diff --git a/CHANGELOG.md b/CHANGELOG.md
index b4ba45ead0f616ae25cd53f4a2e563150550fe20..3ef29cfb79450397d03670ef611a69e3cc621a5f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## [0.1.3] - 2020-06-18
+
+* Only set imagePullSecrets if the corresponding helm value is set.
+* Run apache as non-root user, and listen on port 8080 inside the docker
+  container.
+
 ## [0.1.2] - 2020-06-09
 
 * Moved repository to open.greenhost.net/openappstack/wordpress-helm
diff --git a/Chart.yaml b/Chart.yaml
index 87e8892c2b83dfd37998312d707487bfdc3b3683..b6ec1e5c32b16b1dd654fc5f195231f5918d5d09 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -5,5 +5,5 @@ description: WordPress with a replicated MariaDB backend
 name: wordpress
 # Please only change the chart version as part of the release procedure: see
 # RELEASING.md
-version: 0.1.2
+version: 0.1.3
 icon: https://make.wordpress.org/design/files/2016/09/WordPress-logotype-wmark.png
diff --git a/RELEASING.md b/RELEASING.md
index 8e523dbae6d62debfbe6c81e921d7bfb5555ce50..bc59eac941dab2f4371bcb2f4e61df8e3bd2df61 100644
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -2,6 +2,7 @@
 
 When releasing a new version of the wordpress-helm chart, please remember to do
 the following:
+* update `CHANGELOG.md`;
 * change the chart version in `Chart.yaml`;
 * change the default `image.tag` and `initImage.tag` in `values.yaml` to the new
   version (e.g., "0.1.3");
diff --git a/install.sh.example b/install.sh.example
old mode 100755
new mode 100644
index e4676e4eb16c3710ee5aa8473faa98c367ab3cff..14a6b50d124eb2b387949e7011c8dd665c1161f3
--- a/install.sh.example
+++ b/install.sh.example
@@ -1,12 +1,15 @@
 #!/bin/bash
 
-# Use this installation script as an example for easy installation. Copy it to
-# `install.sh` and edit the values file names if you need to.
+# You can use this installation script to install production ready clusters.
+# Make sure to create `values-local.yaml` and edit the values to reflect your
+# website.
+
+# Edit the `releaseName` variable below  if you want to release several
+# production sites.
 
 set -v
 
-# Makes sure you use docker image tags for the branch you're working on now
-. variables.sh
+releaseName="wordpress-production"
 
 # Upgrade or install application using the current git branch as docker tag
-helm upgrade $releaseName . --install -f values-local.yaml --set initImage.tag=$dockerTag --set image.tag=$dockerTag
+helm upgrade $releaseName . --install -f values-local.yaml
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
index 945618bdbb43184c7b0859c3356e94603b79e4c6..d2c3c0ac7c5c1788251ed5db2ab7fc1fb0e40135 100644
--- a/templates/statefulset.yaml
+++ b/templates/statefulset.yaml
@@ -27,8 +27,10 @@ spec:
         {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.initImage.imagePullSecretName }}
       imagePullSecrets:
         - name: {{ .Values.initImage.imagePullSecretName }}
+      {{- end }}
       initContainers:
         - name: init-{{ .Chart.Name }}
           image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
@@ -67,11 +69,14 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            runAsUser: 33
+            runAsGroup: 33
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
             - name: https
-              containerPort: 443
+              containerPort: 8443
           {{- if .Values.livenessProbe.enabled }}
           livenessProbe:
             httpGet:
diff --git a/test-install.sh.example b/test-install.sh.example
new file mode 100755
index 0000000000000000000000000000000000000000..8d87c84a28ad5c5fa707be5cc40a0fef1fadd5b5
--- /dev/null
+++ b/test-install.sh.example
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Use this installation script to test development branches. It will
+# automatically set the docker tags to tags generated by the CI system.
+# Copy this script to `test-install.sh` and edit the values file names if you
+# need to.
+# Make sure you configure the helm chart by copying `values-local.yaml.example`
+# to `values-local.yaml` and editing it.
+
+
+set -v
+
+# Makes sure you use docker image tags for the branch you're working on now
+. variables.sh
+
+# Upgrade or install application using the current git branch as docker tag
+helm upgrade $releaseName . --install -f values-local.yaml --set initImage.tag=$dockerTag --set image.tag=$dockerTag
diff --git a/values-local.yaml.example b/values-local.yaml.example
index 31047f5aaf145f1a890d022f983d4650a69e5af0..47fc9201b50ff1f17116072019d4a1b63b45f2ec 100644
--- a/values-local.yaml.example
+++ b/values-local.yaml.example
@@ -66,7 +66,7 @@ wordpress:
 
