claude-plugin-wordpress-manager 1.4.0

package/hooks/hooks.json

@@ -0,0 +1,57 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "mcp__wp-rest-bridge__delete_content|mcp__wp-rest-bridge__delete_media|mcp__wp-rest-bridge__delete_user|mcp__wp-rest-bridge__delete_term",
+        "hooks": [
+          {
+            "type": "prompt",
+            "prompt": "The user is about to DELETE WordPress content. This operation may be irreversible if force=true. Verify the user explicitly requested this deletion and confirm the target (site, content type, ID). If uncertain, respond with 'deny' and ask the user to confirm. Respond with 'approve' only if the deletion was clearly and explicitly requested."
+          }
+        ]
+      },
+      {
+        "matcher": "mcp__wp-rest-bridge__deactivate_plugin",
+        "hooks": [
+          {
+            "type": "prompt",
+            "prompt": "The user is about to DEACTIVATE a WordPress plugin. This could break site functionality if other plugins depend on it. Confirm the user explicitly requested this. Respond 'approve' if intentional, 'deny' if it seems accidental."
+          }
+        ]
+      },
+      {
+        "matcher": "mcp__hostinger-mcp__hosting_importWordpressWebsite",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ${CLAUDE_PLUGIN_ROOT}/hooks/scripts/backup-reminder.sh",
+            "timeout": 5
+          },
+          {
+            "type": "prompt",
+            "prompt": "The user is about to IMPORT a full WordPress site, which will OVERWRITE the existing installation. This is a major destructive operation. Verify the user explicitly requested this and understands the consequences. Respond 'approve' only if clearly intentional."
+          }
+        ]
+      },
+      {
+        "matcher": "mcp__hostinger-mcp__DNS_updateDNSRecordsV1|mcp__hostinger-mcp__DNS_resetDNSRecordsV1",
+        "hooks": [
+          {
+            "type": "prompt",
+            "prompt": "The user is about to MODIFY DNS records. Incorrect DNS changes can make the site unreachable. Confirm the user explicitly requested this change and verify the record details look correct. Respond 'approve' if intentional."
+          }
+        ]
+      },
+      {
+        "matcher": "mcp__hostinger-mcp__hosting_deployWordpressPlugin|mcp__hostinger-mcp__hosting_deployWordpressTheme|mcp__hostinger-mcp__hosting_deployStaticWebsite",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ${CLAUDE_PLUGIN_ROOT}/hooks/scripts/pre-deploy-check.sh",
+            "timeout": 15
+          }
+        ]
+      }
+    ]
+  }
+}

package/hooks/scripts/backup-reminder.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# backup-reminder.sh — Backup reminder hook for destructive operations
+# Prints a warning to stderr reminding the user to backup before major operations.
+# This is an advisory hook (always exits 0) — it doesn't block operations.
+# Called as a PreToolUse command hook for hosting_importWordpressWebsite.
+#
+# Claude Code PreToolUse hooks receive tool input as JSON on stdin.
+# We read the tool name from stdin if jq is available, otherwise fall back.
+
+set -euo pipefail
+
+# Read tool name from stdin JSON (Claude Code passes {"tool_name": "...", "tool_input": {...}})
+TOOL_NAME="unknown"
+if command -v jq &>/dev/null; then
+    INPUT=$(cat)
+    TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null || echo "unknown")
+else
+    # Consume stdin to avoid broken pipe
+    cat > /dev/null
+fi
+
+cat <<MSG >&2
+[wordpress-manager] Reminder: You are about to run '$TOOL_NAME'.
+Consider creating a backup first if you haven't recently:
+  /wordpress-manager:wp-backup create
+MSG
+
+# Advisory only — always allow
+exit 0

