Support » Plugin: iThemes Security (formerly Better WP Security) » WP CLI being blocked with http code 418

  • When trying to update plugins or themes via WP CLI I am now getting this…
    Fetching pre-update site response…
    -> HTTP status code: 418
    -> I’m a little teapot.
    Warning: Failed pre-update status code check (HTTP code 418).

    wp cli core us up-to-date on my server when I checked.

    I have checked the error logs on my server, and I don’t see any HTTP code 418 being thrown, so where is this coming from?

    I have no problem updating plugins and themes via InfiniteWP though.

    The page I need help with: [log in to see the link]

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hey there, this is the first time I, myself, have ever seen a 418 but it looks like this HTTP status code is an April Fools joke.

    I don’t think this has anything to do with the iThemes Security plugin.

    I’d initially want to know the results of appending --skip-plugins --skip-themes to the wp-cli command.

    Regardless of the results, I would suggest parsing the entire site file system for any references of 418 (well, maybe not the ENTIRE site at first but maybe start with wp-content and then work your way into the rest).

    Tailing some logs and replicating the issue may help provide some answers. As I first mentioned, this is the first time I’ve seen someone use this 418 status code so I’m not entirely sure what you should be keeping an eye out for.

    Hope this helps lead you to some answers.

    Thread Starter danielbair


    The skip-plugins and skip-themes doesn’t help when I am trying to update plugins and themes.

    Here is an example from one of my many sites (all are running iThemes security).

    wp plugin install jetpack --force --skip-plugins --skip-themes
    Installing Jetpack ? WP Security, Backup, Speed, & Growth (9.7)
    Fetching pre-update site response...
     -> HTTP status code: 418
     -> I'm a little teapot.
    Warning: Failed pre-update status code check (HTTP code 418).
    Error: No plugins installed.

    Again I don’t get this problem when I attempt to update with InfiniteWP.

    Thread Starter danielbair


    The mozilla developer article also says this:
    “Some websites use this response for requests they do not wish to handle, such as automated queries.”

    Also, the 418 exception seems to be in the WP core files…
    “wp-includes/Requests/Exception/HTTP/418.php: * Exception for 418 I’m A Teapot responses”

    Thread Starter danielbair


    Ok, I setup a test wp install and was able to discover that this problem only exists when the better-wp-security plugin is installed. I am able to use a local wp-cli workaround with update-verity disabled for now.

    This may be an issue with DreamHost and mod_security that better-wp-security is triggering, but there are no 418 error codes in the logs.

    Thread Starter danielbair




    The provided link points to an outdated post (almost 8 years old) and therefor it is about plugin code that no longer exists …

    I’ve done an automated search for 418 in the current plugin code but it doesn’t exist.

    You could try and temporarily disable all plugin modules by adding the line below to the wp-config.php file (not sure whether this actually also affects WP CLI):

    define('ITSEC_DISABLE_MODULES', true);

    Another option is to disable any setting that writes to the .htaccess or nginx.conf file. Most of these settings are found in the WordPress and System Tweaks modules. Basically make sure the iTSec plugin does not add anything to these web config files. Easiest way to do this is to temporarily disable the Write to Files setting in the Global Settings module.

    +++++ To prevent any confusion, I’m not iThemes +++++



    @danielbair I use both free and paid versions of iThemes Security. Manage a VPS and WordPress via WPcli/SSH and other means and have never run into a 418.

    I feel you are looking in the wrong place to diagnose/troubleshoot this issue but to echo, I would suggest following the above, @nlpro comment, to see if that helps.

    If you haven’t already, contact the hosting provider support for additional help on this.

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Plugin Review Team Rep

    A 418 is 100% a DreamHost thing. We use it for a number of things, but basically it’s our way to know weird stuff is happening. We incorporated it into our pre-flight check so that before we try to update someone’s site, we know for sure that it’s up, it’s working, and it’s WodPress.

    The 418 there means it cannot successfully CURL your site to get headers etc.

    But… if this is always happening when iThemes is active, it means that something iThemes is doing is blocking that CURL check, and preventing the command from seeing your site.

    It very much could be a combo of this plugin (or rather a specific setting in this plugin) that is causing the error and, since DreamHost makes use of the teapot, it’s only showing up here.

    Are there any options in iThemes that would block a call like this:

    // parse URL.
    		$parsed_url = wp_parse_url( $url );
    		$timeout = 10;
    		$ch = curl_init();
    		curl_setopt( $ch, CURLOPT_URL, $url );
    		if ( false !== $ip ) {
    			curl_setopt( $ch, CURLOPT_RESOLVE, array( $ip ) );
    					'www.' . $parsed_url['host'] . ':443:' . $ip,
    					$parsed_url['host'] . ':443:' . $ip,
    					'www.' . $parsed_url['host'] . ':80:' . $ip,
    					$parsed_url['host'] . ':80:' . $ip,
    		curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    		curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout );
    		$http_respond = curl_exec( $ch );
    		$http_respond = trim( strip_tags( $http_respond ) );
    		$http_code    = curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    		if ( in_array( $http_code, array( '200', '302' ) ) ) {
    			return true;
    		} else {
    			return false;
    		curl_close( $ch );

    And yeah, I know straight up curl is bad and I’d rather use wp_remote_get, but weirdly we needed it to be able to run when that won’t, thanks to some services.

    $ip is passed from the command as the IP of the server, so it’s just asking itself. This gets us around situations where someone has a firewall like Cloudflare that makes the lookups chancy.

    $url is literally the domain – we just pass it around a lot.

    Thread Starter danielbair


    FYI, I setup a test WP install on my DreamHost server (they are aware of the issue and have disabled update-verify package for now).

    It was a clean basic WP default install. I then used wp-cli to force install jetpack (without activating it) with no problems with update-verity. Then I used wp-cli to install better-wp-security and activate it with no problems. Then I tried to install force install jetpack again with wp-cli and then 418 is being thrown. This was true for attempts to install or update any other themes or plugins.

    I did no setup for bettter-wp-security, only the default from activation.

    I find it strange that there are no server logs for 418 on DreamHost. I have some other websites on DreamHost and did find a couple of 418 in their error logs, but not related to wp-cli or better-wp-security issues (blocked hack attempts).

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Plugin Review Team Rep

    Well that one isn’t a server log error, which I get is confusing.

    This is curl failing which, if it was curl itself, there would absolutely be an error log on the server. On the other hand, if better-wp-security is blocking curl from running (which is sounding more and more likely here…) then there’s no PHP or error log because WP is just saying “No curl for you!” which isn’t an ‘error’ but a decision :/

Viewing 10 replies - 1 through 10 (of 10 total)
  • You must be logged in to reply to this topic.