Auto update wordpress plugins using WP-CLI

Posted on August 11, 2017 by rolandow

After installing Wordfence to all of my wordpress sites, I receive a dozen e-mails a day about plugins that should be updated. I don’t use many plugins, so usually I just go ahead and update them with wp-cli, because I feel they are safe to update. Main advantage of the wp-cli is that I don’t get http timeouts or stuff like that.

Updating all the plugins for multiple sites (I think I have about 10 of them) did become a repetitive task, so I wrote a little shell script for it. Of course you have to make sure that all the websites can be auto updated, or if there may be a plugin that will break after an update. So only use this if you are certain you just want to go ahead and take a little risk of breaking things.

I added an .auto-update file in each document root of the site I want to update automatically. I changed the owner permissions of .auto-update to root:webuser so that the webuser cannot remove this file, but still I can use this file to determine the owner of the wp-content folders. I need this to change the ownership back to the website owner after updating.

Very simple and easy script, but well, the stackoverflow generation (myself included) just loves to copy ans paste right? ;-)

#!/bin/bash
for wppath in $(find /home/ -name '.auto-update');
do
  echo $wppath
  dirname=$(dirname "${wppath}")
  owner=`stat -c "%G" $wppath`
  /usr/local/sbin/wp-cli.phar --allow-root --path=$dirname plugin update --all
  chown -R $owner:$owner $dirname/wp-content
done

#!/bin/bash

for wppath in $(find /home/ -name '.auto-update');

echo $wppath

dirname=$(dirname "${wppath}")

owner=`stat -c "%G" $wppath`

/usr/local/sbin/wp-cli.phar --allow-root --path=$dirname plugin update --all

chown -R $owner:$owner $dirname/wp-content

done

I put this script in my /root folder with 700 permissions. I didn’t put this in a cronjob, I keep monitoring the e-mails that Wordfence sends me to see if I need to take action.

Fail2Ban on CentOs 6.6 with SELinux

Posted on March 5, 2015 by rolandow

So, I kind of manage a server for somebody else, running on CentOS and Plesk. Today I found out again why I hate this combo so much. The box auto-updates Plesk and other stuff, and all of the sudden my fail2ban wasn’t working anymore. I accidently found out because of all the password errors in de syslog.

Turns out there is a problem with SELinux. I have heard of that name before, but never knew what it was or what it did. Now I do, although I still don’t really understand. All I wanted was to get fail2ban running again.

So when you google for SELinux and fail2ban you get a lot of posts about this error. The suggestion I saw most was to run sudo /sbin/restorecon -v -R -F /sbin but for me this had no effect. The label was still bin_t after that.

Then I tried to create my own module. This didn’t succeed in the beginning, but after adding and adding stuff from the log, I finally got to the point where a restart of fail2ban didn’t give me errors. First I had to install audit2allow, because that wasn’t on my system.

Eventually, I came up with this. Save this under /root/myFail2ban.te :

module myFail2ban 1.0;

require {
        type mail_spool_t;
        type insmod_exec_t;
        type home_root_t;
        type var_t;
        type auditd_log_t;
        type fail2ban_t;
        type sendmail_t;
        type sysfs_t;
        type inotifyfs_t;
        type postfix_cleanup_t;
        type ldconfig_exec_t;
        type tmp_t;
        type sysctl_modprobe_t;
        type system_cronjob_lock_t;
        type system_mail_t;
        type sysctl_kernel_t;
        type postfix_master_t;
        class capability { net_admin net_raw };
        class lnk_file read;
        class dir { read search getattr };
        class file { execute read execute_no_trans write getattr open };
        class rawip_socket { setopt getopt create };
}

#============= fail2ban_t ==============
allow fail2ban_t auditd_log_t:dir { getattr search };
allow fail2ban_t auditd_log_t:file read;
allow fail2ban_t home_root_t:dir search;
allow fail2ban_t insmod_exec_t:file { read execute open };
allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans };
allow fail2ban_t self:capability { net_admin net_raw };
allow fail2ban_t self:rawip_socket { setopt getopt create };
allow fail2ban_t sysctl_kernel_t:dir search;
allow fail2ban_t sysctl_modprobe_t:file read;
allow fail2ban_t sysfs_t:dir search;

