Skip to content

WordPress Toolkit

The WordPress Toolkit provides centralized management for all WordPress installations on the server. It enables installation, updates, security scans, automatic login and much more.


Overview

The WordPress Toolkit displays all detected WordPress installations as cards with thumbnail previews:

Information Description
Domain Website domain
Path Installation path relative to the document root
WordPress Version Installed WP version
PHP Version PHP version in use
SSL SSL status
Auto-Update Automatic update status
Plugins Count (with update notice)
Themes Count (with update notice)

Detect WordPress (Scan)

The "Scan" button searches all websites for WordPress installations and registers them in the toolkit automatically — version, URL, title and admin user are read via wp-cli.

  • After a migration: a scan fills in the details of already-imported WordPress sites without re-migrating.
  • Subdirectories: it finds not only the install in the document root but also WordPress in subdirectories (e.g. /shop, /blog) — each install is registered with its real path.
  • Installations that no longer exist are marked removed.

Install WordPress

  1. Click Install WordPress
  2. Fill out the form:
Field Required Description
Website Yes Select the target website
Path No Subdirectory (empty = root)
Title Yes Website title
Admin User Yes WordPress admin login
Admin Password Yes WordPress admin password
Admin Email Yes WordPress admin email
Language Yes Installation language (e.g. de_DE)
Database Automatic Created automatically
  1. Click Install

Note

Each WordPress installation is counted as a full website.

The system automatically performs:

  • Download of the latest WordPress version
  • Creation of a MariaDB database
  • Configuration of wp-config.php
  • WordPress installation via WP-CLI
  • Security adjustments (file permissions, security keys)

Auto-Login (SSO)

  1. Click the Login button on a WordPress installation
  2. You are automatically logged in as a WordPress admin
  3. A temporary authentication token is generated via a WordPress plugin

How it works

Auto-Login uses an automatically installed Must-Use plugin (mu-plugin) and transients for secure token transfer. No password is transmitted via the URL.


Updates

Update WordPress Core

  1. When an update is available, an update badge is displayed
  2. Click Update WordPress
  3. The update is performed via WP-CLI

Update Plugins

  1. Click on a WordPress installation
  2. Switch to the Plugins tab
  3. Plugins with available updates are marked
  4. Click Update individually or Update All

Update Themes

  1. Switch to the Themes tab
  2. Themes with available updates are marked
  3. Click Update

Configure Auto-Updates

Each installation has three independent auto-update switches:

Switch What is updated
Core The WordPress core
Plugins All installed plugins
Themes All installed themes
  1. Click on the Auto-Update setting of an installation
  2. Enable the desired switches (Core / Plugins / Themes)
  3. Save

When the updates run: A panel worker applies the enabled updates every 6 hours — plus a few minutes after every panel restart. There is no fixed time of day. Updates run via wp-cli (idempotent: nothing happens if there is nothing to do). Staging clones are skipped.

Requirement

Auto-updates only run while the WordPress Toolkit extension is installed and enabled.

Recommendation

Enable at least Core to promptly close vulnerabilities in the WordPress core. For immediate updates use the Update all button — the worker then only handles whatever is left.


Plugin Management

View Plugins

The plugin list shows per WordPress installation:

Column Description
Name Plugin name
Status Active, Inactive or Must-Use
Version Installed version
Update Available update
Risk Info Known security vulnerabilities and rating

Install Plugin

  1. Click Install Plugin
  2. Search for the desired plugin
  3. Click Install and Activate

Activate / Deactivate Plugin

  • Use the toggle in the status column

Delete Plugin

  1. Deactivate the plugin
  2. Click Delete
  3. Confirm the deletion

Theme Management

Similar to plugin management, themes can be:

  • Installed (from the WordPress repository)
  • Activated
  • Updated
  • Deleted

Security Scan

The security scan checks a WordPress installation for known vulnerabilities:

  1. Click Security Scan on an installation
  2. The scan checks:
  3. WordPress core version against known CVEs
  4. Plugins against the WPScan vulnerability database
  5. Themes against known vulnerabilities
  6. Active installations and ratings

  7. Results show:

  8. CVSS Score — Severity of the vulnerability
  9. Fixed in Version — Version containing the fix
  10. Reference Links — Links to security advisories

Critical Vulnerabilities

Update plugins and themes with known vulnerabilities immediately. Deactivate affected plugins if no update is available.


Database Management

Through the WordPress Toolkit you have direct access to:

  • phpMyAdmin SSO for the WordPress database
  • Database prefix and table list
  • Database size

WP-CLI

WP-CLI commands can be executed through the panel:

  1. Select a WordPress installation
  2. Navigate to the WP-CLI tab
  3. Enter a WP-CLI command
  4. The output is displayed in real time

Common Commands

Command Description
wp plugin list List all plugins
wp theme list List all themes
wp user list List all users
wp cache flush Flush cache
wp search-replace 'old' 'new' Search and replace in the database
wp db export Create database dump
wp cron event list Show scheduled tasks

Caching

WordPress caching options:

Option Description
OPcache PHP OPcache for faster PHP execution
Redis Object cache via Redis (if available)
Page Cache (FastCGI) Server-side page cache directly in Nginx — see below

Page Cache (FastCGI micro-cache)

The page cache lets Nginx store finished PHP responses for a short time and serves repeat requests entirely without PHP. For anonymous traffic this massively lowers response times (TTFB) — faster than classic cache plugins because PHP is never started.

Enable: Turn on the Page Cache (FastCGI) switch on the installation in the WordPress Toolkit. It applies to the website including its subdomains.

Automatically bypassed (so a private page is never served to the wrong visitor):

  • Logged-in users (wordpress_logged_in, comment_author, wp-postpass cookies)
  • WooCommerce — cart, checkout, account (woocommerce_* cookies)
  • POST requests, wp-admin, wp-login.php, xmlrpc.php, wp-cron.php, wp-json
  • Requests carrying a Joomla/session cookie

TTL: 30 seconds. Front-end changes are visible after 30 s at the latest (immediately for logged-in editors, who bypass the cache).

Check: The X-Enconf-Cache response header shows HIT, MISS or BYPASS.

Multilingual sites: if the site sets a language cookie (e.g. nc_lang, Polylang, WPML), the cache key is split per language — so a German page is never served to an English visitor.

Interaction with the other cache options

  • OPcache (PHP bytecode) and Redis (object cache) sit on different layers and complement the page cache — feel free to enable them as well.
  • A page-cache plugin (WP Super Cache, W3TC, LiteSpeed Cache) caches the same layer (the whole page) → use only one. The FastCGI cache is faster (serves entirely without PHP), so it's the better choice.

Clone WordPress

  1. Click Clone on an installation
  2. Select the target website
  3. The system copies all files and the database
  4. URLs are automatically updated via wp search-replace