package/hooks/scripts/pre-deploy-check.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# pre-deploy-check.sh — Pre-deployment validation hook
+# Ensures the target site is reachable and authenticated before deploy operations.
+# Called as a PreToolUse command hook for deploy-related tools.
+# Exit 0 = allow, Exit 2 = block with message
+
+set -euo pipefail
+
+# Consume stdin (Claude Code sends tool input as JSON on stdin to command hooks)
+cat > /dev/null
+
+# Resolve site URL from WP_SITES_CONFIG
+if [ -z "${WP_SITES_CONFIG:-}" ]; then
+    echo "WARN: WP_SITES_CONFIG not set, cannot validate target site"
+    exit 0  # Allow — can't validate without config
+fi
+
+SITE_URL=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['url'])" 2>/dev/null || echo "")
+CREDS=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; c=json.load(sys.stdin)[0]; print(c['username']+':'+c['password'])" 2>/dev/null || echo "")
+
+if [ -z "$SITE_URL" ]; then
+    exit 0  # Can't determine site, allow operation
+fi
+
+# Check site reachable
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$SITE_URL" 2>/dev/null || echo "000")
+if [ "$HTTP_CODE" = "000" ]; then
+    echo "BLOCKED: Target site $SITE_URL is unreachable (connection timeout). Deploy aborted."
+    exit 2
+fi
+
+# Check REST API
+API_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$SITE_URL/wp-json/wp/v2/" 2>/dev/null || echo "000")
+if [ "$API_CODE" != "200" ]; then
+    echo "BLOCKED: WordPress REST API not available at $SITE_URL (HTTP $API_CODE). Deploy aborted."
+    exit 2
+fi
+
+# Check authentication
+if [ -n "$CREDS" ]; then
+    AUTH_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 -u "$CREDS" "$SITE_URL/wp-json/wp/v2/users/me" 2>/dev/null || echo "000")
+    if [ "$AUTH_CODE" != "200" ]; then
+        echo "BLOCKED: Authentication failed for $SITE_URL (HTTP $AUTH_CODE). Check Application Password."
+        exit 2
+    fi
+fi
+
+# All checks passed
+exit 0

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "claude-plugin-wordpress-manager",
+  "version": "1.4.0",
+  "description": "Unified WordPress management and development plugin for Claude Code. Orchestrates Hostinger MCP, WP REST API bridge, and WordPress.com MCP with 18 skills, 5 agents, and security hooks.",
+  "author": {
+    "name": "vinmor",
+    "email": "morreale.v@gmail.com"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "keywords": [
+    "claude-code",
+    "claude-code-plugin",
+    "wordpress",
+    "hostinger",
+    "mcp",
+    "deployment",
+    "cms",
+    "multi-site",
+    "gutenberg",
+    "block-development",
+    "wp-cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/morrealev/wordpress-manager.git"
+  },
+  "homepage": "https://github.com/morrealev/wordpress-manager#readme",
+  "bugs": {
+    "url": "https://github.com/morrealev/wordpress-manager/issues"
+  },
+  "files": [
+    ".claude-plugin/",
+    ".mcp.json",
+    "agents/",
+    "commands/",
+    "skills/",
+    "hooks/",
+    "scripts/",
+    "servers/wp-rest-bridge/build/",
+    "servers/wp-rest-bridge/package.json",
+    "docs/",
+    "LICENSE",
+    "CHANGELOG.md",
+    "README.md"
+  ]
+}

