WordPress Toolkit in Plesk

WordPress Toolkit is a single management interface that enables you to easily install, configure, and manage WordPress. To work with it, you need to install the WordPress Toolkit extension in Plesk.

Note: WordPress Toolkit requires PHP version 5.3 or higher. If the system PHP version on your server is lower than 5.3, add a custom PHP handler of version 5.3 or higher, specify the path to the PHP binary, and switch the subscription with WordPress Toolkit to this custom PHP handler. To learn how to add a custom PHP handler, refer to the Command Line Reference guide.

You can completely switch off the WordPress Toolkit by editing the Plesk configuration file. For details, refer to the Advanced Administration Guide, section Switching off WordPress Toolkit.

All WordPress installations installed using the Application Catalog are automatically registered in the WordPress Toolkit. This integration increases the time required to install WordPress. If you want to avoid this, you can switch off automatic integration of new WordPress installations. For details, refer to the Advanced Administration Guide, section Switching Off Automatic Integration of WordPress Installations.

To view and manage all WordPress installations related to your subscriptions and to the subscriptions belonging to your resellers and customers, go to Wordpress.

WP_admin

You can manage WordPress installations either from this page, or from the page of a subscription (open a subscription for management and go to Websites & Domains > WordPress).

The detailed information about installing WordPress on a subscription and managing a WordPress installation can be found at WordPress Toolkit.

在本节:

Managing Plugins

Managing Themes

Securing WordPress

Access WP-CLI

 

Managing Plugins

Installing and Removing Plugins

To install a plugin on one or more WordPress installations, go to WordPress > Plugins tab > Install.

WP_plugins

Type in the name of the plugin you want to install and click Icon_search to search. Once the search is complete, locate the desired plugin in the list and select the corresponding checkbox. You now can install the plugin on all WordPress installations on the server, or click Button_down > Select instances to select one or more installations on which the plugin will be installed. By default, newly installed plugins are activated immediately; you can prevent this by clearing the Activate after installation checkbox.

WP_plugin_install

Note: If you search for a plugin, select the checkbox, and then perform a new search without installing the plugin first, the results of the first search will be lost. For that reason we recommend that you install plugins one at a time.

To remove a plugin from one or more WordPress installations, go to WordPress. Select the checkboxes next to the names of WordPress installations from which you want to remove a plugin and click Plugins. Click thetrashcanicon next to a plugin to remove it from the selected WordPress instances.

You can also remove one or more plugins from all WordPress installations on the server. To do so, go to Server Management > WordPress > Plugins tab, select the checkboxes next to the names of the plugins you want to remove, and click Uninstall.

Activating and Deactivating Plugins

To activate or deactivate one or more plugins on one or more WordPress installations, go to Server Management > WordPress, select the checkboxes next to the names of WordPress installations on which you want to activate or deactivate plugins and click Plugins. You will be presented with the list of all plugins installed on at least one of the selected WordPress installations, along with their activation statuses. For every plugin, you can select to activate it on all selected installations, deactivate it on all selected installations, or leave the plugin's activation status unchanged.

You can also activate or deactivate one or more plugins on all WordPress installations on the server, on which those plugins are installed. To do so, go to Server Management > WordPress > Plugins tab, select the checkboxes next to the names of the plugins you want to activate or deactivate, and click either Activate or Deactivate.

Updating Plugins

To update one or more plugins, go to Server Management > WordPress > Plugins tab, select the checkboxes next to the names of the plugins you want to update, and click Update.

 

Managing Themes

Installing and Removing Themes

To install a theme on one or more WordPress installations, go to WordPress > Themes tab > Install.

WP_themes

Type in the name of the theme you want to install and click Icon_search to search. Once the search is complete, locate the desired theme in the list and select the corresponding checkbox. You now can install the theme on all WordPress installations on the server, or click Button_down > Select instances to select one or more installations on which the theme will be installed.

WP_theme_install

Note: If you search for a theme, select the checkbox, and then perform a new search without installing the theme first, the results of the first search will be lost. For that reason we recommend that you install themes one at a time.

To remove a theme from one or more WordPress installations, go to WordPress. Select the checkboxes next to the names of WordPress installations from which you want to remove a theme and click Themes. Click thetrashcanicon next to a theme to remove it from the selected WordPress instances.

You can also remove one or more themes from all WordPress installations on the server. To do so, go to WordPress > Themes tab, select the checkboxes next to the names of the themes you want to remove, and click Uninstall. Note that a theme that is currently active on a WordPress installation cannot be removed from that installation. To remove a theme from a WordPress installation, activate a different theme on it first.

Activating and Deactivating Themes

To activate a theme on one or more WordPress installations, go to WordPress, select the checkboxes next to the names of WordPress installations on which you want to activate the theme and click Themes. You will be presented with the list of all themes installed on at least one of the selected WordPress installations, along with their activation statuses. You can select a theme that will be activated on all WordPress installations on which it is installed.

You can also activate or deactivate a theme on all WordPress installations on the server, on which that theme is installed. To do so, go to WordPress > Themes tab, and click Activate next to the theme you want to activate.

