wordpress-expert

Run diagnostics across multiple saved site profiles sequentially with per-site status lines and a comparison matrix

Build a WordPress site from scratch — blank install, natural language, visual design, or URL clone

Connect to a WordPress site via SSH, local directory, Docker container, or git repository

Run diagnostic suite on a WordPress site with full, security-only, code-only, or performance modes

Full-workflow diagnostic investigation — intake questioning, site reconnaissance, smart skill planning, parallel execution, and findings verification

Start an interactive modification session for a WordPress directory — iterate on changes conversationally with git commits per step and a single versioned zip on completion

View connected sites, sync status, diagnostic health summaries, and manage site profiles

Evaluates WordPress sites against WCAG compliance and data privacy requirements. Use when auditing accessibility, reviewing GDPR compliance, or checking privacy implementations.

Install relevant WP.org plugins, generate AI placeholder content (pages, posts, menus), create placeholder images, and re-export the database for NL builds

Initialize git repository at build root, generate dynamic .gitignore excluding WP core and known components, commit after each build stage with conventional prefixes

Install, activate, and configure the WordPress MCP adapter in a build — copy from vendor/, activate via WP-CLI, re-export the database, write README.md, and update build.json

Session-aware per-step execution engine for /modify — surgical theme edits, WP-CLI content/plugin changes, lazy Docker startup, and versioned output on session completion

Scaffold a blank WordPress installation with Docker MySQL, WP-CLI, SQL export, zip packaging, and build.json manifest

Scrape a URL with Playwright headless browser, check robots.txt and display copyright disclaimer, sanitise all content with AI-generated placeholders, detect dynamic features, and produce a clean HTML/CSS directory for the build-visual FSE pipeline

Generate SETUP.md with priority-ordered plugin configuration and content replacement guidance, and update build.json with NL-specific metadata

Select, install, and activate an FSE block theme from WP.org based on a natural language site description — queries API with full-site-editing tag, evaluates by relevance/popularity/rating, falls back to curated list

Generate a custom FSE block theme from structured HTML/CSS design exports or screenshot images — extracts design tokens, maps HTML to Gutenberg blocks, bundles Google Fonts, and produces an installable theme with custom-{slug} prefix

Reviews WordPress code against WPCS standards, static analysis, architecture patterns, and error handling. Use when analyzing custom themes/plugins, checking coding standards, or reviewing code architecture.

Synthesizes findings from all diagnostic skills into a bullet-point health narrative grouped by domain (Security, Code Quality, Database Health, Performance, Architecture, Infrastructure). Applies the standard A-F grading matrix and produces a "Top 3 issues to fix first" ranked list. MUST run last in the skill sequence — it reads COMBINED_FINDINGS from all preceding skills.

Reviews WordPress architecture for CPT misuse patterns (dead CPTs, data-store abuse via row count gating), hook abuse (excessive callbacks, expensive init hooks, priority conflicts), and caching anti-patterns (missing persistent object cache, permanent transients). CPT checks require WP-CLI; hook and cache checks are static analysis on synced files. Each section self-gates independently.

Performs AI-powered code quality analysis on custom WordPress code (active theme + custom plugins) using a two-pass tiered approach - quick pattern scan for known anti-patterns, followed by deep AI contextual analysis on flagged files.

Checks wp-config.php for critical security misconfigurations (WP_DEBUG enabled, default salts, missing DISALLOW_FILE_EDIT, database credentials in version control)

Checks WordPress core files against official checksums to detect modifications, corruption, or potential compromise

Analyzes WordPress wp-cron scheduled events for health issues including overdue events (>1 hour), duplicate hook registrations, and excessively frequent intervals (<5 minutes). Requires WP-CLI. Self-gates when WP-CLI is unavailable.

Analyzes WordPress wp_options autoload bloat by measuring total autoloaded data size, listing all options above 10KB threshold sorted by size, and attributing each to known plugins via prefix matching. Uses dynamic table prefix via wp db prefix and routes all DB access through WP_CLI_PREFIX.

