The WordPress page lets you deploy, manage, and monitor WordPress installations directly from your control panel. You can install WordPress with one click, manage updates and plugins without logging into wp-admin, take snapshots before changes, scan for vulnerabilities, and access your admin panel with passwordless login.
Go to Development > WordPress to get started.
Deploying WordPress#
On the Deploy tab:
- Select your website from the dropdown. The document root fills in automatically.
- Enter a site title (letters, numbers, hyphens, and spaces).
- Enter an admin email address.
- Click Deploy.
The system creates a MySQL database, deploys the latest WordPress version, and configures everything automatically. The status in the installations table changes from “deploying” to “active” when it’s done.
Admin credentials are not sent by email. Once deployment finishes, use the Admin login action to access your WordPress dashboard with passwordless authentication. From there you can set a password if you need one.
If you need a temporary URL before your DNS is ready, use the HUC (Hostney User Content) URL found under your virtual host settings.
Important: The directory must be empty or non-existent. If files already exist in the target folder, deployment will fail.
Scanning for existing installations#
If you installed WordPress manually or through another method, use the Scan tab to register it with the control panel:
- Select your website.
- Click Scan.
The scanner checks for standard and bootstrapped WordPress structures, detects the version, and registers the installation. Once scanned, all management features become available.
No WordPress plugins are required for this integration. Make sure your
wp-config.php
has the correct
WP_SITEURL
and
WP_HOME
values. After scanning, you can find the exact code snippet under the installation’s Integration action.
Installations table#
The main table shows all your WordPress installations with:
- Website – The domain name
- Version – The installed WordPress version
- Security – A vulnerability count badge (if any vulnerabilities are detected)
- Status – Color-coded badge:
- Active (green) – Running normally
- Deploying (blue) – Installation in progress
- Scanning (blue) – Auto-detection in progress
- Updating (blue) – Updates being applied
- Failed (red) – Deployment failed (click to see the error)
- Suspended (gray) – Account suspended
Actions in the dropdown menu:
- Visit site – Opens your website
- Admin login – Creates a secure one-time login session
- Manage – Opens the full management dashboard
- Unregister – Removes the installation from the control panel (does not delete files or databases)
- View error / Remove – Available for failed deployments
Managing a WordPress installation#
Click Manage on any active installation to open the management dashboard. It has eight tabs.
Updates tab
The top of the page shows overview cards with the count of pending updates and the status of each auto-update category.
Auto-update settings
Configure how WordPress handles updates automatically:
- Minor core updates – Security patches and minor releases. Enable or disable, with an optional delay of 0-7 days.
- Major core updates – Version upgrades (e.g., 6.4 to 6.5). Enable or disable, with an optional delay of 0-7 days.
- Plugin updates – All plugin updates. Enable or disable, with an optional delay of 0-7 days.
- Theme updates – All theme updates. Enable or disable, with an optional delay of 0-7 days.
- Update window – Optionally restrict updates to a specific time window (e.g., 22:00 to 06:00). Supports overnight windows that cross midnight.
Click Save to apply your auto-update configuration.
Pending updates list
Each pending update shows the current version, the new version, when it was found, and when it’s scheduled (based on your delay settings). You can:
- Click Update on any individual item to apply it immediately, bypassing the delay.
- Click Update all in the header to queue all eligible updates at once.
Premium plugins that require manual downloads are marked with a “Premium” badge and can’t be auto-updated. Failed updates show a “Failed” badge.
The page auto-refreshes every 30 seconds while updates are in progress.
Plugins tab
Shows all installed plugins in a card grid with overview cards at the top (total, active, inactive, broken counts).
Each plugin card shows:
- Name and description
- Status badge (Active, Inactive, or Broken)
- Health indicator
- Version and author
- Activate or Deactivate button
Header actions:
- Sync – Refreshes the plugin list from WordPress
- Activate all – Activates every plugin
- Deactivate all – Deactivates every plugin (useful when troubleshooting)
The grid is searchable and sortable by name, status, health, version, or author.
