cPanel WordPress Toolkit Creates WP Auto Update Core Directive in wp-config File

Discover why hosts are removing the new WordPress Toolkit app from cPanel, and how it can directly conflict with WordPress or other manually added auto update directives for your site.

What is WordPress Toolkit?

cPanel introduced a new, free WordPress management interface app called WordPress Toolkit.

The app was rolled into the November 2020 cPanel v92 update.

A few of its features include:

• Site maintenance mode
• Backup/restore
• debugging

The free version, called WordPress Toolkit Lite was made available to all cPanel users on hosts who released the app onto their servers. There is also a paid version called Deluxe with more features that allows you to stage, clone, and migrate sites, and costs $7.50/mo for a single user.

Sounds Great, What’s the Problem?

It appears that cPanel may have developed this app without following the expected updates to be released in WordPress 5.6 that included automatic WP updates.

cPanel decided that the WordPress Toolkit would have a default setting to allow all minor WordPress updates.

And while that is the default behavior of existing WordPress sites who were currently running WP 5.5, it will not be the default behavior of new WP installs using WP 5.6.

And the cPanel app writes that directive into the wp-config file without so much as detecting if any other directive is already there – you know, like a site owner having manually configured all updates off either via hard code or through a plugin.

Plus, there is no way to turn off the auto updates directive in WordPress Toolkit.

It’s either set to:

• turn on minor update
• turn on major updates
• turn off all updates

There is no “off” setting to entirely opt out of the app having control over this critically important setting.

Hosts Remove the App

The WordPress Toolkit app is actively being removed by many hosts after learning about the update directive being written into the wp-config file, and other issues they are not happy with supporting.

But to their utter dismay, that directive in the wp-config file does not disappear when WordPress Toolkit is uninstalled.

As you can see in this cPanel forum support thread, that has caused a major issue for hosting resellers who will now have to either manually remove that directive or come up with a script to auto remove it and risk toasting those wp-config files.

cPanel Seriously Needs to Do Better Coordination, Beta Testing, and Notification

This is not the first time cPanel has written directives to site files without telling anyone.

They have made multiple changes to the DCV rules that govern how our free SSL certificates renew every 90 days, including writing redirect rules in the .htaccess file.

And while cPanel has good intentions with this new WordPress Toolkit app, they should never write anything to a wp-config file without prior authorization from the site owner.

On top of that, who did they tell about this?

I have yet to encounter a host support person who knew about it.

Nor do I know any webmaster, much less site owners who knew about it.

It seems to me that the only folks who might have known were the server admins who tested it out.

And it also seems to me that cPanel included this particular setting in their app with total disregard for native WordPress settings.

For cPanel to setup a potential conflict with something as critically important as auto update directives, and cause countless hours of non-billable troubleshooting for hosts and site owners is irresponsible.

And I am one of those webmasters who finds new, unknown directives written in our files who has to spend non-billable hours chasing down where it came from.

Then I have to spend non-billable hours coordinating the new directives with the perfectly tuned way I had the files and directives previously configured for my own sites as well as all of my clients and webmasters.

It’s out of hand!

And next time this happens, I may just send cPanel the bill for all the troubleshooting and investigation.

How to Check if You Have the WordPress Toolkit App

Log into your cPanel.

In the search box at the top or in the sidebar, type in WordPress Toolkit.

If your host has installed it, you’ll see the app.

If you see the app, open a support ticket and include a link to this post and ask them to kindly take that app off their hosting, or to tell you a safe way to turn off their auto update directive so that you are both 100% it will not be rewritten to your wp-config.php file again later. (I’m betting they can’t guarantee this as long as that app is present.)

And then ask them to remove that directive for you.

If you don’t see the app, you may still want to open a support ticket with your host, link to this post, and ask them if they plan to install it. And let’s hope not.

Want Cutting Edge Eyes on Your Site?

Get a site audit or become a Webmaster.

I’m constantly working on the backside of your hosting and see these changes as they happen.

My site audit clients and webmasters are the first to know, and get to stay well ahead of the curve to keep their sites fast and secure, while staying out of trouble when conflicts like this happen.