It's annoying to have to remember all my dumb WP sites scattered all over and then logging in and keeping all those updated, so I set up a script I can run as root to update everything.
For each site, I have a stanza like this in a little bash script.
#!/bin/bash
echo "Updating blog.schoolfield.org"
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html core update
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html core update-db
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html plugin update --all
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html theme update --all
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html transient delete --expired
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html cache flush
So just run that and it'll apply any updates for WP core, the database, all plugins, and all themes. And then clean up expired transients and flush the cache, for good measure.
[root@miss anna]# bash wp-update
Updating blog.schoolfield.org
Success: WordPress is up to date.
Success: WordPress database already at latest db version 57155.
Success: Plugin already updated.
Success: Theme already updated.
Success: 1 expired transient deleted from the database.
Success: The cache was flushed.
Never, never, never ever run wp-cli commands as root, not even to list the version. Note in all these wp-cli commands I’m doing it as sudo for the username. So even though I’m running this script as root, the wp-cli commands are executed as the user.
I did another little script to list the versions for everything.
#!/bin/bash
echo "Versions for blog.schoolfield.org"
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html core version --extra
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html plugin list
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html theme list
Which spits out a nice little list.
[root@miss anna]# bash wp-versions
Versions for blog.schoolfield.org
WordPress version: 6.5.2
Database revision: 57155
TinyMCE version: 4.9110 (49110-20201110)
Package language: en_US
+------------+--------+--------+---------+----------------+-------------+
| name | status | update | version | update_version | auto_update |
+------------+--------+--------+---------+----------------+-------------+
| tablepress | active | none | 2.3 | | on |
| wordfence | active | none | 7.11.5 | | on |
+------------+--------+--------+---------+----------------+-------------+
+------------------+----------+--------+---------+----------------+-------------+
| name | status | update | version | update_version | auto_update |
+------------------+----------+--------+---------+----------------+-------------+
| twentysixteen | active | none | 3.2 | | off |
| twentytwentyfour | inactive | none | 1.1 | | off |
+------------------+----------+--------+---------+----------------+-------------+
While I was at it with scripting wp-cli stuff, I set up a script to verify checksums for WP core and plugins (nothing like that is available for themes) and list the users.
#!/bin/bash
echo "Verifying blog.schoolfield.org"
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html core verify-checksums
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html plugin verify-checksums --all
sudo -u blog /usr/local/bin/wp --path=/home/blog/domains/blog.schoolfield.org/public_html user list
So that's a handy way to check all that to see if there have been any intrusions.
Verifying blog.schoolfield.org
Success: WordPress installation verifies against checksums.
Success: Verified 2 of 2 plugins.
+----+------------+--------------+----------------------+---------------------+---------------+
| ID | user_login | display_name | user_email | user_registered | roles |
+----+------------+--------------+----------------------+---------------------+---------------+
| 1 | anna | anna | anna@schoolfield.org | 2015-03-03 15:53:51 | administrator |
+----+------------+--------------+----------------------+---------------------+---------------+
This site got compromised a few years ago with a malicious redirect and despite my best efforts, I couldn’t track it down and had to restore from a backup. The intrusion vector was an outdated gallery plugin that I’ve since uninstalled since all I had on it was a bunch of silly memes.
Since then, I've tried to be better with keeping stuff up to date, but it's tedious when I've got 4 WP sites on this server. So time consuming to have to log into all the sites and manually click on all the updates. I know better, why am I annoying myself with all that. Took me about half an hour to script all this and some of that was confirming where my WP installations are.
My sites are all really simple with few plugins so I’m not really concerned about updates breaking stuff. If it does, I'll just fix it, whatever.
This should be a fast, easy way for me to keep all my WP up to date and also check if there's been any funny business with site files and user accounts.