Here it finally is, the long-awaited WP-CLIWP-CLIWP-CLI is the Command Line Interface for WordPress, used to do administrative and development tasks in a programmatic way. The project page is http://wp-cli.org/https://make.wordpress.org/cli/ release v2.5.0! For this release, we had 73 contributors collaborate to get a whopping 600 pull requests merged.
It was a very tough release to get out, as so many different systems and dependencies all broke or had issues at the same time: PHPPHPPHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php., MySQLMySQLMySQL is a relational database management system. A database is a structured collection of data where content, configuration and other options are stored. https://www.mysql.com/., Travis CI, Composer, Requests, … all of these produced major compatibility issues in a seemingly concerted effort! 😅
More importantly, though, I’m pretty certain that all of the WP-CLI contributors were additionally suffering under the “new normal” of COVID-19 – those contributors lucky enough to still earn regular income during the pandemic are still battling health issues (for themselves and their family), isolation and burnout.
As a maintainer, my initial plan was to devise special events and additional incentives to hopefully raise the level of contribution back up again. But I decided against doing so. Even though we all can’t wait to get a new release out and onto servers, I did not want to add to the additional pressure that the volunteer contributors are already feeling right now. The risks of burnout or other negative effects on mental health have never been so prevalent than now where everyone has to dial down their social support systems. In that perspective, I opted to knowingly go with a longer release time. I am fully aware that a lot of companies had to look into extra workarounds or similar to deal with the late release, but I had to assume that this still happens in a paid capacity. Given the global situation, this seemed more justifiable to me than moving the cost towards volunteer health instead.
Thanks to all the support I had during the extended release time, not least to the WP-CLI sponsors who have allowed me to personally invest as much time as needed into the project to make this release happen.
Now, with that being said, let’s go over some of the noteworthy changes in this release. As always, you can also skip directly to the detailed changelog if you prefer.
This release fixes one direct and one upstream security vulnerability, so it is recommended for everyone to update to this latest release.
Improper Certificate Validation in WP-CLI framework
This security vulnerability is categorized as CWE-295: Improper Certificate Validation with a CSSCSSCSS is an acronym for cascading style sheets. This is what controls the design or look and feel of a site. V3 severity rating of ‘high‘ and was disclosed as CVE-2021-29504 (GitHubGitHubGitHub is a website that offers online implementation of git repositories that can can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ security advisory GHSA-rwgm-f83r-v3qj).
An improper error handling in HTTPSHTTPSHTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.
The vulnerability stems from the fact that the default behavior of WP_CLI\Utils\http_request() when encountering a TLS handshake error is to disable certificate validation and retry the same request.
The default behavior has been changed with version 2.5.0 of WP-CLI and the wp-cli/wp-cli framework (via wp-cli/wp-cli#5523) so that the WP_CLI\Utils\http_request() method accepts an $insecure option that is false by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of WP_CLI\Utils\http_request(), including those in separate WP-CLI bundled or third-party packages.
Insecure Deserialization of untrusted data in upstream Requests library
The vulnerability was found in the FilteredIterator class and was first reported to the WordPress project. The security fix applied to WordPress has been ported back into the Requests library and was distributed with release v1.8.0.
The security fix for CVE-2021-29504 detailed above led to a breaking change where the retry behavior of commands that use remote requests is disabled. Furthermore, the framework is stricter in making use of the certificates that are provided via environment settings.
This means that automated systems that previously succeeded with reliable downloads of external assets can now start to fail because there is an issue with the certificate verification. This can be due to either the environment being misconfigured for certificate verification or the server to connect to actually being insecure.
To get back to the previous behavior, the affected commands now include a new --insecure flag that re-enables the insecure retrying mechanism again. Beware: This opens up these remote requests to man-in-the-middle attacks!
The following commands were affected and were adapted to recognize this new --insecure flag:
PHP 8 support
WP-CLI now officially supports PHP 8. All commands are being extensively tested against PHP 8 and the actual development is currently being done on PHP 8 as well.
However, keep in mind that PHP 8 support is not fully there for WordPress CoreCoreCore is the set of software required to run WordPress. The Core Development Team builds WordPress., and especially for a large part of plugins and themes. Due to the nature of the changes that PHP 8 brings about, it is very easy to break perfectly compatible WordPress Core or WP-CLI via the actions/filters system. Keep this in mind when trying to diagnose PHP 8 compatibility issues and trying to deduce where the erroneous code is to be found.
