Welcome to our third post on WP-CLI for secure WordPress management over an SSH command line interface. In our previous two articles, we discussed how to connect to WordPress over SSH, and then how to back up & update WordPress securely.
Like other open-source content management systems, WordPress lets you easily add code to make your website look and act differently. These are your themes and plugins, built by inspired developers and designers who understand how WordPress works. These extensions let you publish content with added functionality for your visitors, and they give your brand its unique look.
The people who build these extensions know quite a bit about internet technology when it comes to user experience, but there are just too many ways to break a website. All developers should be ready to deal with a security flaw by patching and notifying users of an update if it comes to that.
Security is not the core competency for most developers and designers. Even the most secure code in the world has flaws that can allow an attacker to gain unauthorized access.
WordPress Plugin and Theme Security
Plugins and themes are no exception. In fact, exploitation of software vulnerabilities is one of the leading causes of WordPress infections.
If a security hole is patched by the developer, it’s important to update as soon as possible. If you don’t, hackers who stay informed about security patches might beat you to the punch. This is why features like virtual software patching in technologies like a Website Firewall can be so helpful.
For every plugin and theme you add to your website, you are adding a whole directory of files that may contain a vulnerability. This is why you should choose additional themes/plugins wisely and remove the ones you don’t need. You can do all this directly in the WordPress console, as long as you have write access to the server and your SFTP credentials. Plain FTP is an insecure communication mechanism, so please use SFTP when it’s available.
WP-CLI: WordPress Command Line Interface
You can also use WP-CLI over SSH, which is a great way to use the command line and keep your connection to your website encrypted. This means you use a text console to type commands that make changes to your WordPress website. In a previous post, we explored how to get connected to your website over SSH and install WP-CLI, then back up your website before updating the core of WordPress. All of this and more using text commands.
In this post we are going to look at the most popular ways to manage your WordPress themes and plugins securely over SSH.
To start, get connected to your website using SSH the same way we showed you last time. This post is going to be a bit more of a reference guide, assuming you read the previous instructional guides.
Now that you are connected to your website, why don’t you just go ahead and update all your plugins and themes in under 40 characters?
wp plugin update-all
wp theme update-all
List and Check For Updates
Maybe you want to check which plugins are installed, and which have updates available?
wp plugin list
wp theme list
With that, you now know all the slugs used for your plugins.
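An added example, not from the original post: a small POSIX shell wrapper that exports the database first, then updates only the plugins and themes that the list command reports as outdated, one slug at a time. The names `safe_update` and `outdated`, the `WP` variable and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: back up first, then update only what is reported as outdated.
# WP, outdated, safe_update and the sample paths are illustrative assumptions.
WP=${WP:-wp}   # override to point at a specific wp binary

# Print the slugs of plugins or themes that have an update available.
outdated() {   # $1 = plugin|theme, $2 = WordPress path
    "$WP" --path="$2" "$1" list --update=available --field=name
}

# Export the database, then update each outdated extension by slug.
# Returns 1 (and updates nothing) if the backup fails, 2 if any update fails.
safe_update() {   # $1 = WordPress path, $2 = backup directory
    wp_path=$1
    dump="$2/db-$(date +%Y%m%d-%H%M%S).sql"
    if ! "$WP" --path="$wp_path" db export "$dump" >/dev/null; then
        echo "backup failed, skipping updates" >&2
        return 1
    fi
    failed=0
    for kind in plugin theme; do
        for slug in $(outdated "$kind" "$wp_path"); do
            if "$WP" --path="$wp_path" "$kind" update "$slug" >/dev/null; then
                echo "updated $kind $slug"
            else
                echo "FAILED $kind $slug" >&2
                failed=2
            fi
        done
    done
    return "$failed"
}

# Run only when called with two arguments, for example:
#   sh safe-update.sh /var/www/html /var/backups/wp
if [ "$#" -eq 2 ]; then
    safe_update "$1" "$2"
fi
```

A non-zero exit status tells the caller that either the backup or at least one update did not go through, so the site should be checked by hand.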
Plugins: Install, Activate, Deactivate, Delete
You can use the slugs to manipulate your plugins, such as adding and removing them.
wp plugin install akismet
wp plugin activate akismet
wp plugin update akismet
wp plugin deactivate zeroday
wp plugin delete zeroday
Themes: Install, Activate, Deactivate, Delete
Same goes for managing themes.
wp theme install twentyfifteen
wp theme activate twentyfifteen
wp theme update twentyfifteen
wp theme disable twentyfifteen
wp theme delete twentyfifteen
Finding Plugin and Theme Slugs
If you want to install a new plugin but you don’t know the slug for it, you can find it as a directory under the WordPress.org repository URL:
Installing From URL
You can also hover over the download button to see that it’s a .ZIP file, then right-click the button and copy the link location that the button goes to.
Of course, take care to only install plugins and themes from trusted sources because pirated and nulled themes and plugins are dangerous and often contain some nasty backdoors.
Hacking is still a fairly new criminal activity; new vulnerabilities are discovered on a regular basis by hackers that read through lines and lines of code until they find something they can exploit. It’s impossible to guess how many zero-day vulnerabilities exist that haven’t been disclosed yet. In many ways, this is just the beginning.
Stay tuned for our next part in the series, where we’ll explore how to install WordPress almost entirely using WP-CLI.
As an added bonus, I’ve prepared a quick video tutorial to assist you in the process. Enjoy!
Would it be possible to run these update commands as a cron job giving you a better chance of patching any vulnerabilities before they are exploited (assuming you trust the developer has done a decent QA job)?
Yes, you could use a bash script to automate the update of WordPress core and plugins at a frequency that you determine, but you would also want to make sure you had a backup and tested the upgrade in case there are any conflicts or issues after the upgrade.
Is it possible to create a WordPress theme with this CLI?