Do you use the WordPress dashboard to update plugins and themes? How do you back up your database? If you have not used it yet, WP-CLI is an efficient way to manage your WordPress installation using a command line interface, meaning you type text commands like these two:
wp core update wp plugin update-all
You type these lines into a Secure Shell (SSH) window that is connected to your website server. If you are new to using command line interfaces, this is a great place to start learning. Beginners will feel like masters of the Matrix in no time.
This is the first part in a series on WP-CLI for secure WordPress management. This post includes the basics of getting connected.
WP-CLI is a set of command-line tools for managing WordPress installations. You can update plugins, set up multisite installs and much more, without using a web browser. – WP-CLI.org
A Note on Secure Server Access
File Transfer Protocol (FTP) is inherently insecure. The command and data channels are unencrypted, meaning that anything transferred between your computer and the server can be intercepted and read. Imagine your wp-config.php file, containing its super-secret database codes, transmitted in plain text across the internet for any traffic-sniffing trojan to grab. Not ideal, is it?
Also worth noting, SSH stands for Secure Shell Protocol. It’s a good sign when the protocol has the word “secure” built into its acronym.
What You Will Need
To access to your website over SSH, you need to find your server and login information. This is not the same as your WordPress Dashboard login (wp-admin), this is a set of credentials you use with your web host. Once we have the server credentials, Windows users just need to install an application to get connected.
SSH Access
Log in to the website for your hosting company. If possible, you may want to call or chat with your host and ask them for assistance with getting SSH access to the root directory of your website. You can also look through your hosting control panel or cPanel for anything related to SSH or Shell Access. Make sure it’s enabled. You also need your server and login information, which often looks like this:
- Server: server.name.com
- User: username
- Password: ***************
In most cases your server is just your website domain name (example.com) and the username and password are the same ones used to log in to your hosting company’s website. You can try searching for “SSH” in your host’s knowledge base. Depending on the host’s setup, you may need to generate a key pair, and they can guide you through that process.
SSH Client
You take the above credentials and connect to your server using a program on your computer. For Mac and Linux users there is no need to install anything. For Windows users, we have included a screen shot.
Mac/Linux: Open Terminal (built-in)
- Type this, replacing the username and server.name.com:
ssh username@server.name.com
- You will be prompted for your password.
- When you are connected successfully, you won’t receive an error or a confirmation, just a prompt where you can start typing. You should now be in the root of your website!
- You can check that you are in the root of your website by typing:
ls
This will list the contents of the folder you are in. You should see your WordPress files in those folders (wp-admin, wp-content, wp-includes, etc). If you see a bunch of folders like publichtml or httpdocs or www, type:
cd folder
This changes your directory to that folder and then you can use the ls command again to see what’s inside.
Windows: Install an SSH client, we included instructions for PuTTy.

- Click the first putty.exe link on this page: PuTTy website
- Like all SSH clients, PuTTy just asks for your hostname (server), then you can select SSH from the radio buttons, and click Open. You will be prompted to type your username and your password.
- When you are connected successfully, you won’t receive an error or a confirmation, just a prompt where you can start typing. You should now be in the root of your website!
- You can check that you are in the root of your website by typing:
ls
This will list the contents of the folder you are in. You should see your WordPress files in those folders (wp-admin, wp-content, wp-includes, etc). If you see a bunch of folders like publichtml or httpdocs or www, type:
cd folder
This changes your directory to that folder and then you can use the ls command again to see what’s inside.
- You can find plenty of videos and information on how to connect with PuTTy.
Fingerprints
The first time you connect, you may be prompted to verify your host’s fingerprints. Don’t accept a public key fingerprint without checking its validity. Have the phone support representative read the alphanumeric code to you while you check it, or look for “fingerprints” in their documentation.
Installing WP-CLI
Once you have successfully connected, you can copy and paste the following command into the prompt and press Enter to get the latest version of WP-CLI:
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
Or if that doesn’t work, try:
wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
If you still can’t run the following commands, try the alternate install methods on Github.
You know it works when you get a fresh prompt and no error messages. You will see signs of download progress just prior to the new prompt. For newbies to the command line, welcome!: When you type something incorrect, you will get an error message telling you exactly what went wrong.
To verify that WP-CLI is installed, simply type:
wp cli version
You should see the version number if it’s installed. Now you are ready for our next post on using WP-CLI to fully back up your WordPress website and update the core files and database. Stay tuned!
Video Tutorial
As an added bonus, I’ve prepared a quick video tutorial to assist you in the process. Enjoy!
I love the CLI. It’s pretty easy to use and works quite fantastically, especially for checking and running updates, and installing and removing items. Much faster than using the browser, especially if you have multiple sites and aren’t using something like ManageWP or IWP (though it’s still much faster than those anyway).
A few things worth mentioning is.
PHP need phar module compiled with it.
and if suhosin is active in php you might need to whitelist phar by putting the following in php.ini file.
suhosin.executor.include.whitelist = phar
Also if its run under root make sure to use sudo -u user in front of command else the files generated will get root as owner.
Hello,
How are you use WP-CLI ??