cPanel's WP Toolkit messing with CP files

ozfiddler · December 9, 2020, 7:39am

cPanel now has WP Toolkit added as a new feature, and my hosting company has made it available. It’s not something I would ever need or want to use. It is certainly not something I signed up for.

However, on a recent update it went into all my wp-config files and added a line of code!

define('WP_AUTO_UPDATE_CORE', 'minor');// This setting is required to
make sure that WordPress updates can be properly managed in WordPress
Toolkit. Remove this line if this WordPress website is not managed by
WordPress Toolkit anymore

This has concerned a number of people and there is a thread on the cPanel forum here:

The main worry for me is that WP Toolkit is messing around with ClassicPress files. I wonder if @1stepforward should contact them and point out that ClassicPress is not WordPress.

1stepforward · December 9, 2020, 11:39am

Yes, this is something I only very recently became aware of after I updated WHM on my VPS. Immediately after doing so, I started getting loads of wp-toolkit email alerts from my firewall. By “loads”, I mean 860 in 10 minutes. This would have carried on had I not removed the toolkit from cPanel and then uninstalled the toolkit altogether.

I’ve been meaning to look at the toolkit on a test server to see what methods it is using to detect WP installations but I’ve just not had time to do this yet.

So yes, I will contact cPanel today and ask them to fix this asap.

Removing the WordPress Toolkit

Just as an aside, if you’ve got admin access, you can remove the WordPress Toolkit completely with the following command:

yum remove wp-toolkit-cpanel

zigpress · December 9, 2020, 2:25pm

Creepy intrusive behaviour like that is why I stopped using SiteGround.

When will hosting companies and hosting technology suppliers realise that they have no right to make changes to our sites without our express (not implied) permission?

1stepforward · December 9, 2020, 6:55pm

Just a quick update.

I’ve reported this to cPanel and they have been able to confirm that the toolkit wrongly identifies CP sites as WP sites.

This has now been escalated to Level 3 Analysts for further investigation.

I’ll report back here as and when.

ozfiddler · December 9, 2020, 8:10pm

I don’t blame my hosting company. They just applied the cPanel update. It was cPanel that overstepped the mark. They have admitted it, and will revert.

1stepforward · December 9, 2020, 8:58pm

cPanel have created this article which will be updated as and when.

ozfiddler · December 9, 2020, 9:11pm

Yes, they are certainly onto it. Also a reply on the forum:

zigpress · December 10, 2020, 12:04am

Yes, that’s exactly what I meant by hosting technology suppliers. But it’s good that they’re going to put it right.