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t var_t:lnk_file read;

#============= postfix_master_t ==============
allow postfix_master_t mail_spool_t:file read;
allow postfix_master_t var_t:lnk_file read;

#============= sendmail_t ==============
allow sendmail_t system_cronjob_lock_t:file { read write };
allow sendmail_t tmp_t:file write;
allow sendmail_t var_t:file write;

#============= system_mail_t ==============
allow system_mail_t inotifyfs_t:dir read;
allow system_mail_t var_t:file write;
allow system_mail_t var_t:lnk_file read;

module myFail2ban 1.0;

require {

type mail_spool_t;

type insmod_exec_t;

type home_root_t;

type var_t;

type auditd_log_t;

type fail2ban_t;

type sendmail_t;

type sysfs_t;

type inotifyfs_t;

type postfix_cleanup_t;

type ldconfig_exec_t;

type tmp_t;

type sysctl_modprobe_t;

type system_cronjob_lock_t;

type system_mail_t;

type sysctl_kernel_t;

type postfix_master_t;

class capability { net_admin net_raw };

class lnk_file read;

class dir { read search getattr };

class file { execute read execute_no_trans write getattr open };

class rawip_socket { setopt getopt create };

}

#============= fail2ban_t ==============

allow fail2ban_t auditd_log_t:dir { getattr search };

allow fail2ban_t auditd_log_t:file read;

allow fail2ban_t home_root_t:dir search;

allow fail2ban_t insmod_exec_t:file { read execute open };

allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans };

allow fail2ban_t self:capability { net_admin net_raw };

allow fail2ban_t self:rawip_socket { setopt getopt create };

allow fail2ban_t sysctl_kernel_t:dir search;

allow fail2ban_t sysctl_modprobe_t:file read;

allow fail2ban_t sysfs_t:dir search;

#============= postfix_cleanup_t ==============

allow postfix_cleanup_t var_t:lnk_file read;

#============= postfix_master_t ==============

allow postfix_master_t mail_spool_t:file read;

allow postfix_master_t var_t:lnk_file read;

#============= sendmail_t ==============

allow sendmail_t system_cronjob_lock_t:file { read write };

allow sendmail_t tmp_t:file write;

allow sendmail_t var_t:file write;

#============= system_mail_t ==============

allow system_mail_t inotifyfs_t:dir read;

allow system_mail_t var_t:file write;

allow system_mail_t var_t:lnk_file read;

Now, as root, compile this thing. Enter this while you are in /root:

make -f /usr/share/selinux/devel/Makefile

Output should be something like this:
[root@web ~]# make -f /usr/share/selinux/devel/Makefile Compiling targeted myFail2ban module /usr/bin/checkmodule: loading policy configuration from tmp/myFail2ban.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/myFail2ban.mod Creating targeted myFail2ban.pp policy package rm tmp/myFail2ban.mod.fc tmp/myFail2ban.mod

Now, enable the module:

semodule -i myFail2ban.pp

Restart fail2ban and check your fail2ban logs for errors, and your /var/log/audit/audit.log if ACL’s are still denied. This worked for me, with just the ssh jail active. Maybe if you enable other jails, extra acl’s are needed to those logfiles.

If it doesn’t work, you probably want to remove the module again. Just type:

semodule -r myFail2ban

You can list all active modules with semodule -l.

WP All Import cron from CLI (update)

Posted on November 25, 2014 by rolandow

My previous post about executing the WP All Import cron jobs with PHP cli didn’t work too well. Apparently the processing part still stops executing after a while. I ended up with import jobs stating “last activity 5 hours ago”.

Still I don’t want to run this through the webserver. So I wrote a little wrapper shell script to execute my imports in cron. It checks if the line “is not triggered” was partially returned. The wp cron script would return “<p>Import #26 is not triggered. Request skipped.</p>” if you execute the processing action without triggering it first. In other words: the import is really complete now.