package/scripts/health-check.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# health-check.sh — WordPress site health check
+# Tests REST API reachability, authentication, SSL validity, and Hostinger API status.
+# Usage: ./health-check.sh [site-url] [username:app-password]
+#        ./health-check.sh  (uses WP_SITES_CONFIG env var)
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+pass() { echo -e "  ${GREEN}PASS${NC} $1"; }
+fail() { echo -e "  ${RED}FAIL${NC} $1"; }
+warn() { echo -e "  ${YELLOW}WARN${NC} $1"; }
+
+# Resolve site config
+if [ $# -ge 1 ]; then
+    SITE_URL="$1"
+    # Ensure URL has https:// prefix
+    if [[ ! "$SITE_URL" =~ ^https?:// ]]; then
+        SITE_URL="https://$SITE_URL"
+    fi
+    CREDS="${2:-}"
+elif [ -n "${WP_SITES_CONFIG:-}" ]; then
+    SITE_URL=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['url'])" 2>/dev/null)
+    CREDS=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; c=json.load(sys.stdin)[0]; print(c['username']+':'+c['password'])" 2>/dev/null)
+else
+    echo "Usage: $0 [site-url] [username:app-password]"
+    echo "  Or set WP_SITES_CONFIG environment variable"
+    exit 1
+fi
+
+echo "=== WordPress Health Check ==="
+echo "Site: $SITE_URL"
+echo ""
+
+# 1. HTTP reachability
+echo "[1/5] Site Reachability"
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$SITE_URL" 2>/dev/null || echo "000")
+if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "301" ] || [ "$HTTP_CODE" = "302" ]; then
+    pass "Site responds (HTTP $HTTP_CODE)"
+elif [ "$HTTP_CODE" = "000" ]; then
+    fail "Site unreachable (connection timeout/refused)"
+else
+    warn "Site responds with HTTP $HTTP_CODE"
+fi
+
+# 2. SSL Certificate
+echo "[2/5] SSL Certificate"
+SSL_EXPIRY=$(echo | openssl s_client -servername "${SITE_URL#https://}" -connect "${SITE_URL#https://}:443" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
+if [ -n "$SSL_EXPIRY" ]; then
+    EXPIRY_EPOCH=$(date -d "$SSL_EXPIRY" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$SSL_EXPIRY" +%s 2>/dev/null || echo "0")
+    NOW_EPOCH=$(date +%s)
+    DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
+    if [ "$DAYS_LEFT" -gt 30 ]; then
+        pass "SSL valid ($DAYS_LEFT days remaining, expires: $SSL_EXPIRY)"
+    elif [ "$DAYS_LEFT" -gt 0 ]; then
+        warn "SSL expiring soon ($DAYS_LEFT days remaining)"
+    else
+        fail "SSL certificate expired!"
+    fi
+else
+    fail "Could not retrieve SSL certificate"
+fi
+
+# 3. WordPress REST API
+echo "[3/5] WordPress REST API"
+API_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$SITE_URL/wp-json/wp/v2/" 2>/dev/null || echo "000")
+if [ "$API_CODE" = "200" ]; then
+    pass "REST API reachable (HTTP $API_CODE)"
+else
+    fail "REST API not reachable (HTTP $API_CODE)"
+fi
+
+# 4. Authentication
+echo "[4/5] Authentication"
+if [ -n "$CREDS" ]; then
+    AUTH_RESP=$(curl -s --max-time 10 -u "$CREDS" "$SITE_URL/wp-json/wp/v2/users/me" 2>/dev/null)
+    USER_ID=$(echo "$AUTH_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || echo "")
+    if [ -n "$USER_ID" ] && [ "$USER_ID" != "" ]; then
+        USER_NAME=$(echo "$AUTH_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('name','?'))" 2>/dev/null)
+        pass "Authenticated as '$USER_NAME' (ID: $USER_ID)"
+    else
+        ERROR=$(echo "$AUTH_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('message','Unknown error'))" 2>/dev/null || echo "Parse error")
+        fail "Authentication failed: $ERROR"
+    fi
+else
+    warn "No credentials provided, skipping auth test"
+fi
+
+# 5. Hostinger API (if token available)
+echo "[5/5] Hostinger API"
+if [ -n "${HOSTINGER_API_TOKEN:-}" ]; then
+    HAPI_RESP=$(curl -s --max-time 10 -H "Authorization: Bearer $HOSTINGER_API_TOKEN" "https://developers.hostinger.com/api/hosting/v1/websites" 2>/dev/null)
+    HAPI_CODE=$(echo "$HAPI_RESP" | python3 -c "import json,sys; d=json.load(sys.stdin); print(len(d.get('data',d)) if isinstance(d,dict) and 'message' not in d else d.get('message','error'))" 2>/dev/null || echo "error")
+    if [[ "$HAPI_CODE" =~ ^[0-9]+$ ]]; then
+        pass "Hostinger API reachable ($HAPI_CODE sites found)"
+    elif [ "$HAPI_CODE" = "Unauthenticated." ]; then
+        fail "Hostinger API: Unauthenticated (token invalid or expired)"
+    else
+        warn "Hostinger API: HTTP $HAPI_CODE"
+    fi
+else
+    warn "HOSTINGER_API_TOKEN not set, skipping Hostinger check"
+fi
+
+echo ""
+echo "=== Health Check Complete ==="

