Facebook
TwitterWP Toolkit - Product News
- Thread starter custer
- Start date
@trialotto It's not added yet, but the team is looking into adding wc-cli support as we speak. If it's easy to support, we'll add it in the upcoming major release. I'll keep you posted.
Hi everyone, WP Toolkit v6.9 is now available! Changelog:
6.9.0 (12 Nov 2025)
- [+] (cPanel)(Gradual rollout) WP Toolkit's WordPress plugin responsible for protecting sites with Vulnerability Protection now also provides GUI for accessing certain WP Toolkit functionality inside WordPress admin dashboard. This GUI is now available on cPanel servers:
- Site admins can access vulnerability information directly inside the plugin GUI. More features will be added in the next plugin updates
- The plugin now detects when plugins and themes are installed or updated directly through WordPress, so it will apply mitigation strategies immediately
- To enable GUI on the existing plugin installations, add the following lines to config.ini file:
- integrationPluginApi = true
- integrationPluginUiModuleEnabled = true
- integrationPluginEventModuleEnabled = true
- integrationPluginApi = true
- To give site administrators the opportunity to install the plugin, add integrationPluginPromo = true to config.ini file
- To install the plugin on all new WordPress installations automatically, add installIntegrationPluginToNewSites = true line to config.ini file
- Set this option to false if you want to disable this behavior before it becomes default in the subsequent WP Toolkit updates
- [+] Backups made in WP Toolkit v6.9 and newer can be easily restored on different servers and even platforms (from Plesk to cPanel and the other way around). To restore a backup made on another domain or server:
- Create a new WordPress site on the target domain
- Upload the backup
- Make sure the Hide backups from other domains option is off
- Find your backup in the list and restore it. Relevant paths and URLs will be updated automatically during the restoration process
- [+] (Plesk) Added official support for Debian 12 and Debian 13 OSes
- [+] (Gradual rollout) Issues menu in the site card header was split into several categories for better visibility of issues and easier access
- [+] Vulnerability protection rules and other mitigation policies are now applied immediately in most cases without waiting for an hourly maintenance task
- [+] Vulnerability protection rules are now applied to ignored low-risk vulnerabilities
- [+] WP Toolkit now properly supports cloning and copying data between WordPress installations that use Redis Object Cache plugin
- CLI option -password will be deprecated in the next major version of WP Toolkit (v6.10). ADMIN_PASSWORD environmental variable should be used instead
- Addressed a couple of issues that caused WP Toolkit to spam error messages in server logs under various circumstances
- Accessibility improvements
- Security improvements
- (cPanel) Feature Showcase text for WP Guardian addon is now shorter
- [-] Malformed PHP files in WordPress should no longer be able to break WP Toolkit interface. (EXTWPTOOLK-13707)
- [-] Enabling "take over wp-cron.php" feature on a server with a lot of WordPress sites no longer fails with Invalid usage of pm_Settings::set error. (EXTWPTOOLK-13657)
- [-] Disabling vulnerability protection now displays factually correct notification message. (EXTWPTOOLK-13755)
- [-] Failed Smart Updates should now properly clean up after themselves, removing all traces of cloned installation files created during the Smart Update process. (EXTWPTOOLK-10448)
- [-] WP Toolkit no longer rejects plugins and themes with underscore characters in version used outside of Version field. (EXTWPTOOLK-9313)
- [-] Updating vulnerability database should no longer fail with errors in a number of cases. (EXTWPTOOLK-13832)
Hey everyone, one of our biggest releases is now out. WP Toolkit v6.10 changelog:
6.10.0 (14 Apr 2026)
- [+] Security Risk rating is now displayed for each WordPress component and website. The goal of this rating is to help site admins assess which vulnerable website or component they should take care about first. This feature introduces a lot of changes throught WP Toolkit:
- Vulnerabilities widget was replaced by Security Risk widget
- WordPress Vulnerabilities tab was redesigned and renamed to Vulnerable Components. It now shows WordPress components with their Security Risk rating. Clicking on a component expands the view to show details about specific vulnerabilities
- All actions on the Vulnerable Components tab have been moved inline or to the widgets at the top of the screen
- Vulnerabilities label in the site card title was replaced by Security Risk label
- Sites view on mass Security window was moved to a separate tab. It now has a separate Security Risk column that shows Security Risk rating for each site
- Updates and Vulnerability Protection widgets were redesigned
- WordPress installations can now be sorted by their Security Risk
- Email notifications about new vulnerabilities were redesigned to focus on Security Risk rating changes
- Ignore Low-Risk Vulnerabilities feature became pointless, so it was removed
- [+] Redesigned WP Toolkit plugin UI to support the Security Risk feature and related changes
- [+] Added the ability to change autoupdate settings to WP Toolkit plugin
- [+] Site administrators can now purchase Vulnerability Protection directly from the WP Toolkit plugin. Purchase URL can be customized via purchaseDeluxeGuardianBaseUrl parameter in panel.ini on Plesk and whmVirtualPatchesUpsellUrl parameter in config.ini on cPanel
- [+] Installing WP Toolkit plugin will switch WP Toolkit to using a secure one-time login link when logging in to WordPress from WP Toolkit
- [+] Link to WP Toolkit plugin inside WordPress admin area was moved under the Dashboard link in the left navigation menu. Server administrators can change the position of WP Toolkit link via integrationPluginCustomizationsMenuPosition option in the config file.
