WordPress Toolkit¶
The WordPress Toolkit provides centralized management for all WordPress installations on the server. It enables installation, updates, security scans, automatic login and much more.
Overview¶
The WordPress Toolkit displays all detected WordPress installations as cards with thumbnail previews:
| Information | Description |
|---|---|
| Domain | Website domain |
| Path | Installation path relative to the document root |
| WordPress Version | Installed WP version |
| PHP Version | PHP version in use |
| SSL | SSL status |
| Auto-Update | Automatic update status |
| Plugins | Count (with update notice) |
| Themes | Count (with update notice) |
Detect WordPress (Scan)¶
The "Scan" button searches all websites for WordPress installations and registers them in the toolkit automatically — version, URL, title and admin user are read via wp-cli.
- After a migration: a scan fills in the details of already-imported WordPress sites without re-migrating.
- Subdirectories: it finds not only the install in the document root but also WordPress in subdirectories (e.g.
/shop,/blog) — each install is registered with its real path. - Installations that no longer exist are marked removed.
Install WordPress¶
- Click Install WordPress
- Fill out the form:
| Field | Required | Description |
|---|---|---|
| Website | Yes | Select the target website |
| Path | No | Subdirectory (empty = root) |
| Title | Yes | Website title |
| Admin User | Yes | WordPress admin login |
| Admin Password | Yes | WordPress admin password |
| Admin Email | Yes | WordPress admin email |
| Language | Yes | Installation language (e.g. de_DE) |
| Database | Automatic | Created automatically |
- Click Install
Note
Each WordPress installation is counted as a full website.
The system automatically performs:
- Download of the latest WordPress version
- Creation of a MariaDB database
- Configuration of
wp-config.php - WordPress installation via WP-CLI
- Security adjustments (file permissions, security keys)
Auto-Login (SSO)¶
- Click the Login button on a WordPress installation
- You are automatically logged in as a WordPress admin
- A temporary authentication token is generated via a WordPress plugin
How it works
Auto-Login uses an automatically installed Must-Use plugin (mu-plugin) and transients for secure token transfer. No password is transmitted via the URL.
Updates¶
Update WordPress Core¶
- When an update is available, an update badge is displayed
- Click Update WordPress
- The update is performed via WP-CLI
Update Plugins¶
- Click on a WordPress installation
- Switch to the Plugins tab
- Plugins with available updates are marked
- Click Update individually or Update All
Update Themes¶
- Switch to the Themes tab
- Themes with available updates are marked
- Click Update
Configure Auto-Updates¶
Each installation has three independent auto-update switches:
| Switch | What is updated |
|---|---|
| Core | The WordPress core |
| Plugins | All installed plugins |
| Themes | All installed themes |
- Click on the Auto-Update setting of an installation
- Enable the desired switches (Core / Plugins / Themes)
- Save
When the updates run: A panel worker applies the enabled updates every 6 hours — plus a few minutes after every panel restart. There is no fixed time of day. Updates run via wp-cli (idempotent: nothing happens if there is nothing to do). Staging clones are skipped.
Requirement
Auto-updates only run while the WordPress Toolkit extension is installed and enabled.
Recommendation
Enable at least Core to promptly close vulnerabilities in the WordPress core. For immediate updates use the Update all button — the worker then only handles whatever is left.
Plugin Management¶
View Plugins¶
The plugin list shows per WordPress installation:
| Column | Description |
|---|---|
| Name | Plugin name |
| Status | Active, Inactive or Must-Use |
| Version | Installed version |
| Update | Available update |
| Risk Info | Known security vulnerabilities and rating |
Install Plugin¶
- Click Install Plugin
- Search for the desired plugin
- Click Install and Activate
Activate / Deactivate Plugin¶
- Use the toggle in the status column
Delete Plugin¶
- Deactivate the plugin
- Click Delete
- Confirm the deletion
Theme Management¶
Similar to plugin management, themes can be:
- Installed (from the WordPress repository)
- Activated
- Updated
- Deleted
Security Scan¶
The security scan checks a WordPress installation for known vulnerabilities:
- Click Security Scan on an installation
- The scan checks:
- WordPress core version against known CVEs
- Plugins against the WPScan vulnerability database
- Themes against known vulnerabilities
-
Active installations and ratings
-
Results show:
- CVSS Score — Severity of the vulnerability
- Fixed in Version — Version containing the fix
- Reference Links — Links to security advisories
Critical Vulnerabilities
Update plugins and themes with known vulnerabilities immediately. Deactivate affected plugins if no update is available.
Database Management¶
Through the WordPress Toolkit you have direct access to:
- phpMyAdmin SSO for the WordPress database
- Database prefix and table list
- Database size
WP-CLI¶
WP-CLI commands can be executed through the panel:
- Select a WordPress installation
- Navigate to the WP-CLI tab
- Enter a WP-CLI command
- The output is displayed in real time
Common Commands¶
| Command | Description |
|---|---|
wp plugin list |
List all plugins |
wp theme list |
List all themes |
wp user list |
List all users |
wp cache flush |
Flush cache |
wp search-replace 'old' 'new' |
Search and replace in the database |
wp db export |
Create database dump |
wp cron event list |
Show scheduled tasks |
Caching¶
WordPress caching options:
| Option | Description |
|---|---|
| OPcache | PHP OPcache for faster PHP execution |
| Redis | Object cache via Redis (if available) |
| Page Cache (FastCGI) | Server-side page cache directly in Nginx — see below |
Page Cache (FastCGI micro-cache)¶
The page cache lets Nginx store finished PHP responses for a short time and serves repeat requests entirely without PHP. For anonymous traffic this massively lowers response times (TTFB) — faster than classic cache plugins because PHP is never started.
Enable: Turn on the Page Cache (FastCGI) switch on the installation in the WordPress Toolkit. It applies to the website including its subdomains.
Automatically bypassed (so a private page is never served to the wrong visitor):
- Logged-in users (
wordpress_logged_in,comment_author,wp-postpasscookies) - WooCommerce — cart, checkout, account (
woocommerce_*cookies) - POST requests,
wp-admin,wp-login.php,xmlrpc.php,wp-cron.php,wp-json - Requests carrying a Joomla/session cookie
TTL: 30 seconds. Front-end changes are visible after 30 s at the latest (immediately for logged-in editors, who bypass the cache).
Check: The X-Enconf-Cache response header shows HIT, MISS or BYPASS.
Multilingual sites: if the site sets a language cookie (e.g. nc_lang, Polylang, WPML), the cache key is split per language — so a German page is never served to an English visitor.
Interaction with the other cache options
- OPcache (PHP bytecode) and Redis (object cache) sit on different layers and complement the page cache — feel free to enable them as well.
- A page-cache plugin (WP Super Cache, W3TC, LiteSpeed Cache) caches the same layer (the whole page) → use only one. The FastCGI cache is faster (serves entirely without PHP), so it's the better choice.
Clone WordPress¶
- Click Clone on an installation
- Select the target website
- The system copies all files and the database
- URLs are automatically updated via
wp search-replace