   ## mu_plugins are installed as hidden and cannot be updated from the UI
   ## mu_dir  'mu-plugins' maps to wp-content/mu-plugins
-  ## mu_plugins supplies a detailed list of mu values and plugins with versions 
+  ## mu_plugins supplies a detailed list of mu values and plugins with versions
 
   mu_plugins_enabled: false
   mu_plugins_dir: mu-plugins
@@ -75,8 +75,8 @@ wordpress:
        name: Block Bad Queries
        version: 20200319
        phpfile: block-bad-queries.php
-  
-  ## Enable externally triggered cron for an MU cron plugin 
+
+  ## Enable externally triggered cron for an MU cron plugin
   # NOTE: A value for mu_cron_enabled must be set. Select either true or false
   # NOTE: This cron must be triggered by a call you have set up outside the server
   mu_cron:
@@ -162,7 +162,7 @@ redis:
 #   enabled: true
 #   # Example annotation to make cert-manager manage the TLS certificates for
 #   # this ingress (Don't supply crt and key to the tls config in this case).
-#   # annotations: 
+#   # annotations:
 #   #   kubernetes.io/tls-acme: "true"
 #   path: /
 #   hosts:
@@ -173,7 +173,7 @@ redis:
 #       secretName: wordpress-cert
 #       crt: |
 #         Optionally insert your certificate here, it will be saved as a
-#         Kubernetes secret. You can insert the whole certificate chain here. 
+#         Kubernetes secret. You can insert the whole certificate chain here.
 #         NOTE: Don't do this if you use cert-manager to get your certificates!
 #       key: |
 #         If you use a custom certificate, insert your TLS key here, it will be
diff --git a/values.yaml b/values.yaml
index b0fba87b8c2e957c40f35d6b4fe0700916fd948d..3dc9c4a6b8725053f65aea837003b9b873af543c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -88,7 +88,7 @@ wordpress:
     theme_fallback: twentytwenty
     # NOTE: Make sure you use underscore and that the localisation is in full caps
     locale: en_US
-    version: 5.4.1
+    version: 5.4.2
     url: "http://localhost"
     title: "Wordpress Helm"
     ## If including a plugin to alias wp login then set a path for alt and also set the config 
@@ -174,12 +174,12 @@ wpSalts: {}
 
 image:
   repository: open.greenhost.net:4567/openappstack/wordpress-helm/wordpress
-  tag: 0.1.2
+  tag: 0.1.3
   pullPolicy: Always
 
 initImage:
   repository: open.greenhost.net:4567/openappstack/wordpress-helm/wordpress-cli-ansible
-  tag: 0.1.2
+  tag: 0.1.3
   pullPolicy: Always
 
 ingress:
diff --git a/wp-docker/Dockerfile b/wp-docker/Dockerfile
index 77a0c26b84c131f7722a1c27573277b809a3b6d9..315c7ae2eefc822e5b18198a0f5dd8cf0ecefdc3 100644
--- a/wp-docker/Dockerfile
+++ b/wp-docker/Dockerfile
@@ -15,3 +15,9 @@ RUN a2enmod rewrite expires
 RUN pecl install -o -f redis \
     && rm -rf /tmp/pear \
     && docker-php-ext-enable redis
+
+# Do not use a privileged port for Apache so it can run as non-root
+ENV PORT 8080
+ENV TLS_PORT 8443
+RUN sed -i "s/\<80\>/$PORT/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
+RUN sed -i "s/\<443\>/$TLS_PORT/g" /etc/apache2/sites-available/default-ssl.conf /etc/apache2/ports.conf