/lib/apt/lists
I see the dotdeb repository that I want to enable upgrades for
/var/lib/apt/lists/packages.dotdeb.org_dists_jessie_InRelease
We just need to extract the Origin and Label for unattended-upgrades
grep Origin /var/lib/apt/lists/packages.dotdeb.org_dists_jessie_InRelease
grep Label /var/lib/apt/lists/packages.dotdeb.org_dists_jessie_InRelease
You will see these two lines, which we will add to unattended-upgrades
Origin: packages.dotdeb.org
Label: packages.dotdeb.org
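The two grep commands above cover one repository. As an added example that is not part of the original post, the script below generalises them: it reads the Origin and Label headers from every InRelease or Release file in an apt lists directory and prints ready-to-paste Origins-Pattern entries, skipping files that lack either header. It assumes the /var/lib/apt/lists file layout shown above; the sample InRelease files it writes are constructed so that it runs offline.

```shell
# Added example (not from the original post): turn the Origin/Label headers of
# every Release/InRelease file in an apt lists directory into
# Origins-Pattern entries. Layout as in /var/lib/apt/lists; sample files below
# are constructed.

# Print one  "origin=<Origin>,label=<Label>";  line per Release/InRelease file in $1.
origins_from_lists() {
    lists_dir="$1"
    for rel in "$lists_dir"/*_InRelease "$lists_dir"/*_Release; do
        [ -f "$rel" ] || continue
        # Header fields are "Name: value" lines; take the first of each.
        origin=$(sed -n 's/^Origin:[[:space:]]*//p' "$rel" | head -n 1)
        label=$(sed -n 's/^Label:[[:space:]]*//p' "$rel" | head -n 1)
        # A file lacking either header cannot be matched by an origin/label pattern.
        if [ -z "$origin" ] || [ -z "$label" ]; then
            printf 'skipping %s: missing Origin or Label\n' "$rel" >&2
            continue
        fi
        printf '        "origin=%s,label=%s";\n' "$origin" "$label"
    done | sort -u
}

# Build a throwaway lists directory with constructed sample headers (values
# modelled on the Origin/Label output shown in the post) and print its path.
make_sample_lists() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/packages.dotdeb.org_dists_jessie_InRelease" <<'EOF'
Origin: packages.dotdeb.org
Label: packages.dotdeb.org
Suite: jessie
Codename: jessie
EOF
    cat > "$sample_dir/security.debian.org_dists_jessie_updates_InRelease" <<'EOF'
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: jessie
EOF
    # Constructed: a repository whose Release file has no Label header, to show the skip path.
    cat > "$sample_dir/example.invalid_dists_jessie_InRelease" <<'EOF'
Origin: example.invalid
Suite: jessie
EOF
    printf '%s\n' "$sample_dir"
}

# Stand-alone run: print the patterns for the constructed sample, then clean up.
demo_dir=$(make_sample_lists)
origins_from_lists "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the real directory with `origins_from_lists /var/lib/apt/lists` and paste only the lines for repositories you actually trust into the Origins-Pattern block; the script deliberately prints candidates rather than editing 50unattended-upgrades itself.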
We need to add this to the unattended-upgrades allow list in this file
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Add the origin line for the dotdeb repository.
// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
"origin=Debian,archive=stable,label=Debian-Security";
"origin=Debian,archive=oldstable,label=Debian-Security";
"origin=packages.dotdeb.org,label=packages.dotdeb.org";
};
Make sure that, in the same file, automatic reboot is set to false (source)
Unattended-Upgrade::Automatic-Reboot "false";
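Both settings above (the two Periodic values set to 1 and Automatic-Reboot set to false) are easy to get wrong across a fleet of servers. As an added example that is not part of the original post, the following read-only check parses the apt.conf files directly, so it also works on copies of the configuration collected from a server. It assumes the file paths used in this post (/etc/apt/apt.conf.d/20auto-upgrades and 50unattended-upgrades); the sample files it writes are constructed so that it runs offline.

```shell
# Added example (not from the original post): verify the three settings this
# tutorial relies on by parsing the apt.conf files. Paths follow the post;
# the sample configuration files written below are constructed.

# Print the value of KEY from an apt.conf-style FILE: // comments are dropped
# and the last uncommented  KEY "value";  assignment wins. The comment strip
# is naive: it would also truncate a quoted URL containing //, which none of
# the options checked here carry.
apt_conf_value() {
    conf_file="$1"
    key="$2"
    sed -e 's#//.*$##' "$conf_file" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" \
        | tail -n 1
}

# Return 0 when periodic list updates and unattended upgrades are both "1" and
# Automatic-Reboot is explicitly "false"; report each deviation on stderr.
check_unattended_config() {
    periodic_file="$1"
    main_file="$2"
    rc=0
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        if [ "$(apt_conf_value "$periodic_file" "$key")" != "1" ]; then
            printf '%s is not set to "1" in %s\n' "$key" "$periodic_file" >&2
            rc=1
        fi
    done
    if [ "$(apt_conf_value "$main_file" Unattended-Upgrade::Automatic-Reboot)" != "false" ]; then
        printf 'Unattended-Upgrade::Automatic-Reboot is not set to "false" in %s\n' "$main_file" >&2
        rc=1
    fi
    return $rc
}

# Write constructed 20auto-upgrades and 50unattended-upgrades files into DIR,
# with Automatic-Reboot set to REBOOT ("false" or "true"). A commented-out
# "true" line is included to show that comments are ignored.
write_sample_configs() {
    dir="$1"
    reboot="$2"
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$dir/50unattended-upgrades" <<EOF
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,archive=stable,label=Debian-Security";
        "origin=packages.dotdeb.org,label=packages.dotdeb.org";
};
// Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot "$reboot";
EOF
}

# Stand-alone run against a constructed "good" configuration.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir" false
if check_unattended_config "$demo_dir/20auto-upgrades" "$demo_dir/50unattended-upgrades"; then
    echo "unattended-upgrades configuration looks correct"
fi
rm -rf "$demo_dir"
```

On a live host, call `check_unattended_config /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/50unattended-upgrades`; a non-zero exit with the printed reason is what you would wire into a configuration-drift check.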
Test Unattended Upgrades will Work
The test procedure here is derived from this excellent tutorial.
To make sure unattended-upgrade will work as intended, do a dry run at a time when you know updates are available
sudo unattended-upgrade --debug --dry-run
If nothing is pending, you will see output like this
Initial blacklisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,archive=stable,label=Debian-Security', 'origin=Debian,archive=oldstable,label=Debian-Security', 'origin=packages.dotdeb.org,label=packages.dotdeb.org']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended
If you do have packages to update, the output looks like this instead
Allowed origins are: ['origin=Debian,codename=jessie,label=Debian-Security', 'origin=packages.dotdeb.org,label=packages.dotdeb.org']
Checking: debhelper ([])
Checking: exim4 ([])
Checking: exim4-base ([])
Checking: exim4-config ([])
Checking: exim4-daemon-light ([])
Checking: libdbd-mysql-perl ([])
Checking: libgd3 ([])
Checking: libintl-perl ([])
Checking: libmodule-build-perl ([])
Checking: libmysqlclient18 ([])
Checking: libperl5.20 ([])
Checking: mariadb-client ([])
Checking: mariadb-client-10.0 ([])
Checking: mariadb-client-core-10.0 ([])
Checking: mariadb-common ([])
Checking: mariadb-server ([])
Checking: mariadb-server-10.0 ([])
Checking: mariadb-server-core-10.0 ([])
Checking: mysql-common ([])
Checking: openssh-client ([])
Checking: openssh-server ([])
Checking: openssh-sftp-server ([])
Checking: perl ([])
Checking: perl-base ([])
Checking: perl-modules ([])
Checking: php5-cli ([])
Checking: php5-common ([])
Checking: php5-readline ([])
Checking: php7.0-cli ([])
Checking: php7.0-common ([])
Checking: php7.0-curl ([])
Checking: php7.0-dev ([])
Checking: php7.0-fpm ([])
Checking: php7.0-gd ([])
Checking: php7.0-json ([])
Checking: php7.0-mysql ([])
Checking: php7.0-opcache ([])
Checking: php7.0-readline ([])
Checking: php7.0-xml ([])
Checking: tzdata ([])
pkgs that look like they should be upgraded: debhelper
exim4
exim4-base
exim4-config
exim4-daemon-light
libdbd-mysql-perl
libgd3
libintl-perl
libmodule-build-perl
libmysqlclient18
libperl5.20
mariadb-client
mariadb-client-10.0
mariadb-client-core-10.0
mariadb-common
mariadb-server
mariadb-server-10.0
mariadb-server-core-10.0
mysql-common
openssh-client
openssh-server
openssh-sftp-server
perl
perl-base
perl-modules
php5-cli
php5-common
php5-readline
php7.0-cli
php7.0-common
php7.0-curl
php7.0-dev
php7.0-fpm
php7.0-gd
php7.0-json
php7.0-mysql
php7.0-opcache
php7.0-readline
php7.0-xml
...
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: debhelper exim4 exim4-base exim4-config exim4-daemon-light libdbd-mysql-perl libgd3 libintl-perl libmodule-build-perl libmysqlclient18 libperl5.20 mariadb-client mariadb-client-10.0 mariadb-client-core-10.0 mariadb-common mariadb-server mariadb-server-10.0 mariadb-server-core-10.0 mysql-common openssh-client openssh-server openssh-sftp-server perl perl-base perl-modules php5-cli php5-common php5-readline php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gd php7.0-json php7.0-mysql php7.0-opcache php7.0-readline php7.0-xml
You can check the unattended-upgrades log in this file
cat /var/log/unattended-upgrades/unattended-upgrades.log
Sources
Brightbox Unattended Upgrades
Ubuntu Automatic Security Updates
Debian Unattended Upgrades
Stop Unattended Upgrades from Rebooting