KONDORDEVSECURITYCORP/wp-manager

WP Manager

Manage thousands of WordPress sites from a single dashboard

The open-source, self-hosted alternative to ManageWP, MainWP, and InfiniteWP.
Bulk post management, credential validation, AI content generation -- all under your control.


If this project helps you, consider giving it a star -- it helps others discover it.


Features · Quick Start · How It Works · Security · Español


Why WP Manager?

Managing WordPress sites at scale is painful. You either pay for SaaS tools that own your data, or you manually log into each site one by one. WP Manager gives you:

  • Full control -- self-hosted, your server, your data, no third-party dependencies
  • No WordPress plugins required -- connects via REST API, XML-RPC, or wp-login fallback
  • Built for scale -- validated and tested with hundreds of sites simultaneously
  • AI-powered content -- generate articles with OpenAI (50+ models) directly from the dashboard
  • Security-first -- hardened against OWASP Top 10, encrypted credentials, per-user data isolation

Key Features

Site Management

  • Import sites from TXT files (multiple formats)
  • Chunk-based validation with live progress bar
  • Smart duplicate detection (client + server side)
  • Hierarchical folder organization
  • Role and permission detection per site

Content Operations

  • Create posts on multiple sites at once
  • Edit posts inline with connection status
  • Bulk delete posts from WordPress
  • Upload HTML/TXT files as posts
  • Load and edit WordPress pages

AI Content Generation

  • Integration with OpenAI (50+ models)
  • Template management for consistent output
  • Direct publishing to selected sites
  • Batch article generation

Security & Privacy

  • AES-256-CBC encrypted credentials
  • OWASP Top 10 hardened
  • Per-user data isolation
  • Audit trail on all operations
  • Rate limiting on all endpoints

Full module list (11 modules)

| Module | Description |
|---|---|
| Dashboard | Real-time stats: total, valid, failed, pending sites with quick access links |
| Site Checker | Import TXT, chunk-based validation with live progress, duplicate detection, search, export |
| Post Manager | Load posts from WordPress, save to local DB, bulk delete from WP |
| Post Editor | Edit posts inline with connection status indicator and permission badges |
| Post Creator | Create posts on multiple sites simultaneously with results panel |
| Mass Editor | Bulk operations on locally saved posts, export links |
| Content Uploader | Upload HTML/TXT files as posts to multiple sites |
| Page Editor | Load and edit WordPress pages with connection status |
| Article Generator | Generate articles with OpenAI (50+ models, template management) |
| Site Manager | View, import, and delete registered sites |
| Folder Manager | Hierarchical folder tree, move sites, refresh post counts |

Tech Stack

| Layer | Technology |
|---|---|
| Backend | Laravel 13, PHP 8.3+, Eloquent ORM |
| Frontend | Vue 3, Inertia.js 2, TypeScript 5, Heroicons |
| Styling | Tailwind CSS 4 |
| Database | MySQL 8+ |
| AI | OpenAI API (GPT-4o, GPT-4, GPT-3.5, 50+ models) |
| Security | 8 layers (OWASP Top 10 hardened) |

Quick Start

Prerequisites

  • PHP 8.3+ with extensions: pdo_mysql, curl, xml, mbstring, openssl
  • Composer 2
  • Node.js 18+ and npm
  • MySQL 8+

Installation

git clone https://github.com/KONDORDEVSECURITYCORP/wp-manager.git
cd wp-manager
composer install
npm install

cp .env.example .env
php artisan key:generate

Configure your database in .env:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_DATABASE=wp_manager
DB_USERNAME=your_user
DB_PASSWORD=your_password

php artisan migrate
npm run build
php artisan storage:link

# Create your admin account
php artisan tinker --execute="App\Models\User::create([
  'name' => 'Admin',
  'email' => 'admin@wpmanager.com',
  'password' => bcrypt('YourPassword123!'),
  'email_verified_at' => now()
]);"

Run

# Option 1: Single command (recommended)
composer dev

# Option 2: Two terminals
php artisan serve     # Terminal 1
npm run dev           # Terminal 2

Open http://127.0.0.1:8000 and start managing your WordPress sites.

Deploy to Production

bash deploy.sh

Production environment variables:

APP_ENV=production
APP_DEBUG=false
APP_URL=https://your-domain.com
SESSION_ENCRYPT=true
SESSION_SECURE_COOKIE=true
LOG_LEVEL=error

See .env.production.example for the full list.


How It Works

Validation Engine

WP Manager validates credentials using a 3-tier fallback chain for maximum WordPress compatibility:

REST API (/users/me?context=edit)
    |-- success --> roles + capabilities detected
    |-- fail ----v
XML-RPC (wp.getUsersBlogs + wp.getProfile)
    |-- success --> isAdmin + exact role detected
    |-- fail ----v
wp-login.php (form-based login)
    |-- success --> profile page scraping (best effort)
    |-- fail ----> site marked as invalid

Validation runs inline via chunked HTTP requests -- no queue worker needed. For 100 sites: ~2-3 minutes with a real-time progress bar.
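
Seen from a WordPress site's access log, one pass of this chain is a failed REST probe followed by POSTs to XML-RPC and wp-login.php from the same client. The detector below is an added example for site operators, not code from this project; the log lines are constructed, and the 120-second window and the `/xmlrpc.php` path matching are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /wp-json/wp/v2/users/me?context=edit HTTP/1.1" 401 112
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/Mar/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2025:10:00:09 +0000] "GET /wp-json/wp/v2/users/me?context=edit HTTP/1.1" 200 900
192.0.2.44 - - [12/Mar/2025:10:01:00 +0000] "GET /wp-json/wp/v2/users/me?context=edit HTTP/1.1" 401 112
192.0.2.44 - - [12/Mar/2025:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
192.0.2.44 - - [12/Mar/2025:10:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5100
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def stage_of(method, uri, status):  # 0 REST probe, 1 XML-RPC, 2 wp-login, else None
    path = uri.split("?")[0]
    if method == "GET" and path.endswith("/users/me") and "context=edit" in uri:
        return 0 if status != 200 else None   # only a failed probe falls through
    if method == "POST" and path.endswith("/xmlrpc.php"):
        return 1   # method names and faults are in the body, not in the log
    if method == "POST" and path.endswith("/wp-login.php"):
        return 2
    return None

def find_fallback_chains(log_text, window=timedelta(seconds=120)):
    """Return (ip, start, end) for each in-order REST -> XML-RPC -> login run."""
    progress, hits = {}, []   # progress: ip -> (next expected stage, chain start)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stage = stage_of(m["method"], m["uri"], int(m["status"]))
        if stage is None:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        expected, started = progress.pop(ip, (None, None))
        if stage == 0:
            progress[ip] = (1, ts)
        elif stage == expected and ts - started <= window:
            if stage == 2:
                hits.append((ip, started, ts))
            else:
                progress[ip] = (2, started)
    return hits
```

Only 203.0.113.7 is reported: the browser-style login that precedes a successful REST call is out of order, and the third client's requests are too far apart for the default window.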

Supported Import Formats

https://site.com/wp-login.php#username@password
https://site.com#username@password
https://site.com:username:password

Passwords with special characters (@, $, !, (, )) are fully supported.

Role Detection

| Method | What it detects |
|---|---|
| REST API | All roles + full capabilities map (edit_posts, publish_posts, etc.) |
| XML-RPC | isAdmin flag + exact role via wp.getProfile |
| Login | Role from profile page (best effort) |

Detected roles: administrator, editor, author, contributor, subscriber, and custom roles.


Security

Hardened against the OWASP Top 10:

| # | Threat | Protection |
|---|---|---|
| A01 | Broken Access Control | User-scoped queries on all endpoints, ownership verification |
| A02 | Cryptographic Failures | WP passwords: AES-256-CBC, User passwords: bcrypt 12 rounds |
| A03 | Injection | Eloquent ORM parameterized queries, LIKE wildcard escaping |
| A04 | Insecure Design | Model hardening, password policy (min 8, mixed case, HaveIBeenPwned) |
| A05 | Security Misconfiguration | CSP, X-Frame-Options DENY, HSTS, COOP, CORP, Permissions-Policy |
| A06 | Vulnerable Components | npm audit clean (0 vulnerabilities) |
| A07 | Auth Failures | Per-user rate limiting (10-200 req/min), login throttling (5 attempts) |
| A08 | Software Integrity | MIME validation on uploads, DB::prohibitDestructiveCommands in production |
| A09 | Logging Failures | Audit trail on destructive operations with user_id, IP, timestamp |
| A10 | SSRF | Requests scoped to user-registered URLs only |

Additional security measures

  • Input sanitization on all requests including JSON/AJAX (XSS protection)
  • Session: httpOnly, sameSite=lax, encrypted in production
  • CSRF on all POST/PUT/DELETE via Laravel middleware
  • $hidden = ['password'] on WpSite model (never in API responses)
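
The header and session-cookie settings listed above can be checked against a deployed instance. The audit below is an added example, not part of the project; it works on a captured response, and the sample headers, the cookie name `wp_manager_session` and all values are constructed assumptions.

```python
import re

# Headers the README lists under A05, besides X-Frame-Options (checked by value).
REQUIRED = ("Content-Security-Policy", "Strict-Transport-Security",
            "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy",
            "Permissions-Policy")

def audit_response(headers, session_cookie):
    """Return a list of findings for one HTTPS response; empty means it matches."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if not h.get(name.lower())]
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts and (not max_age or int(max_age.group(1)) == 0):
        findings.append("HSTS max-age missing or zero")  # max-age=0 switches HSTS off
    # Cookie attributes follow the first ';' of the Set-Cookie value.
    attrs = {a.strip().lower() for a in session_cookie.split(";")[1:]}
    if "httponly" not in attrs:
        findings.append("session cookie lacks HttpOnly")
    if "secure" not in attrs:
        findings.append("session cookie lacks Secure")   # SESSION_SECURE_COOKIE=true
    if not attrs & {"samesite=lax", "samesite=strict"}:
        findings.append("session cookie lacks SameSite=Lax")
    return findings

# Constructed responses: one matching the README's list, one misconfigured.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
HARDENED_COOKIE = "wp_manager_session=abc123; path=/; secure; httponly; samesite=lax"
WEAK = dict(HARDENED, **{"X-Frame-Options": "SAMEORIGIN",
                         "Strict-Transport-Security": "max-age=0"})
del WEAK["Content-Security-Policy"]
WEAK_COOKIE = "wp_manager_session=abc123; path=/; httponly; samesite=lax"
```

A session cookie without `Secure` is what a production host serves when `SESSION_SECURE_COOKIE` is left unset, so that finding points back at the `.env` file.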

Project Structure

wp-manager/
├── app/
│   ├── Http/
│   │   ├── Controllers/       # 13 controllers (11 modules + auth + profile)
│   │   └── Middleware/        # SecurityHeaders, SanitizeInput, ThrottleByUser
│   ├── Models/                # User, WpSite, Folder, SavedPost
│   ├── Policies/              # WpSitePolicy (authorization)
│   ├── Services/              # WordPressService (REST/XML-RPC/Login)
│   └── Traits/                # LogsActivity (audit trail)
├── resources/js/
│   ├── Components/            # StatusBadge, SmartPagination, etc.
│   ├── Layouts/               # AuthenticatedLayout, GuestLayout
│   └── Pages/                 # 11 module pages + Auth + Profile
├── database/migrations/       # Users, folders, wp_sites, saved_posts
├── deploy.sh                  # One-command production deploy
└── .env.production.example    # Production environment template

Contributing

Contributions are welcome. Please open an issue first to discuss what you would like to change.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

Roadmap

  • Docker / Docker Compose support
  • Plugin and theme management
  • Scheduled post publishing
  • Multi-language AI content generation
  • Webhook notifications
  • API for external integrations
  • User management with team roles

License

Proprietary software by KONDORDEVSECURITYCORP. All rights reserved.


Español

Description

WP Manager is a self-hosted web application for managing multiple WordPress sites at scale. The open-source, self-hosted alternative to ManageWP, MainWP, and InfiniteWP. It validates credentials through a REST API, XML-RPC, and login fallback chain, detects user roles and permissions, and provides tools for bulk post management, AI content generation, and site organization.

All data is isolated per user -- each user sees only their own sites, folders, and posts.

Why WP Manager?

  • Full control -- self-hosted, your server, your data, no third-party dependencies
  • No WordPress plugins -- connects via REST API, XML-RPC, or wp-login
  • Built for scale -- validated and tested with hundreds of sites simultaneously
  • AI content -- generate articles with OpenAI (50+ models) from the dashboard
  • Security first -- OWASP Top 10, encrypted credentials, per-user isolation

Key Features

Site Management

  • Import sites from TXT files
  • Chunk-based validation with live progress
  • Smart duplicate detection
  • Hierarchical folder organization
  • Role and permission detection

Content Operations

  • Create posts on multiple sites at once
  • Edit posts inline with connection status
  • Bulk delete posts
  • Upload HTML/TXT files as posts
  • Load and edit WordPress pages

AI Content Generation

  • Integration with OpenAI (50+ models)
  • Template management
  • Direct publishing to selected sites
  • Batch article generation

Security and Privacy

  • Credentials encrypted with AES-256-CBC
  • OWASP Top 10 hardened
  • Per-user data isolation
  • Audit trail on all operations
  • Rate limiting on all endpoints

Quick Installation

git clone https://github.com/KONDORDEVSECURITYCORP/wp-manager.git
cd wp-manager
composer install && npm install

cp .env.example .env
php artisan key:generate

Configure .env with your MySQL credentials:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_DATABASE=wp_manager
DB_USERNAME=tu_usuario
DB_PASSWORD=tu_contraseña

php artisan migrate
npm run build
php artisan storage:link

# Create the administrator user
php artisan tinker --execute="App\Models\User::create([
  'name' => 'Admin',
  'email' => 'admin@wpmanager.com',
  'password' => bcrypt('TuPassword123!'),
  'email_verified_at' => now()
]);"

Run

# Option 1: Single command (recommended)
composer dev

# Option 2: Two terminals
php artisan serve     # Terminal 1
npm run dev           # Terminal 2

Open http://127.0.0.1:8000

Deploy to Production

bash deploy.sh

Production environment variables:

APP_ENV=production
APP_DEBUG=false
APP_URL=https://tu-dominio.com
SESSION_ENCRYPT=true
SESSION_SECURE_COOKIE=true
LOG_LEVEL=error

See .env.production.example for the full list.

How Validation Works

REST API (/users/me?context=edit)
    |-- success --> roles + capabilities detected
    |-- fail ----v
XML-RPC (wp.getUsersBlogs + wp.getProfile)
    |-- success --> isAdmin + exact role detected
    |-- fail ----v
wp-login.php (form-based login)
    |-- success --> profile page scraping
    |-- fail ----> site marked as invalid

For 100 sites: ~2-3 minutes with a real-time progress bar. No queue worker needed.

Import Formats

https://sitio.com/wp-login.php#usuario@contraseña
https://sitio.com#usuario@contraseña
https://sitio.com:usuario:contraseña

Security (OWASP Top 10)

| # | Threat | Protection |
|---|---|---|
| A01 | Broken Access Control | User-scoped queries, ownership verification |
| A02 | Cryptographic Failures | WP: AES-256-CBC, Users: bcrypt 12 rounds |
| A03 | Injection | Parameterized queries with Eloquent |
| A04 | Insecure Design | Model hardening, robust password policy |
| A05 | Misconfiguration | CSP, HSTS, X-Frame DENY, COOP, CORP |
| A06 | Vulnerable Components | npm audit clean |
| A07 | Authentication Failures | Per-user rate limiting, login throttling |
| A08 | Software Integrity | MIME validation, destructive commands prohibited in prod |
| A09 | Logging Failures | Full audit trail with user_id, IP, timestamp |
| A10 | SSRF | Requests limited to registered URLs |

License

Proprietary software by KONDORDEVSECURITYCORP. All rights reserved.


KONDORDEVSECURITYCORP

If you find this useful, please give it a star. It helps more than you think.

About

Manage thousands of WordPress sites from a single dashboard. Validate credentials, bulk post management, AI content generation. Built with Laravel 13 + Vue 3 + TypeScript.