package/scripts/validate-wp-operation.sh

@@ -0,0 +1,115 @@
+#!/bin/bash
+# validate-wp-operation.sh — Pre-flight validation for WordPress operations
+# Checks that a site is reachable and authenticated before proceeding.
+# Returns exit code 0 (safe to proceed) or 1 (abort).
+# Usage: ./validate-wp-operation.sh <operation> [site-url]
+#
+# Operations: deploy, delete, import, dns-change, plugin-deactivate, backup, migrate
+# Used by command-type hooks and manual pre-flight checks.
+
+set -euo pipefail
+
+OPERATION="${1:-unknown}"
+SITE_URL="${2:-}"
+
+# Resolve site URL from config if not provided
+if [ -z "$SITE_URL" ] && [ -n "${WP_SITES_CONFIG:-}" ]; then
+    SITE_URL=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['url'])" 2>/dev/null || echo "")
+fi
+
+if [ -z "$SITE_URL" ]; then
+    echo "ERROR: No site URL provided and WP_SITES_CONFIG not set"
+    exit 1
+fi
+
+ERRORS=0
+
+check() {
+    local label="$1"
+    local result="$2"
+    if [ "$result" = "ok" ]; then
+        echo "  [OK] $label"
+    else
+        echo "  [FAIL] $label: $result"
+        ERRORS=$((ERRORS + 1))
+    fi
+}
+
+echo "Pre-flight check: $OPERATION on $SITE_URL"
+echo "---"
+
+# Always check: site reachable
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$SITE_URL" 2>/dev/null || echo "000")
+if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "301" ] || [ "$HTTP_CODE" = "302" ]; then
+    check "Site reachable" "ok"
+else
+    check "Site reachable" "HTTP $HTTP_CODE"
+fi
+
+# Always check: REST API available
+API_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$SITE_URL/wp-json/wp/v2/" 2>/dev/null || echo "000")
+if [ "$API_CODE" = "200" ]; then
+    check "REST API available" "ok"
+else
+    check "REST API available" "HTTP $API_CODE"
+fi
+
+# Operation-specific checks
+case "$OPERATION" in
+    deploy|import|migrate)
+        # Check authentication (needed for write operations)
+        if [ -n "${WP_SITES_CONFIG:-}" ]; then
+            CREDS=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; c=json.load(sys.stdin)[0]; print(c['username']+':'+c['password'])" 2>/dev/null || echo "")
+            if [ -n "$CREDS" ]; then
+                AUTH_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 -u "$CREDS" "$SITE_URL/wp-json/wp/v2/users/me" 2>/dev/null || echo "000")
+                if [ "$AUTH_CODE" = "200" ]; then
+                    check "Authentication" "ok"
+                else
+                    check "Authentication" "HTTP $AUTH_CODE"
+                fi
+            else
+                check "Authentication" "Could not parse credentials"
+            fi
+        else
+            check "Authentication" "WP_SITES_CONFIG not set"
+        fi
+        ;;
+    dns-change)
+        # Check Hostinger API
+        if [ -n "${HOSTINGER_API_TOKEN:-}" ]; then
+            HAPI_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 -H "Authorization: Bearer $HOSTINGER_API_TOKEN" "https://api.hostinger.com/api/dns/v1/zones" 2>/dev/null || echo "000")
+            if [ "$HAPI_CODE" = "200" ]; then
+                check "Hostinger API" "ok"
+            elif [ "$HAPI_CODE" = "530" ]; then
+                check "Hostinger API" "Site Frozen (HTTP 530)"
+            else
+                check "Hostinger API" "HTTP $HAPI_CODE"
+            fi
+        else
+            check "Hostinger API" "HOSTINGER_API_TOKEN not set"
+        fi
+        ;;
+    delete|plugin-deactivate)
+        # Lighter check — just confirm auth works
+        if [ -n "${WP_SITES_CONFIG:-}" ]; then
+            CREDS=$(echo "$WP_SITES_CONFIG" | python3 -c "import json,sys; c=json.load(sys.stdin)[0]; print(c['username']+':'+c['password'])" 2>/dev/null || echo "")
+            if [ -n "$CREDS" ]; then
+                AUTH_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 -u "$CREDS" "$SITE_URL/wp-json/wp/v2/users/me" 2>/dev/null || echo "000")
+                if [ "$AUTH_CODE" = "200" ]; then
+                    check "Authentication" "ok"
+                else
+                    check "Authentication" "HTTP $AUTH_CODE"
+                fi
+            fi
+        fi
+        ;;
+esac
+
+echo "---"
+if [ "$ERRORS" -gt 0 ]; then
+    echo "RESULT: $ERRORS check(s) failed — operation NOT safe to proceed"
+    exit 1
+else
+    echo "RESULT: All checks passed — safe to proceed"
+    exit 0
+fi