Updating Themes

To update one or more themes, go to WordPress > Themes tab, select the checkboxes next to the names of the themes you want to update, and click Update.

 

Securing WordPress

To check and secure WordPress installations:

  1. Go to WordPress.
  2. Do one of the following:
    • To check the security of all WordPress installations, click Check Security.
    • To secure a single WordPress installation, click the icon in the S column next to the name of the desired WordPress installation.
    • To secure two or more WordPress installations, select the checkboxes for the corresponding WordPress installations, then click Check Security.
  3. Select the checkboxes corresponding to the security improvements you want to apply, then click Secure.

Caution: Keep in mind that not all security improvements can be rolled back. It is recommended to back up the corresponding subscription before securing WordPress installations.

The complete list of WordPress security improvements
  • The wp-content folder. The wp-content directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-content directory. The security check verifies that the execution of PHP files in the wp-content directory is forbidden. Note that custom directives in the .htaccess or web.config files might override this security measure. Also note that some of your plugins might stop working after securing the wp-content folder.
  • The wp-includes folder. The wp-includes directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-includes directory. The security check verifies that the execution of PHP files in the wp-includes directory is forbidden. Note that custom directives in the .htaccess or web.config files might override this security measure. Also note that some of your plugins might stop working after securing the wp-includes folder.
  • The configuration file. The wp-config.php file contains credentials for database access and other sensitive information. After WordPress installation, the wp-config.php file can be executed. If, for some reason, processing of PHP files by the web server is turned off, hackers can access the content of the wp-config.php file. The security check verifies that unauthorized access to the wp-config.php file is blocked. Note that custom directives in the .htaccess or web.config files might override this security measure.
  • Directory browsing permissions. If directory browsing is turned on, hackers can obtain information about your site (what plugins you use and so on). By default, directory browsing is turned off in Plesk. The security check verifies that directory browsing on the WordPress installation is turned off.
  • Database prefix. WordPress database tables have the same names in all WordPress installations. When the standard wp_ database table name prefix is used, the whole WordPress database structure is not a secret and anyone can obtain any data from it. The security check changes the database table name prefix to something other than wp_. The maintenance mode is turned on, all plugins are deactivated, the prefix is changed in the configuration file, the prefix is changed in the database, the plugins are re-activated, the permalink structure is refreshed, and then the maintenance mode is turned off.
  • Security keys. WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) to encrypt information stored in the user's cookies. A good security key should be long (60 characters or longer), random and complicated. This security check verifies that the security keys are set up and that they at least contain both alphabetic and numeric characters.
  • Permissions for files and directories. If permissions for files and directories do not comply with the security policy, these files can be used to hack your site. After WordPress installation, files and directories can have various permissions. The security check verifies that the permissions for the wp-config.php file are set to 600, for other files to 644, and for directories to 755.
  • Administrator’s username. When a WordPress copy is installed, by default there is a user with administrative privileges and the username admin. As a user's username cannot be changed in WordPress, one only needs to guess the password to access the system as the administrator. The security check verifies that there is no user with the administrative privileges and the username admin.
  • Version information. There are known security vulnerabilities for each WordPress version. For this reason, displaying the version of your WordPress installation makes it an easier target for hackers. The version of an unprotected WordPress installation can be seen in the pages' meta data and readme.html files. The security check verifies that all readme.html files are empty and that every theme has a functions.php file which contains the line: remove_action(\'wp_head\', \'wp_generator\');.
 

Access WP-CLI

WP-CLI is the official WordPress command-line interface for managing WordPress sites. More information can be found here .

You can access WP-CLI directly from the Plesk command-line interface with no need to install WP-CLI on the server.

To call a WP-CLI command via the Plesk command-line interface:

Connect to your Plesk server via SSH (on Linux) or via RDP (on Windows) and, in the command line, run the command:

plesk ext wp-toolkit --wp-cli -instance-id [ID] [command] [options]

where:

  • [ID] is the ID of the WordPress installation in Plesk. To learn the ID, go to WordPress and click the name of the WordPress installation. The ID will be displayed at the end of the URL in the browser. For example, if the URL ends with /id/2, then ID=2.
  • [command] is a WP-CLI command prefixed by -- (for example, --core),
  • [options] is the list of the WP-CLI command's options.

The full list of WP-CLI commands and their options can be found here .

Examples:

To get main WordPress information (a blog name, a web site URL, a version, an update version, plugins, and themes):

plesk ext wp-toolkit --wp-cli -instance-id 4 -- core info

To get help for the core command:

plesk ext wp-toolkit --wp-cli -instance-id 4 -- help core

To install and activate the latest version of the bbPress plugin from wordpress.org:

plesk ext wp-toolkit --wp-cli -instance-id 4 -- plugin install bbpress --activate

Note: To make the changes performed by running a WP-CLI command visible in the Plesk user interface, go to WordPress, click the name of the WordPress installation, and then click Refresh.

 

Leave your feedback on this topic here

If you have questions or need support, please visit the Plesk forum or contact your hosting provider.
The comments below are for feedback on the documentation only. No timely answers or help will be provided.