Remote plugin updates via ManageWP and iControlWP

Home Forums BulletProof Security Pro Remote plugin updates via ManageWP and iControlWP

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #14922
    David
    Participant

    I want to use services like ManageWP and iControlWP to remotely manage several WordPress sites. The advantages of these services is that they allow me to update plugins in my various WordPress installations remotely, very handy when managing many sites. My question is how these services work with BPS Pro autorestore.

    When I update a plugin from within a WordPress site directly I need to click the autorestore notice ‘ONLY Click This Link If You Are Updating A Theme or Plugin’ to update the autorestore backups. What will happen if I update a plugin remotely via, say, ManageWP? Will the autorestore backups be updated, and if not will the updated plugin be quarantined?

    I tried searching the forum archives to see if this question shaw been asked previously but I didn’t find anything.

    Cheers,
    David.

    #14924
    AITpro Admin
    Keymaster

    Update 2-8-2017: https://forum.ait-pro.com/forums/topic/managewp-read-me-first/

    If you have a “plugins” exclude rule setup in AutoRestore then you do not need to do anything and can install plugins remotely.  By default the BPS Pro Wizards create the AutoRestore plugins folder exclude rule when you first setup BPS Pro.  What this means is AutoRestore is told NOT to check the /plugins folder.  The Plugin Firewall was added for this reason as well as a several other reasons.  The Plugin Firewall protects the plugins folder so it is not necessary for AutoRestore to monitor plugin files.  Installing WordPress itself remotely is a different matter.  You would need to do the steps listed below.  Installing themes remotely could be done without having to do anything else AS LONG AS you create an AutoRestore Exclude rule for the /themes folder or you would need to do the steps listed below.

    Notes:  BPS Pro should NEVER be installed at the same time as other WordPress plugins and should NEVER be installed remotely.  BPS Pro upgrades are located on the AITpro.com API Server:  api.ait-pro.com.  WordPress itself, WordPress plugins and themes are on the WordPress.org API Server.  If BPS Pro is installed at the same time as other WordPress plugins and themes then the complex sequence of turning things on and off, etc will not work since our API Server is no longer in control of the BPS Pro upgrade.

    If you are installing WordPress itself remotely or you are installing a Theme remotely and have NOT create a /themes folder exclude rule in AutoRestore:

    Deactivating BPS Pro turns Off AutoRestore and F-Lock, but does not turn off any other security features in BPS Pro.

    Deactivate BPS Pro from your remote application so that AutoRestore is turned Off on that site.
    Install WordPress or Themes remotely.
    Log into that site and run the Pre-Installation Wizard and the Setup Wizard, which will backup all new installed files and turns AutoRestore back On. This step should only take 1-2 minutes to complete.

    #14939
    David
    Participant

    OK, let’s see if I have understood.

    1. I do have a plugins AutoRestore exclude rule so I should be ok to remotely update plugins.

    However if that’s the case, then why does BPS Pro ask me to ‘ONLY Click This Link If You Are Updating A Theme or Plugin’ when I update a plugin from within WordPress? Because I’m obedient and I trust BPS Pro I always click the link. But presumably there would be no problem if I didn’t because AutoRestore isn’t monitoring my plugins folder anyway. Correct?

    2. Is it safe to exclude the themes folder from AutoRestore monitoring? It’s in the wp-content folder so isn’t it potentially writable? Excuse my ignorance, I’m just cautious and was previously hacked before discovering BPS 🙂

    3. I think to be safe I will always update WordPress from within WordPress itself. If I have to go into WordPress to deactivate BPS Pro before remotely updating then I might as well update while I’m there.

    Thanks!

    David.

    #14949
    AITpro Admin
    Keymaster

    Update 2-8-2017: https://forum.ait-pro.com/forums/topic/managewp-read-me-first/

    Yes, you can remotely install plugins without having to do anything else.

    LOL there are a lot of different complex things occurring with ARQ Automation and instead of showing/displaying a message that was a page long with all the different possible scenarios we are only showing a condensed to the point message.  The link does need to be clicked for important reasons and to cover every possible scenario we are keeping it simple.

    Personally we would not exclude the /themes folder from being checked by ARQ, but for some folks convenience is more important to them then security.  So I do not recommend that you do that.  At some point we will be creating an additional security feature in BPS Pro that protects the themes folder specifically.  That is a long long way off though since there a much higher priority tasks being worked on currently.

    Yep, my personal opinion – I think both of these remote apps are really well coded, but I am old school Microsoft trained so there is no way that I would ever use a remote application to install WordPress.  😉

    #14953
    David
    Participant

    Cool thanks, I think I’m nearly there 🙂 Looks like we’re both of the same security conscious mind. I will not exclude themes for security reasons and will therefore only update themes and WP itself from within WordPress.

    Just one last question about remote update of plugins. From your reply above there are clearly other important things happening when the ARQ link is clicked after a plugin is updated from within WordPress. So the obvious question is, if I remotely update a plugin from ManageWP for example, and therefore the link cannot be clicked, the other ARQ important things are not going to happen. Is that a problem?

    I don’t mind not using ManageWP or iControlWP to remotely update. I’d rather know what I’m potentially exposing my sites to so that I can make an informed decision.

    Thanks again!

    David.

    #14967
    AITpro Admin
    Keymaster

    Update 2-8-2017: https://forum.ait-pro.com/forums/topic/managewp-read-me-first/

    “…if I remotely update a plugin from ManageWP for example, and therefore the link cannot be clicked, the other ARQ important things are not going to happen. Is that a problem?…”

    Nope, not a problem.  BPS Pro has functions that are specially designed for handling this scenario.  So you should not run into any issues.  Do a plugin update remotely and then check everything on that site.  If all is good then move ahead with “mass plugin updating”.

    #32358
    AITpro Admin
    Keymaster

    BPS Pro AutoRestore Automation and ManagWP compatibility testing results:

    As it turns out Plugin and Theme installations/updates from ManageWP already work seamlessly with AutoRestore Automation and no additional steps are required. I believe the changes that were made in BPS Pro 12+ version series with the WP upgrader_pre_install and upgrader_post_install filters got everything working fine together.  For WP Core updates, AutoRestore Automation uses AJAX trigger functions instead of using the WP upgrader_pre_install and upgrader_post_install filters. So if someone wants to upgrade WordPress remotely using ManageWP then they would need to do these steps below:

    1. Use the ManageWP Open WP Dashboard feature to connect to your WordPress Dashboard.
    2. Update WordPress from the WP Dashboard. AutoRestore Automation will automatically turn Off AutoRestore, backup files and turn AutoRestore back On.

    Or

    1. Use the ManageWP Open WP Dashboard feature to connect to your WordPress Dashboard.
    2. Turn AutoRestore Off.
    3. Update WordPress from the Manage WP Dashboard.
    4. Run the BPS Pro Setup Wizard.

    Note:  Enabling WordPress Automatic Updates will automatically install any/all new versions of WordPress when they are available.  So manually updating WordPress either from your WP Dashboard or from the remote ManageWP Dashboard is not really necessary.

Viewing 7 posts - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.