I love WordPress, but one of the biggest pains has always been keeping it up-to-date and secure when you’ve got more than one or two installs.
If you’ve got only a couple installs then just manually logging into each one and doing updates and making sure you haven’t broken anything isn’t too bad. As soon as you have more than a handful though, logging in and clicking update over and over takes so much time that sometimes it just doesn’t get done. Things have gotten a little better since auto-updating became available in 3.7, but that doesn’t cover all updates or plugins & themes, etc. I always feel like I have this disorganized mess of some sites that are up-to-date and streamlined and some that aren’t and I’m never totally sure which is on what list.
Enter the multiple install management tools. ManageWP, iThemes Sync, InfiniteWP, etc. These tools allow you to have a centralized dashboard where you can see what needs to be upgraded: WordPress core, plugins, themes, etc. Many of these tools also have additional functionality like backups, cloning, snippets you can run across all your sites and more.
“But why wouldn’t I just use WordPress multisite?” you may ask. It’s a good question, since it seems like that’s what multisite was designed for. I used to run WordPress this way myself, but it was very frustrating. Plenty of popular plugins don’t work with multisite, users and other data is shared across the whole multisite install, and the general practice of customization of themes and plugins per install just doesn’t really translate. On top of that, maybe the WordPress sites that you manage all aren’t hosted in the same place? I know mine aren’t. They are on a number of different hosting platforms, and I couldn’t setup multisite even if I wanted to. Certainly there are scenarios where multisite makes good sense, but if you’re just running a gaggle of disconnected sites it doesn’t really work.
I’m going to talk about ManageWP since I found it to be the most full-featured and usable of the options I tried. If you’re looking for a feature comparison and reviews check out this article from wpscoop. My opinion is that while ManageWP is maybe on the more expensive side (about $2/mo/site for the Pro version), if you’re going to bother setting this all up it may as well be with the one with the best feature set. Here’s some of the features I’ve already found useful:
- One-click multiple site upgrades of basically everything.
- Offsite scheduled backups.
- Security audits.
- Sub-accounts for clients that may have multiple sites.
- Migration of a site from one host to another via cloning.
- Alerts for spikes in traffic.
Once you’re ready to install it on your sites it might seem like a lot of work just to get it going, but it’s not to bad when you consider how much time it saves in the future (I enjoy delayed laziness as an incentive).
To install ManageWP you’ll need to:
1. Install and activate the worker plugin.
2. Make sure your site is allowing upgrades from the admin console without entering an FTP or other password.
3. Make sure you know the admin login for each site.
4. Make sure your site allows SSL logins.
Then you can bulk add all your sites into ManageWP.
The ManageWP user guide has a lot of this covered already, but I took some shortcuts I wanted to go over.
If you’re a command-line person and haven’t heard of WP-CLI, let me introduce you to your new best friend. It’s so useful you might decide you don’t even need ManageWP and you can just script everything from command line. I’m too lazy for that, but it did make my step #1 pretty darn easy:
$ for i in `cat ~/wordpress-directories.txt`; do echo $i ; cd /var/www/html/$i ; wp-cli plugin install worker ; wp-cli plugin activate worker ; done
That for loop will go into each of your wordpress directories on your site (that’s what I’ve got in wordpress-directories.txt) and download, install & activate the ManageWP worker plugin. I do this kind of trick a lot to install plugins across all my sites.
#2. Allow upgrades w/o entering a password.
This is maybe a little trickier. I don’t ever set my WordPress to be able to update its own files via the web server user, and you probably shouldn’t either. But this means you have to either specify a public key or password in your wp-config.php file so that WordPress knows how to update itself. I do this with ssh keys of a user that can’t connect except for locally, see this article for a run-down of that method. I actually externalize that data from the wp-config.php as well for a little more safety.
#3 Get the list of admins.
Ok, this is a little embarrassing to admit, but I didn’t really know what login I was using for some sites. So I ran this:
$ for i in `cat ~/wordpress-directories.txt`; do echo $i ; cd /var/www/html/$i ; wp user list --role=administrator --fields=user_login ; done
and then I had a list of everyone with admin accounts, including a couple that still had the “admin” user (oops). You aren’t using users named “admin” anymore either, right?
#4. Your site allows SSL.
ManageWP can fall-back to using its own encryption just over HTTP, but using SSL here would be better.
Then bulk upload your CSV file of hosts, admins & groups and you’re done!