Skip to main content
Run any Skill in Manus
with one click
GitHub repository

wp-arsenal

wp-arsenal contains 30 collected skills from rahlplx, with repository-level occupation coverage and site-owned skill detail pages.

skills collected
30
Stars
1
updated
2026-06-16
Forks
0
Occupation coverage
3 occupation categories · 100% classified
repository explorer

Skills in this repository

wp-ci-deploy
software-developers

Deploy a theme, plugin, or wp-content subset to a WordPress server from a CI/CD pipeline, with automatic pre-deploy backup, post-deploy health check, and automatic rollback on failure. Designed for GitHub Actions, GitLab CI, or any pipeline that can run Python.

2026-06-16
wp-woo-audit
information-security-analysts

Security and integrity audit for WooCommerce stores. Checks REST API key scope, payment gateway exposure, webhook HTTPS enforcement, suspicious $0 orders, exposed wc-logs (PII/payment data), and coupon abuse.

2026-06-16
wp-child-theme
software-developers

Scaffold and deploy a WordPress child theme via SSH. Generates style.css, functions.php (with correct parent style enqueueing), and index.php. Supports Kadence, Astra, GeneratePress, Hello Elementor, OceanWP, and any custom parent. Can activate the child theme immediately after creation.

2026-06-16
wp-theme-switch
software-developers

Safely switch WordPress themes via SSH with automatic rollback if the site goes down. Records the previous theme for instant rollback. Verifies HTTP 200 before and after the switch.

2026-06-16
wp-theme-audit
information-security-analysts

Security audit of WordPress themes via SSH. Scans for PHP malware patterns, injected scripts, recently modified files, and unexpected file types. Also checks DB for customizer injections and Elementor postmeta payloads. Use after any attack or before going live with a new/inherited theme.

2026-06-16
elementor-guide
software-developers

Comprehensive guide to building, maintaining, and recovering Elementor-based WordPress sites. Covers the CSS pipeline, global styles (Kit), common post-attack failures and fixes, Pro vs Free features, and integration with Kadence and Hello Elementor themes.

2026-06-16
kadence-theme-guide
software-developers

Comprehensive guide to building and recovering Kadence-based WordPress sites. Covers global styles, Kadence Blocks, Header/Footer builder, template library, child theme best practices, and post-attack recovery sequences.

2026-06-16
wp-network-audit
information-security-analysts

Security audit for WordPress Multisite Network installations. Lists all sub-sites, detects super-admins, checks network-activated plugins vs filesystem, flags spam/deleted sites, reviews registration settings, and checks dangerous upload filetypes at the network level.

2026-06-15
admin-guard
information-security-analysts

MU-plugin that restricts wp-login.php and wp-admin/ to trusted IP ranges at the PHP level. Belt-and-suspenders alongside .htaccess whitelisting. Has a safety valve: if no trusted CIDRs are configured, all IPs are allowed (so you can't lock yourself out).

2026-06-15
rate-limiter
information-security-analysts

MU-plugin that rate-limits WordPress login attempts — no plugin required. After N failed logins from the same IP within a rolling window, locks out that IP for a configurable duration and sends an email alert.

2026-06-15
security-headers
software-developers

MU-plugin that adds HTTP security headers to every WordPress response: X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, Permissions-Policy, and optional Content-Security-Policy. Also removes WordPress version fingerprinting from HTML head.

2026-06-15
xmlrpc-kill
software-developers

MU-plugin that completely disables WordPress XML-RPC at the PHP level. Belt-and-suspenders alongside .htaccess blocking. Also removes pingback headers and self-pingbacks. Do not use if you run Jetpack.

2026-06-15
wp-digest
software-developers

Send a weekly multi-site security digest email aggregating all scan results. Reads JSON logs from wp-multisite sweeps, groups findings by site, and emails a colour-coded HTML digest with one-click attention flags. Use for agency weekly reporting or personal multi-site monitoring.

2026-06-15
wp-report
software-developers

Generate self-contained HTML or plain-text audit reports from WP-Arsenal JSON output. Combines results from multiple scripts into one colour-coded report. Use after any audit run to produce a shareable deliverable for clients or records.

2026-06-15
wp-db-audit
information-security-analysts

WordPress database security audit via SSH + MySQL. Detects injected scripts, rogue admin users, plugin-filesystem mismatches, Rank Math redirect abuse, WP-cron tampering, and rogue option rows. Use early in incident response before any cleanup.

