
WP Toolkit - Product News

Hi everyone,

WP Toolkit v6.2 is out. Changelog:

6.2.0 (12 Apr 2023)

  • [+] Added new API methods for working with plugins and themes on an installation
  • [+] (cPanel) Extended Team Manager feature support
  • [+] (cPanel) Added AlmaLinux 9 support
  • [+] Added help output for the updated --clear-cache CLI command
  • Adjusted the logic of displaying warnings about outdated PHP versions to make sure alt-php doesn't incorrectly trigger them anymore
  • (Plesk) Updated integration with Dynamic list to accommodate for corresponding changes in Plesk
  • [-] WP Toolkit no longer shows Failed to find set with specified ID error when installing WordPress under certain rare circumstances. (EXTWPTOOLK-9898)
  • [-] Unaccessible free trial offer is no longer displayed for Smart Updates. (EXTWPTOOLK-10312)
  • [-] Once mitigated via WP Toolkit, CVE-2022-3590 vulnerability is now always properly shown as mitigated. (EXTWPTOOLK-10298)
  • [-] Smart Update no longer reports certain combinations of square brackets as a false positive "broken shortcode" issue. (EXTWPTOOLK-10050)
 
@custer

In my humble opinion, you should really consider to

1 - give a roadmap of planned future premium features that will be included in WPT Deluxe

2 - give an option for Plesk license holders and/or endusers to give the WPT Deluxe a try during a brief period of time......


I hope that you can at least share some insight into the expected roadmap of WPT Deluxe .......

Kind regards....

Hey trialotto,
1. Good point. We don't have a roadmap to share at the moment, but we should, as such transparency should help users make the decision.
2. In-product trial is definitely on the roadmap.
 
@custer

I have been probably missing some of the new developments with respect to WPT, but is there any support for the wc cli (WooCommerce command line) utility that normally is supported by the wp cli (WordPress command line) utility? I could not find that in the release notes - after a very quick check.

In essence, the WPT does not update the WooCommerce database after WooCommerce updates that require WooCommerce database updates.

It would be really good if that (and other wc cli) functionality is available by default in the WPT.

Kind regards....
 

6.2.1 (13 April 2023)

  • [-] Login to WordPress from Dynamic List now properly works again. (EXTWPTOOLK-10409)
 
Hi trialotto, thanks for letting me know -- we'll look into it.
 
Hey everyone, here's the long-awaited WP Toolkit version 6.3! Here's the changelog:

6.3.0 (27 Mar 2024)

  • [+] Added integration with Wordfence vulnerability database:
    • WP Toolkit now displays combined information from Patchstack and Wordfence vulnerability databases, with links to both services
    • Some vulnerability entries might happen to be duplicates, but we're working on merging them as well
  • [+] Introducing new vulnerability management UI based on WP Guardian
  • [+] Added the ability to filter out vulnerabilities based on their CVSS score to reduce alert fatigue
  • [+] (Plesk) Full-featured integration of WP Toolkit into Plesk Dynamic list is now available:
    • Most WP Toolkit features are now accessible directly from Dynamic list in Plesk without having to visit the separate WP Toolkit interface
    • Mass management operations are not in scope of this integration, please use the separate WP Toolkit interface for them
    • To enable this feature, add appModeFeature = on under the [ext-wp-toolkit] section of the panel.ini file
  • [+] Added a link to Codeable platform for site admins:
    • Codeable provides access to WordPress experts and developers for WordPress site administrators
    • Unlike many freelancers, Codeable experts and developers will never recommend against the current host
    • To hide the link to Codeable, add codeableIntegrationFeature = off under the corresponding section of the panel.ini (Plesk) or config.ini (cPanel) file.
    • To put your company's name on the Codeable landing page, add codeableUrlCustomer = your company name under the corresponding section of the panel.ini (Plesk) or config.ini (cPanel) file.
  • [+] Added API for managing WordPress backups
  • [+] Added API for managing Sets
  • [+] Backup file name and timestamp are now added to the corresponding meta.json file
  • [+] Backup API now allows to add an arbitrary description to the corresponding meta.json file
  • [+] (cPanel) WP Toolkit now works on Ubuntu 22.04
  • Security improvements
  • Minor assorted improvements to Maintenance Mode
  • Improved WordPress installation speed on CloudLinux OS
  • Reduced memory consumption when working with vulnerabilities
  • (cPanel) Improved WP Toolkit performance via opcache shenanigans
  • (cPanel) Improved WP Toolkit responsiveness in case of cPanel user account modifications
  • [-] Fixed a bunch of PHP errors and notices appearing in server-level log files
  • [-] WP Toolkit now honestly reports if a site could not be added after the scan due to improper directory ownership. (EXTWPTOOLK-9679)
  • [-] Scan info message now provides info about reattaching a previously detached site. (EXTWPTOOLK-10109)
  • [-] Autoupdate policies are now properly applied to plugins and themes installed via set. (EXTWPTOOLK-10699)
  • [-] Mitigate action is no longer displayed for vulnerabilities that cannot be addressed by security measures. In fact, since the interface was reworked, this action does not appear at all because it was renamed to Apply security measure. (EXTWPTOOLK-11390)
  • [-] Scheduled task execution no longer overlaps on servers with thousands of sites. (EXTWPTOOLK-11017)
  • [-] Maintenance mode timer is now limited to a maximum of 99 days because come on, really!? (EXTWPTOOLK-11181)
  • [-] (cPanel) Smart PHP Update is no longer unable to find the right PHP version on the server. (EXTWPTOOLK-10701)
  • [-] (cPanel) Multiple Smart PHP Update processes can now be launched simultaneously. (EXTWPTOOLK-10958)
  • [-] (cPanel) Customers can now run scan procedure without getting disappointed by the Task is not responding, error code 1 error. (EXTWPTOOLK-11184)
  • [-] (cPanel) Removed banner in WHM about WP Toolkit Deluxe not being enabled in any packages. (EXTWPTOOLK-10468)
 
Great to see the updates to the WordPress Toolkit!
Can I check one thing though, is there any more information that can be given about the following entry:
[+] (Plesk) Full-featured integration of WP Toolkit into Plesk Dynamic list is now available
 
Is there any more info on how this new feature works, as I can't seem to work out where or how to apply the filter in the Toolkit or Plesk notifications pages?

  • [+] Added the ability to filter out vulnerabilities based on their CVSS score to reduce alert fatigue
 
@custer

Two questions:

1 - any update on wc cli (WooCommerce command line utility) integration?

2 - can you have a look at migration consistency?


With respect to question 2, please note that migration of a WPT managed WP instance to a target server CAN result in notifications (on the target server) of

Website "" (<full path>): Failed to reset cache for the instance #8: Error: This does not seem to be a WordPress installation.
The used path is: <path>
Pass --path=`path/to/wordpress` or run `wp core download`.

even in the case that these messages are not showing on the source server.

This is unpredicted migration behavior, very likely to be the result of how WPT manages and shows issues on both source and target server.

Moreover, it is "dangerous" behavior, since the migrated WP instance might not or often does not work as expected within WPT on the target server.

Could you be so kind as to have a look?


Kind regards.....
 
Great to see the updates to the WordPress Toolkit!
Can I check one thing though, is there any more information that can be given about the following entry:
[+] (Plesk) Full-featured integration of WP Toolkit into Plesk Dynamic list is now available

A picture says more than a thousand words. Two screen shots for comparison.

Old WP Toolkit integration into Plesk Dynamic list
Schermafbeelding 2024-04-03 201242.png

New (Full-featured integration of WP Toolkit into Plesk Dynamic list)
Schermafbeelding 2024-04-03 201102.png
 
Is there any more info on how this new feature works, as I can't seem to work out where or how to apply the filter in the Toolkit or Plesk notifications pages?

  • [+] Added the ability to filter out vulnerabilities based on their CVSS score to reduce alert fatigue

Open the WP toolkit and open the Settings to adjust the CVSS score.
Schermafbeelding 2024-04-03 201712.png
 
@Kaspar
We have set a default via settings but it doesn't appear the filter is applied. Seems to be off by default for all users? I'd assumed when set it would be applied to all, perfectly happy for them to be able to change it up / down to taste. I couldn't see a toggle to enable filtering by default.
Untitled.jpg
Side note: When a filter is applied and there are no CVSS above the threshold it says 'No vulnerabilities found' this is perhaps misleading and could be improved to indicate some were filtered out as I could easily see many not being aware. Especially if they cranked it up really high.

Otherwise I really think this is a great improvement.

One last suggestion, have you considered making it possible to compare plugins and theme checksum with source similar to what you have for the WordPress core?
 
@Kaspar
We have set a default via settings but it doesn't appear the filter is applied. Seems to be off by default for all users? I'd assumed when set it would be applied to all, perfectly happy for them to be able to change it up / down to taste. I couldn't see a toggle to enable filtering by default.
I've only briefly played with the CVSS filter and hadn't noticed this yet. I also would have assumed that the filter setting would be applied to all instances.

Side note: When a filter is applied and there are no CVSS above the threshold it says 'No vulnerabilities found' this is perhaps misleading and could be improved to indicate some were filtered out as I could easily see many not being aware. Especially if they cranked it up really high.
Otherwise I really think this is a great improvement.
Hmm, yeah agreed. @custer?

One last suggestion, have you considered making it possible to compare plugins and theme checksum with source similar to what you have for the WordPress core?
Not really, to be honest. I am not on the Plesk team nor employed by Plesk. :) Good suggestion though.
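
An added example, not part of the thread and not WP Toolkit's own code: it sketches the two behaviours discussed above, merging duplicate entries that arrive from two vulnerability feeds and applying a CVSS threshold while still reporting how many entries the filter hid, so an empty list is not mistaken for a clean site. The record layout, function names and sample entries (including the CVE ids) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    source: str            # feed name, e.g. "patchstack" or "wordfence"
    component: str         # plugin or theme slug
    cve: Optional[str]     # CVE id when the feed supplies one
    title: str
    cvss: float


@dataclass
class Merged:
    component: str
    title: str
    cvss: float
    sources: set = field(default_factory=set)


# Constructed sample data; slugs and CVE ids are placeholders, not real advisories.
SAMPLE = [
    Entry("patchstack", "example-forms", "CVE-0000-1001", "SQL injection", 6.5),
    Entry("wordfence", "example-forms", "cve-0000-1001", "SQLi in form handler", 6.1),
    Entry("wordfence", "example-gallery", None, "Stored XSS", 4.3),
    Entry("patchstack", "example-gallery", None, "stored  xss ", 4.3),
    Entry("patchstack", "example-theme", "CVE-0000-1002", "Auth bypass", 9.8),
]


def _key(e: Entry) -> tuple:
    # Prefer the CVE id; fall back to component plus a whitespace/case-normalised title.
    if e.cve:
        return ("cve", e.component.lower(), e.cve.upper())
    return ("title", e.component.lower(), " ".join(e.title.lower().split()))


def merge(entries: Iterable[Entry]) -> List[Merged]:
    """Collapse duplicates across feeds, keeping the highest CVSS score seen."""
    merged = {}
    for e in entries:
        m = merged.setdefault(_key(e), Merged(e.component, e.title, e.cvss))
        m.cvss = max(m.cvss, e.cvss)
        m.sources.add(e.source)
    return sorted(merged.values(), key=lambda m: -m.cvss)


def apply_filter(merged: List[Merged], threshold: float) -> Tuple[List[Merged], int]:
    """Return the entries at or above the threshold and the number hidden."""
    shown = [m for m in merged if m.cvss >= threshold]
    return shown, len(merged) - len(shown)


def status_line(shown: List[Merged], hidden: int, threshold: float) -> str:
    """Distinguish 'nothing found' from 'everything was filtered out'."""
    if shown:
        note = f" ({hidden} below CVSS {threshold} hidden)" if hidden else ""
        return f"{len(shown)} vulnerabilities shown{note}"
    if hidden:
        return f"No vulnerabilities at or above CVSS {threshold}; {hidden} hidden by filter"
    return "No vulnerabilities found"


if __name__ == "__main__":
    for t in (0.0, 7.0, 10.0):
        print(status_line(*apply_filter(merge(SAMPLE), t), t))
```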
 
Hi everyone, here's the changelog for the WP Toolkit v6.4, just out:

6.4.0 (11 Jun 2024)

  • [+] Introducing Vulnerability Protection: a new security feature for WordPress websites provided as a part of WP Guardian offer. Vulnerability protection is a non-invasive, automated, lightweight way to neutralize vulnerabilities in WordPress plugins, themes, and WordPress core. Once enabled on a site, vulnerability protection neutralizes high and medium risk vulnerabilities automatically whenever they appear without any need for user engagement.
    • A WordPress plugin will be installed when protection is enabled to automatically neutralize dangerous vulnerabilities by applying special protection rules.
    • Protection rules work like a firewall, so they never touch or modify the site code.
    • Protection rules are applied and removed only for specific vulnerabilities on any given site, so they have minimal effect on site performance.
    • This feature and its corresponding upsell prompts are not visible to control panel users by default. Only the server administrator can see it.
    • You can control the access to this feature via separate limit in your Service Plans (Plesk) or Packages (cPanel).
    • Vulnerability protection is a part of the security suite provided by WP Guardian platform. It requires purchasing a separate license called either WP Guardian (Plesk addon) or WP Guardian (cPanel addon), depending on your control panel.
    • WP Guardian (Plesk addon) is an upgraded version of WP Toolkit Deluxe bundle, combining all previous Deluxe features with Vulnerability Protection (and with more features to be included in the future).
    • WP Guardian (cPanel addon) only includes Vulnerability Protection, as all other features are already available in WP Toolkit on cPanel by default.
    • The technical name of this feature is virtual patching, and it's powered by Patchstack. Protection rules (also known as virtual patches) are released for high-to-medium-risk vulnerabilities present in Patchstack vulnerability database
  • [+] CVSS rating used for ranking and sorting vulnerabilities was replaced with Risk rank
    • Risk rank is an aggregate rating of vulnerability impact based on CVSS rating, EPSS rating, Patchstack Patch Priority and other factors
    • Vulnerability filtering feature was changed from specifying a CVSS score threshold to a simple knob for ignoring low-risk vulnerabilities
    • Low-risk vulnerabilities are now ignored by default on all websites after the upgrade to WP Toolkit v6.4
  • [+] Added the ability to change the destination of "Hire a developer" link or hide it completely in global WP Toolkit Settings
  • [+] (cPanel) Server administrators can now automatically provision WordPress and sets for user accounts
    • New autoprovisioning options were added to Packages interface as a Package Extension
    • A separate option allows admin to automatically install the latest version of WordPress when a new user account is created
    • A set of plugins & themes can also be selected for automatic installation.
    • Note: selected set will be installed every time when WordPress itself is installed.
  • [+] Must-use plugins are now correctly displayed in the list of plugins with corresponding tags
  • [-] WP Toolkit no longer stops working with Initial data load error: some required fields are not provided error in some rare cases. (EXTWPTOOLK-11652)
  • [-] Certain WP Toolkit processes no longer hang indefinitely if they cannot be finished for some reason. (EXTWPTOOLK-10647)
 
As it was not mentioned in the changelog - if you want to disable the paid and advertised "Vulnerability Protection" feature set the following rule in your "Panel.ini Editor":

Code:
[ext-wp-toolkit]

virtualPatchesFeature = false
 
I was told there will be an update very soon to be able to purchase vulnerability protection for single sites. Is there an estimated release date?
 
Hi everyone, changelog for WP Toolkit v6.6 update:

6.6.0 (26 Nov 2024)

  • [+] WordPress Vulnerabilities screen now has additional widgets that help site administrators focus on addressing the most important issues first. In particular, users can now see how many vulnerabilities were blocked by Vulnerability Protection feature in the past
  • [+] Site card header now includes an icon that shows vulnerability protection status for easier identification and management
  • [+] Vulnerability Protection feature API is now available
  • [+] Additional vulnerability protection licenses were added for both cPanel (50 sites license) and Plesk (more site choices for each Plesk edition)
  • [+] Vulnerability labels were improved and moved to a more visible place
  • [+] Smart PHP Update API now allows to specify custom subdomain name for the website clone
  • [+] Added an option to disable email notifications sent by WordPress about password changes. To disable the notifications, add sendWordPressPasswordChangedNativeEmail = false to the panel.ini or config.ini file
  • Updated wp-cli to version 2.11
  • Vulnerabilities in inactive themes are now properly marked as such
  • Adjusted the icons and naming of WP Toolkit links
  • Clarified wording in email notifications about unresponsive WordPress installations (also known as "quarantined")
  • The icon of X (formerly known as Twitter) was updated in the Maintenance Mode server template
  • Check WordPress integrity dialog now displays the name and the URL of the corresponding site
  • Improved cloning logic to properly support Redis Object Cache plugin
  • (cPanel) Certain mass actions performed by WP Toolkit no longer cause web server to restart multiple times
  • [-] WordPress installations linked with non-existent main domain ID no longer prevent website screenshots being made for properly working WordPress installations. (EXTWPTOOLK-12376)
  • [-] Temporary database dumps left after interrupted operations of cloning or data copying are now properly removed from existence. (EXTWPTOOLK-12360)
  • [-] WP Toolkit no longer reports a false positive vulnerability in the "Master Slider" plugin. (EXTWPTOOLK-12304)
  • [-] Addressed vulnerabilities are now properly grayed out and moved to the bottom of the pecking order. (EXTWPTOOLK-12297)
  • [-] Search is now working again on WordPress Vulnerabilities tab. (EXTWPTOOLK-12223)
  • [-] Signing in to WebPros account during the purchase of Vulnerability Protection addon for a single site no longer fails with AggregateError: Issuer.discover() failed. RequestError: Timeout awaiting 'request' for 5000ms error. (EXTWPTOOLK-12102)
  • [-] Themes with numeric slugs no longer prevent WP Toolkit from opening Updates or WordPress Vulnerabilities windows. (EXTWPTOOLK-11710)
  • [-] Refreshing outdated WordPress installations (we're talking version 5.4 or older here) no longer generates the Error: Could not get 'auto_update_themes' option error in the logs. (EXTWPTOOLK-11707)
  • [-] Copying data from a multisite WordPress installation no longer fails with Argument #2 ($haystack) must be of type array, null given error. (EXTWPTOOLK-10814)
  • [-] (cPanel) Global Settings screen now properly states that WP Toolkit configuration file is called config.ini on cPanel instead of panel.ini. (EXTWPTOOLK-12241)
  • [-] (cPanel) Sets screen now refreshes automatically when a set is removed. (EXTWPTOOLK-11824)
  • [-] (Plesk) Link to configuring of HTTPS redirection under Issues is now properly working again. (EXTWPTOOLK-12331)
  • [-] (Plesk) Smart Update now displays correct error message if it fails due to disabled WP Toolkit cloning management permission. (EXTWPTOOLK-12210)
Please note that this release will be going through a gradual rollout procedure to make sure we can catch any breaking bugs before they do too much damage, so it might not be available on your servers immediately.
 