WordPress Toolkit

All WordPress installations starting from version 3.4 can be attached to the WordPress Toolkit, a single management interface that enables you to perform operations on multiple WordPress installations such as:

• Checking and improving the security of WordPress installations;
• Installing, uninstalling, activating, deactivating, and updating plugins used by WordPress installations;
• Installing, uninstalling, updating themes and selecting an active theme used by WordPress installations;
• Checking if updates are available and updating WordPress installations;
• Setting up automatic updates for WordPress installations.

To manage WordPress installations on your subscription, go to the Websites & Domains tab > WordPress.

To install a new WordPress copy, go to Websites & Domains > WordPress, and click Install.

APS installations of WordPress are attached to the WordPress Toolkit automatically; non-APS installations should be attached to WordPress Toolkit manually. If you have upgraded from an earlier version of Plesk, where you used WordPress, you should also attach existing WordPress installations to the WordPress Toolkit manually.

To attach WordPress installations to the WordPress Toolkit, go to Websites & Domains > WordPress and click Scan. The files of your subscription will be scanned and the found WordPress installations will be added to the WordPress Toolkit. After that, new APS installations of WordPress will be attached to the WordPress Toolkit automatically, but if you or your customers install new copies of WordPress manually after the scan, these WordPress installations will not be attached to the WordPress Toolkit. For this reason, we recommend that you perform a scan for new WordPress installations from time to time.

All APS installations of WordPress are permanently attached to the WordPress Toolkit. You cannot detach them from the WordPress Toolkit; you can only remove them completely. To remove a WordPress installation, go to Websites & Domains > WordPress > click the WordPress installation name, and then click the Remove button.

Non-APS installations of WordPress cannot be removed by means of the WordPress Toolkit; you can only detach them from the WordPress Toolkit. To detach a WordPress installation, go to Websites & Domains > WordPress > click the WordPress installation name, and then click the Detach button. Note that a detached WordPress installation will be attached to the WordPress Toolkit again after you perform a new scan for WordPress installations.

To view and change settings of a WordPress installation, go to Websites & Domains > WordPress > <WordPress installation name>.

For each WordPress installation, you can change such settings as the username and password for the WordPress database, the administrator’s email, the site name, and the interface language. To do all this, go to Websites & Domains > WordPress > <WordPress installation name> > Change Settings.

To log in to the WordPress dashboard from Plesk, go to Websites & Domains > WordPress > <WordPress installation URL>. Note that for a non-APS WordPress installation, you will need to provide the administrator’s username and password.

To enable automatic logging in to the WordPress dashboard from Plesk for a non-APS installation, go to Websites & Domains > WordPress > <WordPress installation name>, click Manage next to Administrator, and specify the administrator's username and password for this WordPress installation.

To change the administrator's username in WordPress, go to Websites & Domains > WordPress > <WordPress installation name>, click Manage next to Administrator, provide your current username, and specify a new one.

Securing WordPress installations

To check and secure WordPress installations:

1. Go to the Websites & Domains > WordPress.
2. Select the WordPress installations and click Check Security. The security of the following data is checked:
   • The wp-content folder. The wp-content directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-content directory. The security check should verify that the execution of PHP files in the wp-content directory is forbidden.
   • The wp-includes folder. The wp-includes directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-includes directory. The security check should verify that the execution of PHP files in the wp-includes directory is forbidden.
   • The configuration file. The wp-config.php file contains credentials for database access and so on. After WordPress installation, the wp-config.php file can be executed. If, for some reason, processing of PHP files by the web server is turned off, hackers can access the content of the wp-config.php file. The security check should verify that unauthorized access to the wp-config.php file is blocked.
   • Directory browsing permissions. If directory browsing is turned on, hackers can obtain information about your site (the used plugins and so on). By default, directory browsing is turned off in Plesk. The security check should verify that directory browsing on the WordPress installation is turned off.
   • Database prefix. WordPress database tables have the same names in all WordPress installations. When the standard wp_ prefix to the database table names is used, the whole WordPress database structure is not a secret and anyone can obtain any data from it. The security check should verify that the prefix to the database table names is something other than wp_.
   • Security keys. WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) to ensure better encryption of information stored in the user's cookies. A good security key should be long (60 characters or longer), random and complicated. The security check should verify that the security keys are set up and that they at least contain alphabetic and numeric characters.
   • Permissions for files and directories. If permissions for files and directories do not comply with the security policy, these files can be used to hack your site. After WordPress installation, files and directories can have various permissions. The security check should verify that the permissions for the wp-config.php file are set to 600, for other files to 644, and for directories to 755.
   • Administrator’s username. When a WordPress copy is installed, by default there is a user with administrative privileges and the username admin. As a user's username cannot be changed in WordPress, one only needs to guess the password to access the system as the administrator. The security check should verify that there is no user with the administrative privileges and the username admin.
   • Version information. There are known security vulnerabilities for each WordPress version. For this reason, displaying the version of your WordPress installation makes it an easier target for hackers. The version of an unprotected WordPress installation can be seen in the pages' meta data and readme.html files. The security check should verify that all readme.html files are empty and that every theme has a functions.php file, which contains the line: remove_action(\'wp_head\', \'wp_generator\');.
3. If some data does not pass the security check, select this data in the list of the security check results and click Secure. Depending on the selected items, the following actions will be taken:
   • For the wp-content folder, execution of PHP files in the wp-content directory will be forbidden in the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this security measure. Also note that some of your plugins might stop working after securing the wp-content folder.
   • For the wp-includes folder, execution of PHP files in the wp-includes directory will be forbidden in the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this security measure. Also note that some of your plugins might stop working after securing the wp-includes folder.
   • For the configuration file, execution of the wp-config.php file will be forbidden in the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this security measure.
   • For directory browsing permissions, directory browsing on the WordPress installation will be turned off in the server configuration file (Apache, nginx for Linux or web.config for Windows).
   • For the database prefix, the maintenance mode is turned on, all plugins are deactivated, the prefix is changed in the configuration file, the prefix is changed in the database, the plugins are re-activated, the permalink structure is refreshed, and then the maintenance mode is turned off.
   • Good security keys will be generated and added for your WordPress installation.
   • As regards the permissions for files and directories, the permissions will be changed in accordance with WordPress security policy: permissions for the wp-config file will be set to 600, for other files, to 644, and for directories, to 755.
   • For the WordPress administrator's username, a new user with a random username and password and the same profile and properties as the current administrator is created. The administrator's blogs and links are reassigned to the new user, and then the administrator's account is removed.
   • For the WordPress version information, the content of the readme.html files will be cleared, and the above line will be added to the functions.php file of every theme. If there is no such file in a theme, it will be created.

Updating WordPress installations

To check if updates for the WordPress installations are available, go to Websites & Domains > WordPress > Check for Updates.

To update the WordPress installations, go to Websites & Domains > WordPress, select the Wordpress installations and click Update.

To set up automatic updates for the WordPress installations:

1. Go to Websites & Domains > WordPress > Auto-Update.
2. Select the WordPress installations for which you want to set up automatic updates and click Switch On Autoupdate.