One of the simplest ways to keep your WordPress site secure is to stay on top of regular updates. Developers are constantly releasing bugfixes to help close security holes, and as good users of open-source software it’s our duty to stay up-to-date.
For many WordPress sites, it’s immediately obvious when updates are available: you log into WordPress, and it says “hey, there are updates! Click here to install them!”. Unfortunately, that ability compromises site security for ease-of-use; WordPress should not be able to edit its own files on the web server.
Disabling plugin and theme installation via WP Admin
For sites that are able, it’s strongly recommended that WordPress be unable to mutate itself in a production environment. This offers two main benefits:
- An attacker who gains access to a WordPress user account can’t insert a back-door.
- A well-intentioned site admin can’t accidentally white-screen the site by missing a semi-colon.
```php
# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
```
Of course, this only disables the file editor. New plugins and themes can be installed, updates deployed, and core itself modified.
A more secure approach is to completely disable WordPress’ ability to write anywhere on the server (besides the uploads directory), but this comes with an important caveat: we’re now completely responsible for knowing when updates are available.
If you’re comfortable taking the security of your site into your own hands, add the following constant to wp-config.php (in place of DISALLOW_FILE_EDIT, as this one takes precedence):
```php
# Disallow all file modifications within WordPress.
define('DISALLOW_FILE_MODS', true);
```
Keeping WordPress up-to-date
With DISALLOW_FILE_MODS in place, WordPress won’t tell you when there are important security updates available, so how do you stay on top of these things?
That’s exactly why we’ve built and open-sourced the Update Check package for WP-CLI. With a single command, you can get a bird’s eye view of core, plugin, and theme updates available on your site.
Even more powerful, the reports can automatically be emailed to either an address of your choosing or the site’s
To install Update Check, make sure you’re running WP-CLI version 1.1.0 or newer, then run:
```shell
$ wp package install [email protected]:growella/update-check.git
```
Now you’ll be able to run Update Check against any site you can talk to with WP-CLI and either generate or email a report like this:
```shell
$ wp update-check run
Update check for https://engineering.growella.com
Generated Fri, 24 Feb 2017 21:17:16 +0000

WordPress Core:
WordPress core is up-to-date.

Plugin Updates:
- An update is available for google-analytics-for-wordpress (5.5.4 => 6.0.11)

Theme Updates:
All themes are up-to-date.
```
As of today, we’re running Update Check via a cron job on all of our production servers, ensuring Growella’s never more than a day out of date.
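For sites that want the same cron-driven check without the package, here is a script built from stock WP-CLI subcommands; it is an added example, not Update Check’s own code. It assumes WP-CLI is on PATH, a hypothetical WP_PATH variable pointing at the site, and a constructed sample CSV (mirroring the report above) for the offline demo.

```shell
#!/bin/sh
# Added example, not the Update Check package's code: a cron-friendly update
# report built from stock WP-CLI subcommands. Assumes WP-CLI is on PATH and
# that WP_PATH (hypothetical variable) points at the site.
WP_PATH="${WP_PATH:-/var/www/html}"
# Constructed sample of the CSV that `wp plugin list --update=available
# --fields=name,version,update_version --format=csv` prints (header included);
# used by demo_report so the formatting can be exercised offline.
SAMPLE_PLUGIN_CSV='name,version,update_version
google-analytics-for-wordpress,5.5.4,6.0.11'
SAMPLE_THEME_CSV='name,version,update_version'

# Render one report section: a bullet per pending update, or an all-clear.
format_section() {
    label="$1"   # e.g. "Plugin Updates"
    noun="$2"    # e.g. "plugins"
    csv="$3"
    rows=$(printf '%s\n' "$csv" | awk -F, 'NR > 1 && NF >= 3 {
        printf "- An update is available for %s (%s => %s)\n", $1, $2, $3 }')
    printf '%s:\n' "$label"
    if [ -n "$rows" ]; then printf '%s\n' "$rows"
    else printf 'All %s are up-to-date.\n' "$noun"; fi
}

# Number of pending updates in one CSV block, so cron can stay quiet when
# there is nothing to report.
count_updates() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && NF >= 3 { n++ } END { print n + 0 }'
}

# Offline demo over the constructed sample.
demo_report() {
    format_section "Plugin Updates" plugins "$SAMPLE_PLUGIN_CSV"; echo
    format_section "Theme Updates" themes "$SAMPLE_THEME_CSV"
}

# Live run against the site; exits 1 when anything is pending so a cron
# wrapper (or MAILTO) only fires when there is real news.
run_report() {
    core=$(wp core check-update --path="$WP_PATH" 2>&1 || true)
    plugins=$(wp plugin list --update=available --fields=name,version,update_version --format=csv --path="$WP_PATH")
    themes=$(wp theme list --update=available --fields=name,version,update_version --format=csv --path="$WP_PATH")
    printf 'Update check for %s\nGenerated %s\n\n' "$(wp option get siteurl --path="$WP_PATH")" "$(date -u '+%a, %d %b %Y %H:%M:%S +0000')"
    printf 'WordPress Core:\n%s\n\n' "$core"
    format_section "Plugin Updates" plugins "$plugins"; echo
    format_section "Theme Updates" themes "$themes"
    [ "$(( $(count_updates "$plugins") + $(count_updates "$themes") ))" -eq 0 ]
}
# Set WP_REPORT_LIVE=1 in the crontab entry to query the real site.
if [ "${WP_REPORT_LIVE:-0}" = 1 ]; then run_report; fi
```

Because run_report returns non-zero only when updates are pending, a crontab line such as `WP_REPORT_LIVE=1 sh wp-update-report.sh || mail -s "WordPress updates pending" ops@example.com` (constructed address) delivers a report only on days that need action.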