Analyzes WordPress post revision accumulation by counting total revisions, breaking down counts by parent post type via SQL JOIN, checking the WP_POST_REVISIONS constant for all four possible values (unlimited/true/false/number), computing a post count for per-post averages, and estimating database savings from setting a revision limit of 10. Uses dynamic table prefix via wp db prefix and routes all DB access through WP_CLI_PREFIX.

Detects WordPress transient buildup by counting live and expired transients via direct SQL with UNIX_TIMESTAMP() comparison, measuring total transient storage size, and computing the expired-to-live ratio for severity assessment. Uses dynamic table prefix via wp db prefix and routes all DB access through WP_CLI_PREFIX. Never uses wp transient list --expired (that flag does not exist).

Checks WordPress file permissions via SSH for security misconfigurations — audits wp-config.php, .htaccess, wp-content/uploads/, and debug.log with per-file severity thresholds. SSH-only; skips with explanatory finding for non-SSH sources.

Audits HTTPS/SSL configuration for WordPress sites — checks siteurl/home URL schemes and FORCE_SSL_ADMIN via WP-CLI (when available), and scans all PHP/JS files for hardcoded http:// mixed-content URLs in local codebase.

Scans locally synced WordPress files for suspicious code patterns and potential malware using pattern matching. Detects obfuscation chains, backdoor signatures, suspicious file placements, and dangerous function usage with false positive reduction.

Detects potential N+1 query patterns in custom WordPress theme and plugin PHP code using three confidence tiers (High/Medium/Low). Skips well-known third-party plugins. Provides rewrite suggestions using actual variable names extracted from the code.

Audits WordPress user accounts for security issues (default admin username, excessive administrators, inactive privileged users)

Checks WordPress core, PHP, MySQL/MariaDB, plugin, and theme versions for compatibility issues and available updates via WP-CLI and WordPress.org API. Identifies outdated software that may have known vulnerabilities or compatibility problems.

Integrates WP-CLI Profile command (wp-cli/profile-command package) for runtime performance timing. Shows stage breakdown (bootstrap/main_query/template) and top 5 slowest hooks. When the profile package is not installed, produces itemized Info findings for each skipped check and offers to install.

Structured context gathering before diagnostics — asks about symptoms, timeline, environment, scope, urgency, and prior work to produce a focused investigation plan

Analyzes WordPress performance across database queries, PHP execution, frontend rendering, and caching layers. Use when investigating slow pages, optimizing load times, or reviewing caching strategy.

Identifies and resolves conflicts between WordPress plugins and themes. Use when debugging plugin conflicts, theme switching issues, or JavaScript/CSS collisions.

Compiles diagnostic findings from all diagnostic skills into structured markdown reports with health grades (A-F), executive summaries, categorized findings, and archives them in memory/{site-name}/ with latest.md and archive/ rotation.

Structures diagnostic findings for both technical and non-technical audiences with severity ratings, evidence-based reporting, and action logging. Use when generating reports, communicating findings, or logging diagnostic actions.

Post-diagnostic verification — checks that findings address the original concern, skills ran as planned, and results are internally consistent

Evaluates WordPress codebase against OWASP Top 10 and WP-specific vulnerability patterns. Use when reviewing code security, auditing plugins/themes, or investigating security incidents.

Pre-diagnostic SSH reconnaissance — gathers environment data, recent changes, error logs, and server health to inform diagnostic skill selection and focus areas

Guides WordPress testing strategy including PHPUnit with WP_UnitTestCase, test categories, coverage targets, and test design principles. Use when writing tests, setting up test infrastructure, or reviewing test coverage.

Post-report aggregator that runs after report-generator writes latest.md to classify findings as NEW or RECURRING, patch inline badges, append a resolved-findings list, and persist trend data in memory/{site}/trends.json using a 2-slot scan rotation (current + prior). Never connects to WordPress, runs WP-CLI, or greps code files.

Reviews WordPress architecture patterns including theme structure, plugin design, data modeling, and integration patterns. Use when evaluating custom themes/plugins architecture, data model choices, or integration design.