- [+] Added the ability to mass-install WP Toolkit plugin on all existing sites on a server. Set rolloutIntegrationPluginToExistingSites option to true in your config file to enable this behavior. Installation of the plugin is performed at a rate of 100 sites per hour to avoid causing significant server load. Note: this option will be enabled by default on all Plesk and cPanel servers purchased via retail channels
- [+] Scan for new sites can now be run automatically every 24 hours. To enable this, add scanInstancesPeriodically = true to your config file (config.ini on cPanel or panel.ini on Plesk)
- [+] Running wp-cli instance info now also shows the minor WordPress version available for update
- [+] Added name filters to Plugins and Themes tabs on the site card
- [+] Extended filters on global Plugins and Themes tabs to make sure list items can be filtered by domain and by component name
- [+] Server administrators can now prevent users from accidentally turning off Vulnerability Protection feature. This is done by adding permissionNonAdminsManageVulnerabilityProtection = false to your config file
- [+] The list of content-related database tables that can be optionally excluded during the Copy Data procedure was extended with the following WooCommerce HPOS database tables:
- _wc_orders
- _wc_order_addresses
- _wc_order_operational_data
- _wc_orders_meta
- [+] Server admins can now use wpCronFrequency config option to define how often wp-cron.php scheduled tasks should be executed by default. The default frequency was changed from every hour to every 5 minutes (12 times per hour).
- [+] Take over wp-cron.php option now always creates a replacement scheduled task (no extra action required)
- [+] Smart Update and Smart PHP Update procedures now generate text logs when the update prognosis is positive (only negative prognoses generated text logs previously)
- [+] WP Toolkit now properly supports cloning and copying data between WordPress installations that use W3 Total Cache plugin
- [+] (cPanel) WordPress security widget was added to WHM home page
- [+] (cPanel) WP Guardian (cPanel addon) 50 sites pack is now available for purchase in cPanel Store
- [+] (Plesk) WordPress security widget was added to Plesk Home screen
- [+] (Plesk) Vulnerability Protection status widget was added to Plesk Home page
- [+] (Plesk) Access to WP Toolkit can now be blocked in Restricted Mode (Plesk > Tools & Settings > Restricted Mode Settings > Administrative Tools)
- [+] (Plesk) WP Guardian SaaS promo was added to the corresponding widget on the Plesk Home screen
- WP Toolkit now pre-downloads the latest WordPress archive to the server's local package cache on clean installation and refreshes it once per day
- Improved WP Toolkit performance for the following operations:
- Site data refresh
- Switching themes
- Activating or deactivating plugins
- WP Toolkit plugin performance was improved
- Updated several feature icons
- Default HTTP timeout for connecting to wordpress.org was increased from 15 seconds to 60 seconds
- Multiple security improvements
- CLI option -password is now fully deprecated for security reasons. ADMIN_PASSWORD environmental variable should be used instead
- Optimized Smart PHP Updates feature screens to reduce the number of distracting texts
- Improved reliability of WP Toolkit installation and update procedures
- (Plesk) Users will now be warned that their subscription will be locked during and after Smart PHP Update if PHP version and handler management permission is disabled on the subscription
- (Plesk) Improved the stability of working with wp-cron.php scheduled tasks
- [-] Installation path on the Clone screen is now refreshed properly after target domain is changed. (EXTWPTOOLK-13920)
- [-] Proper error message is now displayed if user tries to clone a multisite in the same domain. (EXTWPTOOLK-12836)
- [-] Smart Update no longer fails when it finds a page with redirect. (EXTWPTOOLK-12815)
- [-] Smart Update no longer fails if WPML plugin is used and sitemap generation is disabled in WordPress. (EXTWPTOOLK-6571)
- [-] Smart Update no longer fails if Redirection plugin is used. (EXTWPTOOLK-7655, EXTWPTOOLK-13317)
- [-] WP Toolkit UI no longer breaks if it encounters malformed UTF-8 characters in processed data. (EXTWPTOOLK-13253)
- [-] Duplicated message saying Smart PHP Updates php handler switching was declined no longer shown in Logs when Smart PHP Update is declined. (EXTWPTOOLK-14074)
- [-] Vulnerability-related confirmation popup is no longer shown when a blocklisted plugin happens to be selected during a bulk activation of plugins. (EXTWPTOOLK-14226)
- [-] Install button on the WordPress installation screen no longer unlocks prematurely after being clicked. (EXTWPTOOLK-14228)
- [-] (cPanel) WP Toolkit log files (sw-engine and action-logs) are now properly rotated when ProtectSystem is set to full. (EXTWPTOOLK-13990)
- [-] (cPanel) WP Toolkit name is now properly displayed in browser tab titles. (EXTWPTOOLK-10775)
- [-] (cPanel) WP Toolkit now properly works on CloudLinux 9 Solo. (EXTWPTOOLK-14180)
- [-] (cPanel) Ongoing Smart Update or Smart PHP Update task can no longer prevent the user from accessing WP Toolkit interface under certain conditions. (EXTWPTOOLK-14238)
- [-] (Plesk) Orphaned WordPress installations are now properly cleaned up from WP Toolkit database during WP Toolkit update. (EXTWPTOOLK-11704)
- [-] (Plesk) Text on API documentation links located on Remote API (REST) screen is now displayed correctly in Restricted Mode. (EXTWPTOOLK-13915)
- [-] (Plesk) Errors are no longer shown in panel.log when discarding or applying Smart PHP updates. (EXTWPTOOLK-14125)
Similar threads
