with one click
wp-arsenal
wp-arsenal contains 30 collected skills from rahlplx, with repository-level occupation coverage and site-owned skill detail pages.
Skills in this repository
Deploy a theme, plugin, or wp-content subset to a WordPress server from a CI/CD pipeline, with automatic pre-deploy backup, post-deploy health check, and automatic rollback on failure. Designed for GitHub Actions, GitLab CI, or any pipeline that can run Python.
Security and integrity audit for WooCommerce stores. Checks REST API key scope, payment gateway exposure, webhook HTTPS enforcement, suspicious $0 orders, exposed wc-logs (PII/payment data), and coupon abuse.
Scaffold and deploy a WordPress child theme via SSH. Generates style.css, functions.php (with correct parent style enqueueing), and index.php. Supports Kadence, Astra, GeneratePress, Hello Elementor, OceanWP, and any custom parent. Can activate the child theme immediately after creation.
Safely switch WordPress themes via SSH with automatic rollback if the site goes down. Records the previous theme for instant rollback. Verifies HTTP 200 before and after the switch.
Security audit of WordPress themes via SSH. Scans for PHP malware patterns, injected scripts, recently modified files, and unexpected file types. Also checks DB for customizer injections and Elementor postmeta payloads. Use after any attack or before going live with a new/inherited theme.
Comprehensive guide to building, maintaining, and recovering Elementor-based WordPress sites. Covers the CSS pipeline, global styles (Kit), common post-attack failures and fixes, Pro vs Free features, and integration with Kadence and Hello Elementor themes.
Comprehensive guide to building and recovering Kadence-based WordPress sites. Covers global styles, Kadence Blocks, Header/Footer builder, template library, child theme best practices, and post-attack recovery sequences.
Security audit for WordPress Multisite Network installations. Lists all sub-sites, detects super-admins, checks network-activated plugins vs filesystem, flags spam/deleted sites, reviews registration settings, and checks dangerous upload filetypes at the network level.
MU-plugin that restricts wp-login.php and wp-admin/ to trusted IP ranges at the PHP level. Belt-and-suspenders alongside .htaccess whitelisting. Has a safety valve: if no trusted CIDRs are configured, all IPs are allowed (so you can't lock yourself out).
MU-plugin that rate-limits WordPress login attempts — no plugin required. After N failed logins from the same IP within a rolling window, locks out that IP for a configurable duration and sends an email alert.
MU-plugin that adds HTTP security headers to every WordPress response: X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, Permissions-Policy, and optional Content-Security-Policy. Also removes WordPress version fingerprinting from HTML head.
MU-plugin that completely disables WordPress XML-RPC at the PHP level. Belt-and-suspenders alongside .htaccess blocking. Also removes pingback headers and self-pingbacks. Do not use if you run Jetpack.
Send a weekly multi-site security digest email aggregating all scan results. Reads JSON logs from wp-multisite sweeps, groups findings by site, and emails a colour-coded HTML digest with one-click attention flags. Use for agency weekly reporting or personal multi-site monitoring.
Generate self-contained HTML or plain-text audit reports from WP-Arsenal JSON output. Combines results from multiple scripts into one colour-coded report. Use after any audit run to produce a shareable deliverable for clients or records.
WordPress database security audit via SSH + MySQL. Detects injected scripts, rogue admin users, plugin-filesystem mismatches, Rank Math redirect abuse, WP-cron tampering, and rogue option rows. Use early in incident response before any cleanup.
Full WordPress site backup via SSH — database dump + wp-content/ archive. Stores backup on server with rotation, optionally downloads locally. Use before any destructive operation or on a maintenance schedule.
Run any WP-Arsenal script across all sites in config/sites/. Produces a pass/fail summary table per site. Use for weekly security sweeps, mass updates, or post-incident lateral movement checks across multiple sites.
Restore WordPress core files from a clean wordpress.org download. Overwrites core files only — preserves wp-content/ and wp-config.php. Use when core files have been tampered with or corrupted by malware.
Check and apply WordPress core and plugin updates via SSH. Verifies site responds after each update. Skips premium/private plugins. Supports check-only mode to see what's outdated without applying changes.
WordPress user and role security audit via SSH + MySQL. Detects rogue admins, suspicious usernames, disposable emails, and active sessions. Can delete users, demote roles, and kill all sessions.
Fix WordPress file and directory permissions via SSH. Sets directories to 755, PHP files to 644, wp-config.php to 600. Detects world-writable files and PHP files with execute bit set. Use after malware cleanup or server misconfiguration.
Build an attacker IP/identity profile from WordPress forensic data. Extracts IPs from session_tokens, honeypot logs, login monitor alerts. Cross-references with a configurable ISP map or runs whois automatically. Output suitable for police reports and ISP abuse complaints. Works on any WP install.
Collect forensic evidence from any compromised WordPress site. Preserves malware files, server logs, wp-config (redacted), crontab, processes, DB dumps of critical tables, and session tokens. Creates timestamped tar.gz. Always run before cleanup. Works on any host with SSH access.
Fix broken Elementor rendering on any WordPress site after malware cleanup, plugin restore, or migration. Bumps elementor_css_version, clears _elementor_css postmeta, removes missing plugins from active_plugins, and clears transients and file cache. Works on any host.
Restore deleted WordPress plugins from a sibling WP site on the same server (instant copy, no download) or from wordpress.org API. Then optionally reactivates them in the database. Works on any host, any WP installation.
Comprehensive 8-domain WordPress security audit: filesystem, malware signatures, database, wp-config, plugins/themes, server/cron, network/DNS, and logs. Works on any host (IONOS, SiteGround, WP Engine, Kinsta, cPanel, etc.). Produces incident-quality report. Takes 3-8 minutes per site.
WordPress IP/geo firewall via .htaccess for any Apache-based host. Block attacker IPs, protect wp-login.php with an allowlist, geo-block countries via Cloudflare CF-IPCountry or mod_geoip. Config-driven, never blocks your trusted CIDRs. Not needed on Nginx/WP Engine/Kinsta (use their WAF).
WordPress security hardening: adds security constants to wp-config.php, writes .htaccess protection rules (xmlrpc block, file browser disable, wp-includes protection), blocks PHP in uploads, disables pingbacks.
Fast WordPress malware scan for any site on any host. Detects known shell filenames, PHP in uploads, recently modified PHP, 14 malware signatures (eval/base64, c99, TFM/Nyx, assert, preg_replace/e), and .htaccess anomalies. Runs in under 60 seconds. Use as first triage on any suspect site.
Remove WordPress malware and shell files. Deletes known-bad filenames, PHP from uploads, rogue plugin directories, and /tmp staging files. Always run --dry-run first. Blocks PHP execution in uploads via .htaccess.