Themes tab
Shows all installed themes with overview cards (total count and active theme name).
Each theme card shows:
- Theme screenshot (or a placeholder)
- Name, description, version, and author
- Active badge on the current theme
- Activate button on inactive themes
Click Sync to refresh the theme list from WordPress.
Search & replace tab
Performs find-and-replace operations across your WordPress database using WP-CLI. Useful for changing URLs after a domain migration or fixing serialized data.
- Enter the search value and replace value.
- Click Start.
The job runs in the background. The right column shows your job history with status (Pending, Processing, Completed, or Failed), the replacement count, and timestamps. Click Clear all to remove the history.
Make sure you have a recent snapshot before running search and replace. Database changes can’t be undone.
Snapshots tab
Snapshots capture the state of your WordPress files and database at a point in time. They’re created automatically before updates and can be created manually.
Click Create snapshot to take a manual snapshot. Each installation can hold up to 3 snapshots.
Each snapshot card shows:
- Creation date and time
- Type (Manual, Automatic, or Pre-update)
- Size and file count
- Status (Completed, Creating, Restoring, Failed, or Timed out)
Actions:
- Restore – Replaces your current WordPress installation with the snapshot data. A warning reminds you that all current files and database content will be overwritten.
- Delete – Permanently removes the snapshot. Type DELETE to confirm.
Snapshots are not full backups. For complete account backups, use the Backups feature.
Staging tab
Coming soon. This tab will let you test theme changes, plugin updates, and content modifications in an isolated environment before pushing to production.
Vulnerabilities tab
Shows security vulnerabilities detected in your WordPress core, plugins, and themes. The system checks daily against the Wordfence Intelligence vulnerability database.
Each vulnerability shows:
- Severity badge (Critical, High, Medium, or Low)
- CVSS score
- CVE ID (linked to the National Vulnerability Database)
- The installed version and the patched version (if a fix is available)
- Update button if a patch exists
- Dismiss button to hide the vulnerability from the active list
Toggle Show dismissed to see vulnerabilities you’ve previously dismissed.
The tab badge in the navigation shows the count of active (non-dismissed) vulnerabilities.
Security tab
Server-level security settings for your WordPress installation:
- SSO-only login – Blocks direct access to wp-login.php. Users must log in through the control panel’s admin login feature. Prevents brute-force attacks against your login page.
- Disable XML-RPC – Blocks the xmlrpc.php endpoint, which is commonly exploited for DDoS amplification and brute-force attacks. Only disable this if you specifically need XML-RPC (some older plugins and the WordPress mobile app use it).
- Block REST API user enumeration – Prevents the /wp-json/wp/v2/users endpoint from exposing your user list. Blocks one of the most common reconnaissance steps in WordPress attacks.
- Block PHP in uploads – Prevents PHP files from being executed in the wp-content/uploads directory. If an attacker manages to upload a malicious PHP file, this setting ensures it can’t run.
These settings are enforced at the server level (nginx), not through WordPress plugins. Changes take 1-2 minutes to apply.
Admin login (SSO)#
The admin login creates a one-time secure session that logs you into WordPress without entering credentials. It works from both the installations table and the management dashboard.
- Click Admin login.
- Click Create session.
- A 60-second countdown starts. Click Open admin before the timer expires.
- WordPress opens in a new tab and you’re logged in automatically.
If the session expires, click Create new session to generate another one.
If you have a HUC (Hostney User Content) URL enabled, you can toggle the option to open the admin through the HUC URL instead of your primary domain. This is useful when your DNS isn’t pointing to Hostney yet.
Unregistering a WordPress installation#
If you want to remove a WordPress site from the control panel’s management system, click Unregister in the dropdown menu. Type UNREGISTER to confirm.
Unregistering removes the installation from the control panel only. Your website files, database, and content are not deleted. The site continues running normally.