There are regular updates to WordPress or parts of it.
These updates can be installed at the push of a button via an FTP connection. Now FTP is notoriously unsafe, so it is important to pay attention to securing the FTP connection.

Permissions

First of all, we are going to put the security of the WordPress folders and files right. We create a user that we will use for FTP. We ensure that this user is not usable as normal user by nologin and without home directory.
Commands:
sudo groupadd wordpressftp
useradd wordpressftp -g wordpressftp -s /sbin/nologin -d /dev/null
Now the user is created, we will make this owner of all WordPress folders and files. However, the group www-data of the Apache webserver must be able to read those files in order to show the website. Command:
sudo chown -R wordpressftp:www-data /var/www/html/wordpress
However, there is one file that the FTP user can never read or change, so we correct the ownership:
sudo chown root: www-data /var/www/html/wordpress/wp-config.php


However, there is one file that the FTP user can never read or change, so we correct the ownership:
sudo chown root:www-data /var/www/html/wordpress/wp-config.php

Now that the ownership has been set, we must set the permissions correctly;
sudo find /var/www/html/wordpress/ -type d -exec chmod -R 750 {} \;
sudo find /var/www/html/wordpress/ -type f -exec chmod -R 640 {} \;

sudo find /var/www/html/wordpress/wp-content/ -type d -exec chmod -R 770 {} \;
sudo find /var/www/html/wordpress/wp-content/ -type f -exec chmod -R 660 {} \;

The uploads of Media is not done via FTP but via the web browser so write access is granted to the www-data group.
sudo find /mnt/raiddrive/wp-content/uploads/ -type d -exec chmod -R 770 {} \;
sudo find /mnt/raiddrive /wp-content/uploads/ -type f -exec chmod -R 660 {} \;
(Remember in the previous chapter the wp-content/uploads directory was moved to the raiddrive.)

Pure-FTPd

With the help of Pure-FTPd it is possible to set up a secure FTP.
Install Pure-FTPd: sudo apt-get install pure-ftpd.
Then create a virtual user under which the FTP connection will work:
sudo pure-pw useradd wordpressftpuser -u wordpressftp -g wordpressftp -d / var / www / html / wordpress -m
Give this user a strong password !!
Then create a user database for Pure-FTPd: sudo pure-pw mkdb
Furthermore, a link must be made to this data base.
sudo ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/60puredb
We want a mandatory user + password for creating an FTP connection. Check whether file /etc/pure-ftpd/conf/NoAnonymous exists with the following content: yes
Then restart Pure-FTPd: sudo service pure-ftpd restart

After this we can test from the PC whether this basic setup works. Preferably use an FTP client that provides insight into the commands that the Raspberry pi exchanges with the FTP client, so that you can analyze any error.

FTP + SSL/TLS

Now the FTP connection must be secured with the Letsencrypt certificate that is already used for the https connection of Nextcloud. The Certificates are in /etc/letsencrypt/archive/<domainname>.

Pure-FTPd can not simply reuse it, so a copy has to be made with command:
cat /etc/letsencrypt/archive/www.ealse.nl/privkey1.pem /etc/letsencrypt/archive/<domein>/fullchain1.pem > /etc/ssl/private/pure-ftpd.pem

Then put the right permission on pure-ftpd.pem with command:
chmod 600 /etc/ssl/private/*.pem

An FTP connection secured with certificates is an FTPS connection.
By default, FTPS uses port 22. However, this port is already used for the SFTP connection from WinSCP, so that conflicts. (Yes, really, FTPS is something different then SFTP). Pure-FTPd must therefore be linked to another port.
Create file /etc/pure-ftpd/conf/Bind. Put in this file the IP address of the Raspberry pi + the desired port; for example: 192.168.2.11.2222
(It may of course also be another free port.)

FTP always uses two different ports.

  1. A port for commands (which has just been put on port 2222).
  2. A port for sending data

FTP has two variants for determining the data port:

  1. Active mode, where the FTP client indicates which port it will be
    This is the default mod
  2. Passive mode, where the server determines the port

A Firewall or a network router only allows specific ports, so Passive mode is the mode that is needed.
Create file /etc/pure-ftpd/conf/PassivePortRange specifying the start and end ports that we want to allow for data traffic; for example: 40110 40120

In Passive mode, the server also specifies the IP address to which the connection must be made. By default this is the (unreachable) IP address in the local network. FTP clients such as FileZilla can handle this, but not the FTP client of WordPress. So we have to tell Pure-FTPd what the fixed IP address is that the Internet provider has connected to the router.
Create file: /etc/pure-ftpd/conf/ForcePassiveIP and set the fixed IP address of your router.

It must also be indicated that Pure-FTPd may only be used FTPS. Create file /etc/pure-ftpd/conf/TLS with the content of the number 2. (= cleartext sessions are refused and only TLS compatible clients are accepted.)
Then restart Pure-FTPd: sudo service pure-ftpd restart
You can not use FTPS until the correct ports are opened in the Raspberry pi Firewall:
sudo ufw allow 2222/tcp
sudo ufw allow 40110: 40120/tcp

Test with the FTP client of your PC if you can access the wordpress folder and that you can open all files except wp-config.php
If this works properly, you can open the ports 2222 and 40110: 40120 in the router and it must be possible to create an FTPS connection via your domain name. The WordPress update should now work.

WordPress can be configured so that it can make FTPS connection automatically.
Edit file /var/www/html/wordpress/wp-config.php and add:

/** FTP ugrade credentials. */
define( 'FTP_USER', 'wordpressftpuser' );
define( 'FTP_PASS', '<password>' );
define( 'FTP_HOST', '<domain>:2222' );
define( 'FTP_SSL', true );

After a restart of the Raspberry Pi, FTPs doesn’t function anymore. I am unable to find the cause.
As a workaround I restart the service: sudo service pure-ftpd restart