I put the shell script outside my document root, and it uses the “logs” directory to store the log files. So make sure this directory is writable and points to the right path.

#!/bin/bash
 
while getopts ":j:" opt; do
  case $opt in
    j)
      jobId=$OPTARG
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      ;;
   :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
  esac
done

if [ "$jobId" = "" ]; then
  echo No job id
  exit 1
fi

# Set magic variables for current FILE & DIR
__FILE__="$(test -L "$0" && readlink "$0" || echo "$0")"
__DIR__="$(cd "$(dirname "${__FILE__}")"; echo $(pwd);)"
LOGFILE="${__DIR__}/logs/wpai_cron_${jobId}.log"
CURLOG="${__DIR__}/logs/wpai_cron_${jobId}_current.log"
DONE=0

function log {
  echo "$(date): $*" >>$LOGFILE
}


log "Start import for jobID $jobId"

cd $__DIR__/public_html
php -e -r 'parse_str("import_key=xxYourKeyxx&import_id='$jobId'&action=trigger", $_GET); include "wp-cron.php";' >>$LOGFILE 2>&1
sleep 1

while [ $DONE -eq 0 ]
do
  php -e -r 'parse_str("import_key=xxYourKeyxx&import_id='$jobId'&action=processing", $_GET); include "wp-cron.php";' >$CURLOG 2>&1
  cat $CURLOG >>$LOGFILE
  DONE=$(grep 'is not triggered' $CURLOG | wc -l)
  sleep 1
done
rm $CURLOG

log "End of import for jobId $jobId"
log ""
log ""

#!/bin/bash

while getopts ":j:" opt; do

case $opt in

jobId=$OPTARG

;;

\?)

echo "Invalid option: -$OPTARG" >&2

;;

echo "Option -$OPTARG requires an argument." >&2

exit 1

;;

esac

done

if [ "$jobId" = "" ]; then

echo No job id

exit 1

# Set magic variables for current FILE & DIR

__FILE__="$(test -L "$0" && readlink "$0" || echo "$0")"

__DIR__="$(cd "$(dirname "${__FILE__}")"; echo $(pwd);)"

LOGFILE="${__DIR__}/logs/wpai_cron_${jobId}.log"

CURLOG="${__DIR__}/logs/wpai_cron_${jobId}_current.log"

DONE=0

function log {

echo "$(date): $*" >>$LOGFILE

}

log "Start import for jobID $jobId"

cd $__DIR__/public_html

php -e -r 'parse_str("import_key=xxYourKeyxx&import_id='$jobId'&action=trigger", $_GET); include "wp-cron.php";' >>$LOGFILE 2>&1

sleep 1

while [ $DONE -eq 0 ]

php -e -r 'parse_str("import_key=xxYourKeyxx&import_id='$jobId'&action=processing", $_GET); include "wp-cron.php";' >$CURLOG 2>&1

cat $CURLOG >>$LOGFILE

DONE=$(grep 'is not triggered' $CURLOG | wc -l)

sleep 1

done

rm $CURLOG

log "End of import for jobId $jobId"

log ""

Now just put this in your /etc/cron.d/yoursite:

#
# Run product imports every morning at 6 am
#
0   6 * * *    yourwebsite    /home/yourwebsite/wpai_cron.sh -j 26
5   6 * * *    yourwebsite    /home/yourwebsite/wpai_cron.sh -j 27
10  6 * * *    yourwebsite    /home/yourwebsite/wpai_cron.sh -j 28

# Run product imports every morning at 6 am

0 6 * * * yourwebsite /home/yourwebsite/wpai_cron.sh -j 26

5 6 * * * yourwebsite /home/yourwebsite/wpai_cron.sh -j 27

10 6 * * * yourwebsite /home/yourwebsite/wpai_cron.sh -j 28

Rolandow's development blog

my external memory

Category Archives: Linux

Auto update wordpress plugins using WP-CLI

Fail2Ban on CentOs 6.6 with SELinux

WP All Import cron from CLI (update)