Completely Uninstall Wordpress Toolkit including users

RobinF28

I agree with the general sentiment above from WHM users, i.e. new features shouldn't add or modify code on users' accounts without the explicit consent & agreement from server owners etc.

I too have used the rpm -e wp-toolkit-cpanel command to remove the feature, after initially accepting it, in order to understand its functionality better, and then regretted this.

Furthermore and FYI, I have noticed many additional log lines (1000's of additional lines) in our daily "/var/log/secure" log file, referencing this line...

sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts

... which indicates increased activity as this feature "does-its-thing" so to speak, and there is no explanation of this yet. I'm a bit suspicious of course, but hoping this will now stop after its de-registration.

Just FYI.

:)
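An added example, not part of the post above and not cPanel's code: one way to quantify the sudo activity described there is to parse the sudo records in /var/log/secure and count them per day and per target user and program. The log lines are constructed; the host names, USER= values and COMMAND= paths are placeholders, and only the PWD value comes from the post.

```python
import re
from collections import Counter

# Syslog prefix, then sudo's "user : KEY=value ; ... ; COMMAND=..." record.
SUDO_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) [\d:]{8} \S+ sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)

def parse_sudo(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # COMMAND is always last and may itself contain " ; ", so split it off first.
    head, sep, command = m["fields"].partition("COMMAND=")
    if not sep:
        return None
    rec = {"day": " ".join(m["day"].split()), "user": m["user"], "COMMAND": command}
    for part in head.split(" ; "):
        key, eq, value = part.partition("=")
        if eq:
            rec[key.strip()] = value.strip()
    return rec

def summarize(lines, user="wp-toolkit"):
    """Count sudo records for `user` per day and per (target user, program)."""
    per_day, per_cmd = Counter(), Counter()
    for line in lines:
        rec = parse_sudo(line)
        if rec and rec["user"] == user:
            program = (rec["COMMAND"].split() or ["?"])[0]
            per_day[rec["day"]] += 1
            per_cmd[(rec.get("USER", "?"), program)] += 1
    return per_day, per_cmd

# Constructed sample: host names, target users and COMMAND values are placeholders.
PWD = "PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts"
SAMPLE = [
    f"Jan 12 03:10:01 host1 sudo: wp-toolkit : TTY=unknown ; {PWD} ; USER=root ; COMMAND=/placeholder/task-a --id 1",
    "Jan 12 03:10:01 host1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    f"Jan 12 03:10:05 host1 sudo: wp-toolkit : TTY=unknown ; {PWD} ; USER=alice ; COMMAND=/placeholder/task-b x ; y",
    f"Jan 13 03:10:02 host1 sudo: wp-toolkit : TTY=unknown ; {PWD} ; USER=root ; COMMAND=/placeholder/task-a --id 2",
    "Jan 13 09:00:00 host1 sudo:    admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    days, commands = summarize(SAMPLE)  # on a server: summarize(open("/var/log/secure"))
    print(dict(days), commands.most_common())
```

The per-program counts show which scripts account for the volume and which account each one runs as, which is the detail needed to judge whether the activity is expected.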
 

custer

Staff member
> Since the editing of the wp-config.php files.. I tested some manual Wordpress upgrades and they have now switched to the dev/nightly versions. This is a huge issue. There has to be some way for cPanel to support the reversal of this almost malicious (not intended) action.

Hi @bradlee,

This can happen only if both of the following conditions are true:

1. Your WP site is already running a dev/nightly version.
2. Major WP core updates were enabled for your WP site either manually or via WPT.

Please double check if the sites you've used for testing were already running a dev/nightly build, since WPT cannot install dev/nightly builds or update a public release build to a dev/nightly build without site admin enabling dev/nightly builds first.
 

cPRex

Staff member
Hey everyone!

We've published a tool that will allow you to automatically remove the extra entry to the wp-config.php file:


Since this does make a change to user files, it's important you have a backup first just in case.
 

Paul Shultz

> Thanks to @custer for that helpful post.
>
> I'd also like to point out that after some additional research, WPT *will* auto-install if you update cPanel and Wordpress Manager is detected, which is something we weren't aware of at the time I posted last week.

I am glad that this was picked up, as I was made to believe I did something wrong in the v90 update to v92.0.3 feature showcase
 

0884094

"WordPress Toolkit" has broken auto-update for the 350 WordPress blogs on our server by modifying wp-config.php without my knowledge.

cPanel: please avoid pushing this kind of thing onto my systems in the future.

@custer: my platform manages auto-updates by setting constants from our own plugin, so if you scan wp-config.php and don't find WP_AUTO_UPDATE_CORE, don't think that you can insert your own random settings without affecting anything. Your inserts clobbered our logic. It took me a while to figure out what was going on. Our plugin uses this:
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'allow_dev_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_core_update_send_email', '__return_false' );
 

rivermobster

@custer

I'd like to add a little something to this discussion, both pro and con...

First, I'm upgrading to a new cloud hosting account. It was nice to find the Toolkit there. Normally, I'd either have to add WP manually, or do it through Softaculous, so the toolkit was a nice surprise since I won't have Softaculous anymore.

We are all here to make money. Obviously the toolkit wants to monetize itself, but let's be realistic here....

Almost All of the options the toolkit wants us to pay for are free with a number of different security plugins, so why would anyone want to pay for that! lol

This is the one I use, I have it on all of my sites: All In One WordPress Security and Firewall Plugin The free version has, I believe, all of your Premium options included. Wordfence is probably the most popular one, but it's a little overblown for my tastes.

Premium features should be PREMIUM features. Things you can't get somewhere else or provide a much needed service.

Being able to add my own plugin and theme library is Really nice, but do I want to pay a monthly fee for that? Yeah no. Cause really, that's the only thing I can see so far that I can't easily get somewhere else AND makes my life easier.

Add some Real value to it, reduce the price, or maybe make it a one time fee to upgrade (the one time fee is a much preferred option to me)? Nickel and diming my monthly nut is never my first choice for an upgrade. :)

With all due respect,

-Joe
 

scottc

> Hey everyone!
>
> We've published a tool that will allow you to automatically remove the extra entry to the wp-config.php file:
>
> Since this does make a change to user files, it's important you have a backup first just in case.

There is nothing automatic about that tool. It requires you edit the command line to include the path to the wp-config.php file and then run it, one at a time, for each and every Wordpress installation on the server. Your installation script apparently found and edited every one of them without our intervention. Why are you making it so difficult to uninstall?
 

wintech2003

> There is nothing automatic about that tool. It requires you edit the command line to include the path to the wp-config.php file and then run it, one at a time, for each and every Wordpress installation on the server. Your installation script apparently found and edited every one of them without our intervention. Why are you making it so difficult to uninstall?

+1

The first command finds all the paths with wp-config.php files that WordPress Toolkit edited, and then the second script needs you to feed each path one-by-one?
That's not automatic, I need to run the command 229 times for a customer who accidentally chose to install it (before WPT v5.2.4)...
 

Alongar

I was reading through the thread and I didn't see anyone mention how the Wordpress Toolkit also installs a 'drop-in plugin' and it's located in your Wordpress content folder called 'Maintenance.' Does anyone know if detaching a website from Wordpress Toolkit will remove the files it installed in your Wordpress directory? (i.e. the 'Maintenance' folder and all its contents inside and any other files)

I was trying to figure out where this 'drop-in plugin' came from as I deleted it and it came back. I investigated it, found the maintenance folder but thought it was placed there via a Wordpress update. I investigated it even further and it came from the Wordpress Toolkit. I can't quite figure out why this was a necessary thing to do without asking for consent to install files in someone's Wordpress directory. I ended up deleting the folder and maintenance.php file that was outside the folder. So far it hasn't auto generated again. The first time I just deleted the php file and not the entire folder. Which looked like why the .php file kept coming back.

The wp-config file edit was not that bad. I got over it and auto-updating to a minor release isn't a big deal for me but the drop in plugin and files added to the content folder was uncalled for.
 

cPRex

Staff member
@Alongar - if the site has ever been put into maintenance mode through the cPanel interface the /wp-content/maintenance directory gets created. Unlinking a site from WordPress Toolkit does not remove that directory at this time. If you'd like to see the directory removed it would be best to submit a feature request so we can work toward getting that behavior changed, but the presence of the directory itself will not interfere with the way the site works.
 

wintech2003

AFAIK those are standard files/folders for WordPress Toolkit managed installations. I've seen them in Plesk in the past too. They're here in cPanel as well.
You don't need to enable maintenance mode for them to appear, simply adding a WordPress installation to WordPress Toolkit is enough.
Not particularly bad when you actually add the WordPress sites yourself - the problem here is that in v5.2.3 it happened automatically after installation (even if you hadn't run the plugin at all yet).

Anyway, what is done is done - we can't change that. I believe it's clear to the devs that altering client files in any way is not acceptable.
 

cPRex

Staff member
In my testing, I couldn't get them to appear without putting a site in maintenance mode, although my site was only running for a few minutes. If something else is making that happen, I'm personally not aware of it, so I just wanted to see his file structure for comparison.
 

Alongar

@cPRex

It happened when Wordpress Toolkit was first introduced in the cPanel update. Wordpress Toolkit automatically attached itself to my Wordpress website on my VPS after the update. It added the Maintenance folder under wp-contents. Inside the wp-contents folder there was also a maintenance.php file that resided outside the actual maintenance folder. Both items were added by Wordpress Toolkit automatically during the cPanel update that introduced it. I actually didn't realize it until a week ago that Wordpress Toolkit added my website when I was trying to figure out where this maintenance drop-in plugin came from that appeared on my Wordpress backend.

During that update that introduced Wordpress Toolkit, when my site was attached to it automatically, it also by default had 'Disable wp-cron.php' feature active. I already disabled the native Wordpress cron job before Wordpress Toolkit and had a manual cron job going. Wordpress Toolkit added another cron job on top of the one I already had. So there were 2 cron jobs going. I disabled the cron job feature in Wordpress Toolkit, as well as deleted the cron job it added. After that, I noticed after disabling that feature, it deleted the 'define('DISABLE_WP_CRON', true);' line from my wp-config.php (keep in mind, that code was in my wp-config file before Wordpress Toolkit took over, I disabled it beforehand because I was using a server side cron job). So, I had to add the line back to my wp-config file. I went to look at Wordpress Toolkit and 'Disable wp-cron.php' was now active again. I checked server cron jobs, but only the one I manually input was there (Wordpress Toolkit did not add another one this time around).

Also, when I look at the security fixes and recommendations provided by Wordpress Toolkit, the 'secure' box is not active when checking hardening features. It's disabled and can not be clicked to apply any hardening. Anyway, that's not really a big deal since I have hardening in place in the areas Wordpress Toolkit recommends or has it flagged as critical. For example, Sucuri Wordpress plugin does the same hardening features as Wordpress Toolkit. However, Wordpress Toolkit does not recognize those hardening features in place and flags the site with critical issues. I also have my directories and files with the correct permissions but Wordpress Toolkit still flags it as being 'critical'.

I attached the file of the security issues and how the secure button is disabled.

Anyway, I like the idea of the Wordpress Toolkit. Especially, the hardening features which can replace plugins that do the same thing. That would be one or more less plugins to use if Wordpress Toolkit can do it server side instead of installing a plugin via Wordpress dashboard. The issue I have, like many others, was the roll out of Wordpress Toolkit which applied changes to web server files and/or added files and directories automatically during the release.

As to your question about sharing the contents of the files and directories so you can confirm:

Under Maintenance Folder:
Assets

template.phtml

Under Assets in Maintenance Folder:
Fonts
Images

styles.css
timer.js

Under Fonts in Assets Folder:
open-sans-300.woff
open-sans-300.woff2
open-sans-regular.woff
open-sans-regular.woff2

Under Images in Assets Folder:
bg.jpg
facebook.svg
instagram.svg
plesk-logo.png
twitter.svg

Those were the contents of the maintenance folder. However, outside that folder resides maintenance.php which is located in the wp-contents folder as well. That file relates to the maintenance folder contents. Both the maintenance folder and all contents inside, and the maintenance.php were added by Wordpress Toolkit.
 


cPRex

Staff member
Thanks for the great details. I can confirm those are the files created by WPT.

As long as you don't have a .maintenance file present in your WordPress' root directory, the site is not currently in maintenance mode, but the folders can still exist. Did you see the site in maintenance mode at some point or are you just concerned with the presence of the files?
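An added example, not part of any post in this thread and not cPanel's tool: a read-only Python audit that walks a directory tree, finds each wp-config.php, and reports the items discussed above (the WP_AUTO_UPDATE_CORE and DISABLE_WP_CRON constants, wp-content/maintenance, wp-content/maintenance.php, and the .maintenance file). The /home default and all function names are assumptions.

```python
import os
import re
import sys

# define('NAME', value); with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
# Constants named in this thread; extend the tuple to watch others.
WATCHED = ("WP_AUTO_UPDATE_CORE", "DISABLE_WP_CRON")

def read_defines(config_path):
    """Return {constant: raw value} for watched, non-commented define() lines."""
    found = {}
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            code = re.split(r"//|#", line, maxsplit=1)[0]  # drop single-line comments
            for name, value in DEFINE_RE.findall(code):
                if name in WATCHED:
                    found[name] = value
    return found

def audit_site(root):
    """Report the wp-config.php constants and maintenance files for one install."""
    content = os.path.join(root, "wp-content")
    return {
        "root": root,
        "defines": read_defines(os.path.join(root, "wp-config.php")),
        "maintenance_dir": os.path.isdir(os.path.join(content, "maintenance")),
        "maintenance_php": os.path.isfile(os.path.join(content, "maintenance.php")),
        # Per the staff reply, only this file means maintenance mode is active.
        "maintenance_mode": os.path.isfile(os.path.join(root, ".maintenance")),
    }

def audit_tree(base):
    """Find every directory under `base` holding wp-config.php and audit it."""
    return sorted(
        (audit_site(d) for d, _dirs, files in os.walk(base) if "wp-config.php" in files),
        key=lambda r: r["root"],
    )

if __name__ == "__main__":
    # Read-only; the default base is an assumption for a typical cPanel layout.
    for report in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(report)
```

Running it before and after a cPanel or WordPress Toolkit update and comparing the two reports shows which installs had constants or maintenance files added or removed.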
 

Alongar

> Thanks for the great details. I can confirm those are the files created by WPT.
>
> As long as you don't have a .maintenance file present in your WordPress' root directory, the site is not currently in maintenance mode, but the folders can still exist. Did you see the site in maintenance mode at some point or are you just concerned with the presence of the files?

No, the site was not seen in maintenance mode even with the files there. I removed the files since I have my own maintenance feature in place. Also, I haven't tested it yet but it looks like WPT also created a 'wordpress backup' directory. I haven't performed the backup via WPT to see if the backup files get placed in that folder.

Another question, do you know why the 'secure' button in WPT is not active when critical issues and recommendations are checked off under the security option in WPT? I attached a screenshot in the previous post of mine to get a better view of what I am talking about.
 

cPRex

Staff member
The backup directory I'm not sure about as that doesn't seem like a standard naming convention.

So far we haven't been able to reproduce the odd behavior of the maintenance directory just appearing, so if someone that sees this could submit a ticket that would help us out, as I don't have a good explanation for the behavior you're experiencing at this time.
 

rivermobster

Not only does it not pick up what the plugins do, it doesn't pick up on what WP does either!

I had a site set to Search engine visibility off in one of my test sites...

After I went and turned it back on, the toolkit still showed it as off.

Makes me wonder who has the final word on such things, the toolkit, or WordPress itself??

Not good...
 