package/servers/wp-rest-bridge/build/server.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/servers/wp-rest-bridge/build/server.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+// src/server.ts - WP REST Bridge MCP Server (multi-site)
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { allTools, toolHandlers } from './tools/index.js';
+import { z } from 'zod';
+const server = new McpServer({
+    name: 'wp-rest-bridge',
+    version: '1.1.0',
+});
+// Register multi-site management tools
+server.tool('switch_site', { site_id: z.string().describe('Site ID to switch to (e.g., "opencactus", "bioinagro")') }, async (args) => {
+    const { switchSite } = await import('./wordpress.js');
+    try {
+        const newSite = switchSite(args.site_id);
+        return { content: [{ type: 'text', text: `Switched to site: ${newSite}` }] };
+    }
+    catch (error) {
+        return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
+    }
+});
+server.tool('list_sites', {}, async () => {
+    const { listSites, getActiveSite } = await import('./wordpress.js');
+    const sites = listSites();
+    const active = getActiveSite();
+    const result = sites.map(s => `${s === active ? '● ' : '  '}${s}`).join('\n');
+    return { content: [{ type: 'text', text: `Configured sites:\n${result}` }] };
+});
+server.tool('get_active_site', {}, async () => {
+    const { getActiveSite } = await import('./wordpress.js');
+    return { content: [{ type: 'text', text: getActiveSite() }] };
+});
+// Register all WordPress content tools from the ported modules
+for (const tool of allTools) {
+    const handler = toolHandlers[tool.name];
+    if (!handler)
+        continue;
+    const wrappedHandler = async (args) => {
+        const result = await handler(args);
+        return {
+            content: result.toolResult.content.map((item) => ({
+                ...item,
+                type: 'text',
+            })),
+            isError: result.toolResult.isError,
+        };
+    };
+    const zodSchema = z.object(tool.inputSchema.properties);
+    server.tool(tool.name, zodSchema.shape, wrappedHandler);
+}
+async function main() {
+    const { logToStderr, initWordPress } = await import('./wordpress.js');
+    logToStderr('Starting WP REST Bridge MCP server...');
+    try {
+        await initWordPress();
+        const transport = new StdioServerTransport();
+        await server.connect(transport);
+        logToStderr('WP REST Bridge MCP server running on stdio');
+    }
+    catch (error) {
+        logToStderr(`Failed to initialize: ${error}`);
+        process.exit(1);
+    }
+}
+process.on('SIGTERM', () => process.exit(0));
+process.on('SIGINT', () => process.exit(0));
+process.on('uncaughtException', (error) => {
+    process.stderr.write(`Uncaught exception: ${error}\n`);
+    process.exit(1);
+});
+main().catch((error) => {
+    process.stderr.write(`Startup error: ${error}\n`);
+    process.exit(1);
+});