If you’re running cPanel, you’re almost certainly running WP Toolkit. It’s installed by default on cPanel servers and is the standard tool for managing WordPress installations.<\/p>\n
Here’s the problem: WP Toolkit deploys with a sudoers configuration that gives it passwordless root access<\/strong> to your entire server. This isn’t something you enabled. It’s there out of the box.<\/p>\n That means every cPanel server running WP Toolkit – and there are millions of them – has this configuration sitting in This isn’t a misconfiguration. It’s baked into the WP Toolkit package itself. You can verify this by checking the RPM preinstall scriptlet:<\/p>\n Here’s what it shows:<\/p>\n Every time WP Toolkit is installed or updated, this script runs and creates that sudoers file. It’s intentional. It’s documented in their own comments: “WPT needs ability to impersonate other system users.”<\/em><\/p>\n The problem is what they gave themselves to achieve that: WP Toolkit creates this sudoers entry out of the box:<\/p>\n That’s This is a classic privilege escalation vector:<\/p>\n Your entire server is one WordPress vulnerability away from full compromise.<\/p>\n If you’re not a sysadmin or you don’t rely heavily on WP Toolkit’s advanced features, the safest approach is to remove it entirely:<\/p>\n That’s it. Done. Will WP Toolkit break?<\/strong> Probably not. Most day-to-day WordPress management doesn’t need root access. If something specific stops working, you can troubleshoot then. The alternative – leaving a passwordless root backdoor on your server – is not worth the convenience.<\/p>\n If you’re comfortable with Linux administration and need WP Toolkit’s automation features, you can lock it down to specific commands instead of removing it completely.<\/p>\n Use Run your normal WP Toolkit operations for a few days, then review:<\/p>\n Once you know what it actually runs, create a hardened sudoers file:<\/p>\n Adjust the command list based on your audit findings. The principle: whitelist only what’s needed.<\/p>\n Always validate after editing – a syntax error in sudoers can lock you out of sudo entirely:<\/p>\n If you see Default configurations prioritise convenience over security. In this case, that convenience is a passwordless root backdoor sitting on your server. Most users:<\/strong> just remove it. Advanced users who need the functionality:<\/strong> audit, whitelist, and lock it down. Either way, don’t ignore it.<\/p>\n","protected":false},"excerpt":{"rendered":" If you’re running cPanel, you’re almost certainly running WP Toolkit. It’s installed by default on cPanel servers and is the standard tool for managing WordPress installations. Here’s the problem: WP Toolkit deploys with a sudoers configuration that gives it passwordless root access to your entire server. This isn’t something you enabled. It’s there out of the box. That means everyRead More …<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,138,131],"tags":[],"class_list":["post-2239","post","type-post","status-publish","format-standard","hentry","category-cpanel","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/2239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=2239"}],"version-history":[{"count":2,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/2239\/revisions"}],"predecessor-version":[{"id":2241,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/2239\/revisions\/2241"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=2239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=2239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=2239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\/etc\/sudoers.d\/48-wp-toolkit<\/code> right now.<\/p>\nDon’t Take My Word For It<\/h2>\n
rpm -q --scripts wp-toolkit-cpanel 2>\/dev\/null | grep -A 20 \"preinstall scriptlet\"<\/code><\/pre>\npreinstall scriptlet (using \/bin\/sh):\n# Check that \"wp-toolkit\" user exist and create in case of absence\n\/usr\/bin\/getent passwd wp-toolkit >\/dev\/null 2>&1 || \/usr\/sbin\/useradd -r -s \/bin\/false -d \/usr\/local\/cpanel\/3rdparty\/wp-toolkit\/var wp-toolkit\n# If wp-toolkit\/var catalog exists, set its owner. If it doesn't exist \u2014 no problem\nchown -R wp-toolkit:wp-toolkit \/usr\/local\/cpanel\/3rdparty\/wp-toolkit\/var 2>\/dev\/null\n# Allow sudo without password prompt\ncat << EOF > \/etc\/sudoers.d\/48-wp-toolkit\n# Rules for wp-toolkit system user.\n# WPT needs ability to impersonate other system users to perform WordPress management and maintenance\n# tasks under the system users who own the affected WordPress installations.\nwp-toolkit ALL=(ALL) NOPASSWD:ALL\nDefaults:wp-toolkit secure_path = \/sbin:\/bin:\/usr\/sbin:\/usr\/bin\nDefaults:wp-toolkit !requiretty\nEOF\n# Verify that sudo works, check performed in non-interactive mode to avoid password prompts\nsu -s \/bin\/bash wp-toolkit -c 'sudo -n -l'<\/code><\/pre>\nNOPASSWD:ALL<\/code>.<\/p>\nThe Default Configuration<\/h2>\n
wp-toolkit ALL=(ALL) NOPASSWD:ALL\nDefaults:wp-toolkit secure_path = \/sbin:\/bin:\/usr\/sbin:\/usr\/bin\nDefaults:wp-toolkit !requiretty<\/code><\/pre>\nNOPASSWD:ALL<\/code>. The wp-toolkit user can execute any command as root<\/strong> without a password.<\/p>\nWhy This Is Dangerous<\/h2>\n
\n
Option 1: Just Disable It (Recommended for Most Users)<\/h2>\n
rm \/etc\/sudoers.d\/48-wp-toolkit<\/code><\/pre>\nOption 2: Harden It (For Advanced Users)<\/h2>\n
Step 1: Audit what WP Toolkit actually needs<\/h3>\n
auditd<\/code> to track what commands it runs:<\/p>\n# Add audit rule for commands run by wp-toolkit\nauditctl -a always,exit -F arch=b64 -F euid=0 -F auid=$(id -u wp-toolkit) -S execve -k wp-toolkit-cmds<\/code><\/pre>\nausearch -k wp-toolkit-cmds | aureport -x --summary<\/code><\/pre>\nStep 2: Replace with whitelisted commands<\/h3>\n
cat << EOF > \/etc\/sudoers.d\/48-wp-toolkit\n# WP Toolkit - hardened sudoers\n# Only allow specific commands required for WordPress management\nwp-toolkit ALL=(ALL) NOPASSWD: \/usr\/local\/cpanel\/3rdparty\/bin\/wp\nwp-toolkit ALL=(ALL) NOPASSWD: \/bin\/chown\nwp-toolkit ALL=(ALL) NOPASSWD: \/bin\/chmod\nwp-toolkit ALL=(ALL) NOPASSWD: \/usr\/bin\/systemctl restart httpd\nwp-toolkit ALL=(ALL) NOPASSWD: \/usr\/bin\/systemctl restart php-fpm\nDefaults:wp-toolkit secure_path = \/sbin:\/bin:\/usr\/sbin:\/usr\/bin\nDefaults:wp-toolkit !requiretty\nEOF<\/code><\/pre>\nStep 3: Validate your sudoers<\/h3>\n
visudo -c -f \/etc\/sudoers.d\/48-wp-toolkit<\/code><\/pre>\nCheck Your Server Now<\/h2>\n
cat \/etc\/sudoers.d\/48-wp-toolkit<\/code><\/pre>\nNOPASSWD:ALL<\/code>, take action. Either remove the file or harden it. Don’t leave it as-is.<\/p>\nThe Bottom Line<\/h2>\n