2026-06-15
wp-backup
network-and-computer-systems-administrators

Full WordPress site backup via SSH — database dump + wp-content/ archive. Stores backup on server with rotation, optionally downloads locally. Use before any destructive operation or on a maintenance schedule.

2026-06-15
wp-multisite
network-and-computer-systems-administrators

Run any WP-Arsenal script across all sites in config/sites/. Produces a pass/fail summary table per site. Use for weekly security sweeps, mass updates, or post-incident lateral movement checks across multiple sites.

2026-06-15
wp-restore-core
network-and-computer-systems-administrators

Restore WordPress core files from a clean wordpress.org download. Overwrites core files only — preserves wp-content/ and wp-config.php. Use when core files have been tampered with or corrupted by malware.

2026-06-15
wp-update
network-and-computer-systems-administrators

Check and apply WordPress core and plugin updates via SSH. Verifies site responds after each update. Skips premium/private plugins. Supports check-only mode to see what's outdated without applying changes.

2026-06-15
wp-user-audit
information-security-analysts

WordPress user and role security audit via SSH + MySQL. Detects rogue admins, suspicious usernames, disposable emails, and active sessions. Can delete users, demote roles, and kill all sessions.

2026-06-15
wp-chmod-fix
network-and-computer-systems-administrators

Fix WordPress file and directory permissions via SSH. Sets directories to 755, PHP files to 644, wp-config.php to 600. Detects world-writable files and PHP files with execute bit set. Use after malware cleanup or server misconfiguration.

2026-06-15
wp-attacker-profile
information-security-analysts

Build an attacker IP/identity profile from WordPress forensic data. Extracts IPs from session_tokens, honeypot logs, login monitor alerts. Cross-references with a configurable ISP map or runs whois automatically. Output suitable for police reports and ISP abuse complaints. Works on any WP install.

2026-06-15
wp-forensics
information-security-analysts

Collect forensic evidence from any compromised WordPress site. Preserves malware files, server logs, wp-config (redacted), crontab, processes, DB dumps of critical tables, and session tokens. Creates timestamped tar.gz. Always run before cleanup. Works on any host with SSH access.

2026-06-15
wp-elementor-fix
software-developers

Fix broken Elementor rendering on any WordPress site after malware cleanup, plugin restore, or migration. Bumps elementor_css_version, clears _elementor_css postmeta, removes missing plugins from active_plugins, and clears transients and file cache. Works on any host.

2026-06-15
wp-plugin-restore
software-developers

Restore deleted WordPress plugins from a sibling WP site on the same server (instant copy, no download) or from wordpress.org API. Then optionally reactivates them in the database. Works on any host, any WP installation.

2026-06-15
wp-deep-audit
information-security-analysts

Comprehensive 8-domain WordPress security audit: filesystem, malware signatures, database, wp-config, plugins/themes, server/cron, network/DNS, and logs. Works on any host (IONOS, SiteGround, WP Engine, Kinsta, cPanel, etc.). Produces incident-quality report. Takes 3-8 minutes per site.

2026-06-15
wp-firewall
information-security-analysts

WordPress IP/geo firewall via .htaccess for any Apache-based host. Block attacker IPs, protect wp-login.php with an allowlist, geo-block countries via Cloudflare CF-IPCountry or mod_geoip. Config-driven, never blocks your trusted CIDRs. Not needed on Nginx/WP Engine/Kinsta (use their WAF).

2026-06-15
wp-harden
information-security-analysts

WordPress security hardening: adds security constants to wp-config.php, writes .htaccess protection rules (xmlrpc block, file browser disable, wp-includes protection), blocks PHP in uploads, disables pingbacks.

2026-06-15
wp-scan
information-security-analysts

Fast WordPress malware scan for any site on any host. Detects known shell filenames, PHP in uploads, recently modified PHP, 14 malware signatures (eval/base64, c99, TFM/Nyx, assert, preg_replace/e), and .htaccess anomalies. Runs in under 60 seconds. Use as first triage on any suspect site.

2026-06-15
wp-shell-nuke
information-security-analysts

Remove WordPress malware and shell files. Deletes known-bad filenames, PHP from uploads, rogue plugin directories, and /tmp staging files. Always run --dry-run first. Blocks PHP execution in uploads via .htaccess.

2026-06-15