WordPress Toolkit: Errors in Security Status Updates

Operating System & Version
CENTOS 7.9
cPanel & WHM Version
WHM v98.0.8 CPanel 98.0 (build 8)

perdrix

Registered
Oct 1, 2021
3
0
1
United States
cPanel Access Level
Root Administrator
This is a new install of WordPress Toolkit. I am running through the security status of numerous websites on my server and the security check seems to trip up on 2 different checks:

1) An error occurred while changing the administrator username
I never use Admin as a username. It seems that using something different than Admin initially is tripping up this check and any subsequent attempt to update to a checkmark? Or is it something else? The error message is mute as to what type of error occurred.

2) An error occurred while configuring security keys
Again, the error message is mute as to what type of error occurred. I cannot update any security keys on my server through this.

None of these WordPress installations were directly set up through cPanel, they were all set up either through ftp, command line, or transfer from another cPanel server. In case this matters.

perdrix

After looking at the log report there were some further details:

1) Security measure "Change default administrator's username" was not applied due to the following issue: Error: Administrator with 'admin' username was not found. Warning: ini_set() has been disabled for security reasons in .../utils-wp.php on line 74 Warning: ini_set() has been disabled for security reasons in .../Runner.php on line 1298

2) "Security measure "Configure security keys" was not applied due to the following issue: Security keys were not fully applied."
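
An independent way to see whether the eight WordPress security keys and salts in a site's wp-config.php are all defined with real values, as an added example that is not part of the original posts and is not WP Toolkit's own check. The `MIN_LENGTH` threshold, the function name and the sample configuration are assumptions made for illustration.

```python
import re

# The eight secret constants WordPress core reads from wp-config.php.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 32  # assumption: local threshold, not a WordPress or WP Toolkit rule

# Matches define( 'NAME', 'value' ); with either quote style. Lines that
# start with // or # are skipped; /* ... */ blocks are not handled.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""",
    re.MULTILINE)

def audit_keys(config_text):
    """Return {constant: problem} for every key that is not properly set."""
    found = {}
    for m in DEFINE_RE.finditer(config_text):
        if m.group(2) in KEY_NAMES:
            found[m.group(2)] = m.group(4)
    values = list(found.values())
    problems = {}
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short"
        elif values.count(value) > 1:
            problems[name] = "duplicate value"
    return problems

# Constructed sample: six good keys, one placeholder, NONCE_SALT absent.
SAMPLE_CONFIG = "<?php\n" + "".join(
    "define( '%s', '%s' );\n" % (n, (n + "-constructed-sample-value-") * 2)
    for n in KEY_NAMES[:6]
) + "define( 'LOGGED_IN_SALT', 'put your unique phrase here' );\n"

if __name__ == "__main__":
    import sys
    text = (open(sys.argv[1], errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_CONFIG)
    for name, problem in audit_keys(text).items():
        print(f"{name}: {problem}")
```

Run it with the path to a wp-config.php as the only argument; an empty result means all eight constants are present, distinct and non-placeholder.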
 

perdrix

Since in both instances toolkit fails to cease reflecting the website having "critical security issues", then yes there are questions. Like how do I get these messages to go away without uninstalling toolkit or detaching the website (since this is happening to all websites on the server)... it implies the WordPress installation has a "critical security issue" when in fact it does not, because in both instances the information is set in the manner the script would have set it had it been able to. This same messaging appears in the cPanel area of the website and I would prefer not to have to tell 50+ clients that the website is secure regardless of what this toolkit says.

#1 especially is a lame result from toolkit. As soon as it realized that admin user could not be found, it should have indicated that "this security measure is applied." It does not; it still says "Applying this security measure is critical for WordPress website security."
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
Thanks for the additional details. I did reach out to our WordPress Toolkit developers, and they'd like to get access to the server. If possible, could you submit a ticket to our team and then post the number here so I can follow along?