Building a Self-Patching WordPress Installation on AWS


I’ve been playing around with AWS for a while, and had worked out a fairly easy way to keep the underlying OS of my EC2 instance patched; but wanted a way to avoid having to manually update WordPress and all its plugins, templates, etc.

I know that it’s generally considered a bad idea to install updates without reading the patch notes, but I’m usually the kind of guy who clicks “Update” without reading them anyway – so, if you’re happy to take the risk, keep reading, otherwise, it’s probably best to update manually (ensuring you still apply your updates regularly!).

In short, the aim of this post is to document how to:

  • Configure WordPress to automatically update itself
  • Configure WordPress to automatically update plugins and themes
  • Run a Cron job to automatically trigger the WordPress update process

Patching WordPress

By default, WordPress will happily update minor versions. To apply major updates as well, you need to add the following to your wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

To patch plugins and themes, you need to add in some filters, which WordPress recommend you do in a custom plugin. They suggest a must-use plugin for this purpose, which can be configured by adding a “mu-plugins” folder to the “wp-content” directory

Within this folder, you can then create a php file containing the following:

Configuring Cron Jobs

Disable WP-Cron

As I wanted to use cron jobs to manage the update process for me, I disabled wp-cron by adding the following to the wp-config.php file:

define('DISABLE_WP_CRON', true);

Add a Crontab Entry

You can then add the following to the crontab file for the user you want to run the updates as (for ease, this could be “apache”, but I went with a custom user:

*/15 * * * * cd /var/www/html; php /var/www/html/wp-cron.php

This will run every 15 minutes and perform any other actions you have set to run with WP-Cron.

Force Updates

I found that I had issues with getting the updates to trigger reliably though, so discovered the following will force WordPress to update immediately:

About Adam Hiscocks

I'm an IT security consultant working for one of the UK's leading IT security consultancies. My main focus is on penetration testing, but am likely to write about anything computer related here. All thoughts are my own, not those of my employer. More Information