
Sucuri Blog

Website Security News


WP-CLI Guide: Secure Plugin & Theme Management

July 28, 2015, by Alycia Mitchell


Welcome to our third post on WP-CLI for secure WordPress management over an SSH command line interface. In our previous two articles, we discussed how to connect to WordPress over SSH, and then how to back up & update WordPress securely.

Like other open-source content management systems, WordPress lets you easily add code to make your website look and act differently. These are your themes and plugins, built by inspired developers and designers who understand how WordPress works. These extensions let you publish content with added functionality for your visitors, and they give your brand its unique look.

The people who build these extensions know quite a bit about internet technology when it comes to user experience, but there are just too many ways to break a website. All developers should be ready to deal with a security flaw by patching and notifying users of an update if it comes to that.

Security is not the core competency for most developers and designers. Even the most secure code in the world has flaws that can allow an attacker to gain unauthorized access.

WordPress Plugin and Theme Security

Plugins and themes are no exception; in fact, exploitation of software vulnerabilities is one of the leading causes of WordPress infections.

Updates

If a security hole is patched by the developer, it’s important to update as soon as possible. If you don’t, hackers who stay informed about security patches might beat you to the punch. This is why features like virtual software patching in technologies like Website Firewalls can be so helpful.

Reduction

For every plugin and theme you add to your website, you are adding a whole directory of files that may contain a vulnerability. This is why you should choose additional themes and plugins wisely and remove the ones you don’t need. You can do all this directly in the WordPress console, as long as you have write access to the server and your SFTP credentials. Plain FTP is an insecure communication mechanism, so please use SFTP when it’s available.

WP-CLI: WordPress Command Line Interface

You can also use WP-CLI over SSH, which is a great way to use the command line and keep your connection to your website encrypted. This means you use a text console to type commands that make changes to your WordPress website. In a previous post, we explored how to get connected to your website over SSH and install WP-CLI, then back up your website before updating the core of WordPress. All of this, and more, is done using text commands.

In this post we are going to look at the most popular ways to manage your WordPress themes and plugins securely over SSH.

To start, get connected to your website using SSH the same way we showed you last time. This post is going to be a bit more of a reference guide, assuming you read the previous instructional guides.

Update All

Now that you are connected to your website, why don’t you just go ahead and update all your plugins and themes in under 40 characters?

wp plugin update-all
wp theme update-all
# Newer WP-CLI releases use a flag instead: wp plugin update --all / wp theme update --all

List and Check For Updates

Maybe you want to check which plugins are installed, and which have updates available?

wp plugin list
wp theme list

With that, you now know all the slugs used for your plugins.
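The listing can also be triaged by a script rather than read by eye. The following is an added example, not code from the original post: it parses the CSV form of the plugin list to show which plugins have updates pending and which are inactive (removal candidates, per the Reduction section above). The function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage the CSV printed by
#   wp plugin list --fields=name,status,update,version --format=csv
# The sample data is constructed, not taken from a real site.

# Print "slug installed_version" for every plugin with an update pending.
pending_updates() {
  awk -F, 'NR > 1 && $3 == "available" { print $1, $4 }'
}

# Print slugs of inactive plugins: code still on disk but not in use.
inactive_plugins() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Constructed sample of the CSV output (hypothetical versions).
sample_csv() {
  cat <<'EOF'
name,status,update,version
akismet,active,available,3.1.2
hello,inactive,none,1.6
zeroday,inactive,available,0.9
jetpack,active,none,3.6
EOF
}

# Read the CSV on stdin and print both lists.
triage() {
  csv=$(cat)
  echo "Updates pending:"
  printf '%s\n' "$csv" | pending_updates | sed 's/^/  /'
  echo "Inactive (candidates for removal):"
  printf '%s\n' "$csv" | inactive_plugins | sed 's/^/  /'
}

# On a live site, feed real data instead of the sample:
#   wp plugin list --fields=name,status,update,version --format=csv | triage
sample_csv | triage
```

A plugin that shows up in both lists, like the constructed "zeroday" row, is unused and unpatched at the same time, which makes it the first one to delete.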

Plugins: Install, Activate, Deactivate, Delete

You can use the slugs to manipulate your plugins, such as adding and removing them.

wp plugin install akismet
wp plugin activate akismet
wp plugin update akismet
wp plugin deactivate zeroday
wp plugin delete zeroday

Themes: Install, Activate, Deactivate, Delete

Same goes for managing themes.

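wp theme install twentyfifteen
wp theme activate twentyfifteen
wp theme update twentyfifteen
# disable applies to multisite installs only
wp theme disable twentyfifteen
# activate a different theme first; the active theme cannot be deleted
wp theme delete twentyfifteen

Finding Plugin and Theme Slugs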

If you want to install a new plugin but you don’t know the slug for it, you can find it as a directory under the WordPress.org repository URL:

[Image: plugin slug shown in the WordPress.org URL]

[Image: theme slug shown in the WordPress.org URL]

Installing From URL

You can also hover over the download button to see that it’s a .ZIP file, then right-click the button and copy the link location that the button goes to.

[Image: Status bar and Copy Link context menu in Firefox]

Of course, take care to only install plugins and themes from trusted sources because pirated and nulled themes and plugins are dangerous and often contain some nasty backdoors.
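One way to enforce the "trusted sources" rule when installing from a copied link is to check the URL before WP-CLI ever sees it. This is an added example, not code from the original post: the allow-list, the function names and the test URLs are assumptions, and it relies on wp plugin install accepting the URL of a remote .zip file.

```shell
#!/bin/sh
# Added example: allow-list gate in front of `wp plugin install <url>`.
# TRUSTED_HOSTS and the function names are assumptions for illustration.
# downloads.wordpress.org is the official repository's download host.
TRUSTED_HOSTS="downloads.wordpress.org"

# Exit 0 only for an https:// URL to a .zip file on a trusted host.
is_trusted_zip_url() {
  url=$1
  case $url in
    https://*) ;;                 # refuse http://, ftp://, local paths
    *) return 1 ;;
  esac
  rest=${url#https://}
  authority=${rest%%/*}           # host, plus any user@ or :port
  urlpath=${rest#"$authority"}
  case $authority in
    *@*|*:*|'') return 1 ;;       # userinfo or port can hide the real host
  esac
  case $urlpath in
    *[?#]*) return 1 ;;           # no query strings or fragments
    *.zip) ;;
    *) return 1 ;;
  esac
  for host in $TRUSTED_HOSTS; do
    if [ "$authority" = "$host" ]; then return 0; fi
  done
  return 1                        # look-alike and unknown hosts end up here
}

# Install only when the gate passes; otherwise fail closed.
install_plugin_from_url() {
  if is_trusted_zip_url "$1"; then
    wp plugin install "$1"
  else
    echo "refusing untrusted source: $1" >&2
    return 1
  fi
}
```

Add a vendor's download host to TRUSTED_HOSTS (space-separated) only after you have decided to trust that vendor; the exact-match comparison is what rejects look-alike hostnames.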

Hacking is still a fairly new criminal activity; new vulnerabilities are discovered on a regular basis by hackers who read through lines and lines of code until they find something they can exploit. It’s impossible to guess how many zero-day vulnerabilities exist that haven’t been disclosed yet. In many ways, this is just the beginning.

Stay tuned for our next part in the series, where we’ll explore how to install WordPress almost entirely using WP-CLI.

Video Tutorial

As an added bonus, I’ve prepared a quick video tutorial to assist you in the process. Enjoy!


Categories: Security Education, WordPress Security
Tags: Best Practices, Command Line Tools, WordPress Plugins and Themes

About Alycia Mitchell

Alycia Mitchell has been Sucuri’s Marketing Manager since 2014. Alycia's main responsibilities include analytics and content strategy. Her professional experience covers 10 years of SEO and digital marketing for cybersecurity. When Alycia isn’t deep in spreadsheets, you might find her exploring nature. Connect with her on Twitter.


Comments

  1. Maco

    July 31, 2015

    Would it be possible to run these update commands as a cron job, giving you a better chance of patching any vulnerabilities before they are exploited (assuming you trust the developer has done a decent QA job)?

    • Alycia

      July 31, 2015

      Yes you could use a bash script to automate the update of WordPress core and plugins at a frequency that you determine, but you would also want to make sure you had a backup and tested the upgrade in case there are any conflicts or issues after the upgrade.

  2. Rilwanrabo

    November 28, 2015

    Hi
    Is it possible to create a WordPress theme with this CLI?

© 2023 Sucuri Inc. All rights reserved