Improved MySQL/MariaDB support
As it turns out, WordPress Core has not been compatible with a default MySQL database for a while now. What actually happens is that WordPress switches the database in a sort of “legacy” mode at runtime. This has caused the WP-CLI code that uses WPDB to slowly diverge in results from the code that makes direct database requests via the mysql shell binary.
This has now been rectified (at least for all of the major use cases) by letting WP-CLI employ the same “legacy” database mode via a few hacks around the mysql binary.
Package Manager is now powered by Composer v2
Composer v2 has drastically improved both the processing time as well as the memory usage of its dependency resolution mechanisms. And now the WP-CLI Package Manager that you can use via wp package * commands gets to benefit from these same improvements, at it internally uses the new Composer v2 code.
This should also make the dreaded Out-Of-Memory problems with package installation much rarer, even on shared hosting or tight Docker containers.
New commands for managing automatic updates
The following commands were added to allow you to manage the state of automatic updates for plugins and themes:
plugin auto-updates disable
plugin auto-updates enable
plugin auto-updates status
theme auto-updates disable
theme auto-updates enable
theme auto-updates status
Although you could technically already work on the state of the automatic updates by directly controlling the WordPress Options table, this now provides a clean APIAPIAn API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. that abstracts away the technical implementation.
New command for creating MO files
A new command was added to the wp-cli/i18-command package for creating MO files from existing PO files. This can be useful if you use a translation platform that can only output PO files, or tooling that modifies these files.
// Reads from a single .po file.
$ wp i18n make-mo ./wp-content/languages/slug.po
Success: Created 1 file.
// Reads from a directory for multiple .po files.
$ wp i18n make-mo ./wp-content/languages/
Success: Created 5 files.
Smarter I18N handling of JS files
New environment variable: WP_CLI_ALLOW_ROOT
When you’ve been using WP-CLI within a Docker container, you’ve probably noticed the big “YIKES!” message you get that aborts the execution of the command if it detects that you’re running as root. You’d then have to add the --allow-root flag to every single command you run within that container.
Within a docker container, everything is done as the root user, though, and there’s no really security issue, as the container itself acts as a sandbox. Therefore, WP-CLI now allows you to let it know not to warn about the root user via the new WP_CLI_ALLOW_ROOT environment variable. Just set this variable through in your container’s ENV section, and you’re good to go – no need for multiple --allow-root flags anymore.
New global parameter: --exec
Some scenarios require you to run a small PHP snippet before the actual WP-CLI command, to make sure the command runs under the right context or encounters the right environment. You would typically do this by creating a PHP file with the code snippet that needs to be executed and then using the --require global parameter to load that file upfront before the command gets executed.
This is very cumbersome for short snippets, though, or not even easily possible on read-only filesystems. Therefore, WP-CLI now also accepts a new global parameter --exec that you can use to execute PHP logic directly from the command-line before running the actual command.
Chunked queries in search-replace to avoid memory issues
When you need to run a search & replace operation on a very large database, you can easily run into memory issues. WP-CLI tried to fetch all matching query results into memory to loopLoopThe Loop is PHP code used by WordPress to display posts. Using The Loop, WordPress processes each post to be displayed on the current page, and formats it according to how it matches specified criteria within The Loop tags. Any HTML or PHP code in the Loop will be processed on each post. https://codex.wordpress.org/The_Loop. over them.
This type of operation is now processed via a chunked loop that works on 1000 query results at a time via pagination. This drastically reduces the memory requirements and decouples them from the database size.
This is just the first command that receives this treatment, but expect to see more of such scalability fixes in the future.
Hide global parameters help
If you’re a more seasoned WP-CLI, you might have been annoyed from time to time about the wasted screen real estate on the help screens that always append the list of global parameters every single time.
You can now choose to skip the display of these global parameters by setting the following environment variable:
All the help screens will then only display the help for the current context.
Switch from Travis CI to GitHub Actions
For multiple different reasons, I decided to move away from Travis CI, and I ended up migrating the entire infrastructure (testing, automation, deployment, publication, …) over to GitHub Actions.
You will now find a .github/workflows folder in each of the repositories that contains a set of workflows for that repository. However, we also have a new wp-cli/.github repository. This contains centralized workflows that mostly deal with keeping the workflows and configurations across all of the other repositories in sync.
