vps

Keeping the Server Updated Safely

How to update Rocky Linux system packages, Nginx, PHP, and MariaDB without taking down a live WordPress site — and what to do when an update breaks something.

Published
· 3 min read · Steven Doan ·
updatesrocky-linuxvpssecurityoperationsdnfbeginners
Terminal showing dnf update output with package list and no errors

Keeping system packages updated is security hygiene. Outdated packages with known vulnerabilities are how servers get compromised — not through clever attacks, but through unpatched software that attackers scan for routinely.

The update itself takes under five minutes. The risk is low but real: occasionally an update introduces a conflict. The snapshot eliminates that risk entirely.

Before Every Update — Take a Snapshot

# In Vultr dashboard: Servers → your server → Snapshots → Take Snapshot

Or via Vultr CLI if you have it configured. Takes 2–5 minutes depending on disk size.

Once the snapshot exists, you can update with confidence. If anything breaks, restore takes less time than the update itself.

The Standard Update

# Check what would be updated first (dry run)
sudo dnf check-update

# Apply all updates
sudo dnf update -y

Watch the output for kernel package updates — lines containing kernel in the package name:

kernel                   5.14.0-427.20.1.el9_4   baseos
kernel-core              5.14.0-427.20.1.el9_4   baseos

If kernel packages were updated, reboot to apply them:

sudo reboot

Reconnect via SSH after ~60 seconds and verify services:

systemctl is-active nginx php-fpm mariadb redis

All should show active.

Updating PHP Version (Minor Updates)

PHP minor version updates (8.3.1 → 8.3.8) happen through the Remi repository automatically with dnf update. These are safe in almost all cases.

PHP major version upgrades (8.2 → 8.3) require explicit steps:

sudo dnf module reset php -y
sudo dnf module enable php:remi-8.3 -y
sudo dnf update php* -y
sudo systemctl restart php-fpm

After a PHP version upgrade, check WordPress is working and check the debug log:

sudo tail -20 /var/www/yourdomain.com/wp-content/debug.log

Plugin compatibility issues show up here immediately. If a plugin throws a fatal error on the new PHP version, update that plugin first — or roll back to the snapshot and wait for the plugin developer to update.

Update Frequency Recommendation

Security updates — apply within a week of release. Rocky Linux separates security updates:

# Apply security updates only
sudo dnf update --security -y

All updates — monthly is sufficient for a personal server. Weekly if you prefer.

Never auto-update everything unattended on a production server with live WordPress sites. Unattended upgrades work well on servers with nothing on them. On a VPS running sites people visit, you want to be present when something updates — so you can catch any issues immediately.

When an Update Breaks Something

Symptoms: site returns 502 or 500 error after update, services fail to start.

Step 1 — Check what broke:

sudo systemctl status nginx php-fpm mariadb
sudo tail -20 /var/log/nginx/error.log
sudo journalctl -u php-fpm --no-pager | tail -20

Step 2 — If it’s a PHP-plugin conflict:

Enable debug log temporarily:

sudo nano /var/www/yourdomain.com/wp-config.php
# Set: define( 'WP_DEBUG', true );
# Set: define( 'WP_DEBUG_LOG', true );
# Set: define( 'WP_DEBUG_DISPLAY', false );

Reload the page. Check /wp-content/debug.log for which plugin is throwing the error. Update or deactivate that plugin.

Step 3 — If the issue isn’t clear, restore the snapshot:

Vultr dashboard → Snapshots → Restore. Server is back to pre-update state in under 5 minutes. Investigate from there.

This is the value of taking the snapshot before updating. The worst case is a 5-minute rollback, not hours of debugging.