This means that, when I now need to make a change in the testing workflow, for example, I don’t need to manually create a pull request in each of the packages. I modify the template workflow in the wp-cli/.github repository instead, and this one then syncs all the changes over to the individual repositories.
The added automation details, as well as the much improved parallelization of running the tests in GitHub Actions has drastically accelerated the development experience and ultimately leads to faster and cheaper maintenance of the entire project.
Documentation is automatically kept in sync
If you’ve contributed to one of the commands before, I might have required you to install the wp-cli/scaffold-package-command package and run a cryptic command on your PR to get the README.md file updated based on changes in the code’s docblocks. This was an awful contributor experience and I wanted to get rid of that requirement.
When I initially experimented with a git hook to automatically add a commit on PRs when they are pushed, I realized that that approach leads down to a path of merge conflicts and confusion.
The move from Travis CI to GitHub Actions was a good opportunity to revisit this, as I have now solved this problem via an automated GitHub Actions workflow. Whenever changes are pushed to the default branch of a repository, the GitHub Actions bot will try to regenerate the documentation and if this actually produced any changes, it creates a new pull request with the needed patch.
This PR can then be reviewed and merged just like any other contribution. It happens independently of the code change a contributor submitted, so they don’t need to worry about any of this.
MigrationMigrationMoving the code, database and media files for a website site from one server to another. Most typically done when changing hosting companies. to Behat v3
WP-CLI has been stuck with Behat v2 for quite a while now, and this also had an impact on the dependencies we needed to rely on. This made the move to PHP 8 compatibility all the more difficult. Therefore wp-cli/wp-cli-tests was updated to migrate from Behat v2 to Behat v3.
Apart from multiple improvements of the syntax and its execution, this also finally makes it easy to reuse the functional testing infrastructure outside of a wp-cli package. Expect to see a guide on how to migrate your own package code to Behat v3 as well as on how to use wp-cli/wp-cli-tests within other contexts soon.
More flexible test setup
The test setup was made way more configurable to adapt to less standardized environments. Where it was previously difficult to run the tests on a non-traditional stack like a Docker network or a GitHub Actions environment, this can now be easily done via a set of new environment variables.
The database credentials can now be provided via the following environment variables:
host to use and can include a port, i.e “127.0.0.1:33060”
user that has permission to administer databases and users
password to use for the above user
user that the tests run under
password to use for the above user
Provided that these environment variables are present and that your database is online, a simple composer prepare-tests will take care of everything.
Detailed change log
To avoid too much noise in the list above, the following types of pull requests have been omitted:
PRs that dealt with Travis CI and its many issues, as Travis CI has now been replaced with GitHub Actions. Note that the PRs that switched from Travis CI to GitHub Actions are still included, as these often include fixes in the tests or even in the actual code to make the tests pass again on GHA.
PRs that only bumped a single dependency to its latest version.
Move fetcher implementations back into framework [#5527]
Add WpOrgApi abstraction to handle WordPress.orgWordPress.orgThe community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ API requests [#5526]
[BREAKING CHANGE] Disable automatic retry by default on certificate validation error [#5523]
Add missing $pipes variables when creating processes [#5522]
Harden error message on failed cache directory creation [#5520]
Update docblocks for methods that accept error objects [#5516]
[BREAKING CHANGE] Use custom certificate if provided [#5514]
[BREAKING CHANGE] Respect provided verify option in Utils\http_request [#5507]
Add $interactive arg for run_mysql_command() [#5420]
Add support for comma-separated flag values [#5419]
Create a default global config file if it does not exist [#5411]
Updated minimum required PHP version to 5.6 [#5408]
Include classmap in order to fix Composer 2 deprecation notices [#5407]
Bump PHPCS compatibility tests to new PHP 5.6+ minimum [#5406]
Throw exception when misusing error_to_string() [#5405]
Prevent array access notice when $update_info is null [#214]
Add missing --network parameter for plugin is-active [#222]
Don’t show a warning when theme delete --all skips the active theme [#218]
Deny --dry-run usage when requiring a specific version [#236]
Bump PHPCS compatibility tests to new PHP 5.6+ minimum [#235]
Allow for filtering multiple field values for the list command [#234]
Validate the --statusfilterFilterFilters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. passed to wp plugin list and wp theme list [#229]
Add commands to manage auto-updates for plugins and themes [#259]
Provide clear error message when pluginPluginA plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party fails PHP requirement [#253]