Description
Maintenance Agent keeps your WordPress sites updated, hardened, and recoverable — so staying current is no longer a risk or a chore. You get a complete maintenance toolkit: careful updates, security hardening, instant rollback, emergency recovery, anti-bot features and Coming Soon page.
Drive it with your own AI assistant, manually, or through the free companion app — which adds the dashboards, manual controls and a specialized agent that runs the whole cycle based on dependencies and site history.
Protect and harden — via wp-admin or remote (FREE)
- 20 hardening and anti-bot features: security headers, HSTS, hide usernames, generic login errors, disable the file editor, force SSL on admin, block xmlrpc, block PHP execution in uploads, block sensitive files, honeypot URLs, bad-bot blocklist, directory listing off — and more. Each with a plain-English helper, all off by default.
- Login gate: protect your login with a PIN page that stops login-hammering bots before WordPress even boots (saves server resources).
- Every
.htaccesschange backed up automatically first, restorable in one click — plus an FTP kill-switch. - Animated Coming Soon page and maintenance mode, configurable and SEO-aware.
Careful maintenance toolset — for agents and custom integrations (FREE)
- Works with any MCP-capable AI assistant, your scripts, or CI. Registered with the WordPress Abilities API (WP 6.9+), standard Application Password auth.
- Full site stack and health reports: versions, every plugin and theme, update availability, recent errors.
- A lightweight health signal, readable any time: database reachable, recent fatals, free disk space, stalled cron, auto-disabled plugins, active cache layer.
- Point-in-time snapshot of every plugin, theme, core, and the database — taken before anything is touched.
- The building blocks for careful, one-at-a-time updates: update a single item, flush caches, run a health check — sequenced by whatever drives it (the app’s agent, your script, or your AI assistant).
- Install, activate, deactivate, or remove any plugin or theme.
- Per-item restore: roll back only what broke — no full-site backup restore needed.
- Optional backup-plugin trigger (UpdraftPlus, BackWPup), cache flush, error-log tail.
There is no AI inside the plugin itself — it is a deterministic toolkit. Intelligence lives in whatever you connect to it.
Dashboards and a specialized agent — via the companion app (FREE TIER)
- The free plan is real and permanent (no credit card, no trial clock): one agent audit, 5 agent maintenance runs, 1 archived restore point, maintenance dashboards.
- Specialized agent with memory that runs the whole cycle: snapshot reasoned dependency update order verify each step decides rollback if something breaks reports.
- Dashboard with stack overview, health, pending updates, status, theme/plugin installer, and more.
- Narrated, read-only first scan — see what the agent thinks of your site before anything is ever changed.
- Live run view (watch the agent do maintenance work), run history and reports, a Time Machine restore point, per-site notes.
More sites, scheduling, and monitoring — paid plans (optional)
The free plan runs the full agent and dashboards within a small monthly allowance. Paid plans lift the limits and add what matters once you manage more than one site:
- From a single site to a whole portfolio — more sites, more runs.
- Scheduling: a weekly maintenance rhythm per site, run unattended, reported back.
- Uptime, SSL and domain monitoring — external checks enriched with insider context (it knows which run touched the site and what changed).
- Cross-site installer: install, update, or harden plugins and themes across the whole fleet in one pass.
- Fleet-wide hardening — the security toolkit applied to many sites at once.
- Longer restore-point history, client reports under your agency branding, per-client routing.
Pricing and the full comparison are on the website. The plugin never requires a paid plan — or any plan.
Why Maintenance Agent?
Updates should be careful, observable, and reversible. Most tools update everything at once and hope; this one is built the other way.
- It reasons before it acts: reads your stack, plans a dependency-aware order, updates one item at a time, verifies each step — then decides, per failure, whether to retry, skip, roll back, or stop.
- Everything is reversible: a snapshot before anything is touched, per-item rollback, and an emergency companion that recovers a site even when the site itself won’t boot.
- Drive it your way: click it in the dashboard, ask the in-app assistant, or run it from your own AI assistant over MCP — the same safe operations, three ways in.
- Your data stays in the EU: hosted in Germany, GDPR-aligned with a data-processing agreement, credentials encrypted at rest, and onboarding that never asks for your admin password.
Full features, screenshots, and pricing: https://kreiswolke.com/wp-maintenance-agent/
External services
1. The Kreiswolke companion app (optional, opt-in only)
The plugin contacts the companion app only if you explicitly connect your site (a “Connect” action in the plugin’s settings). Without connecting, the plugin sends nothing anywhere.
When you connect:
- The connection is established through a consent screen on the app. During pairing, the site URL and cryptographic public keys are exchanged, and a standard WordPress Application Password is created for the app — after you accept the terms on the consent screen.
- A connected app can then read the site reports described above and perform the maintenance operations you authorize (updates, rollback, hardening configuration), authenticated by that Application Password plus a per-site request signature.
- The plugin itself initiates only one outgoing call: if the plugin is disconnected, deactivated with disconnect, or deleted, it sends a short, best-effort notification to the app — containing the event name, the site URL, and the pairing identifier — so the app stops treating the site as managed. No other data is in that call.
- You can disconnect at any time from the plugin’s settings; uninstalling removes the credentials on the site (and revokes the Application Password).
Service provider: Kreiswolke
Terms of service: https://kreiswolke.com/terms/
Privacy policy: https://kreiswolke.com/privacy-policy/
2. api.wordpress.org
Site stack reports enrich plugin information (latest version, last-updated date, requirements) through WordPress core’s own plugins_api() — the same wordpress.org API your site already uses for the update screen.
3. Requests to your own site
Several features fetch a URL on your own site (never a third party): the post-update health check (pinned to your site’s address), the webserver-detection probe, the login-gate self-test, and a one-time compatibility probe before writing an ErrorDocument rule. These are loopback self-checks, listed here so they are not mistaken for external calls.
Screenshots






FAQ
Can I use this with my own AI assistant or scripts?
Yes — that’s what it’s designed for. Every capability is a REST endpoint, registered with the WordPress Abilities API (WP 6.9+), so any MCP-capable client you trust — or plain curl — can discover and use them. Authentication is a standard WordPress Application Password; destructive operations are snapshot-first with on-disk verification. The plugin is useful to humans and to whatever tooling you already run.
Does the plugin work without the companion app?
Yes, fully. The app adds orchestration (the maintenance agent, scheduling, multi-site dashboards, reports); the plugin alone gives you the reports, rollback, careful updates, and hardening on a single site.
Does it send my data anywhere?
Not unless you connect it to the companion app, and then only as described under “External services”. There is no telemetry, no tracking, no phone-home.
Why does it install an MU-plugin?
The emergency companion exists for exactly one scenario: a failed update breaks the main plugin (or the site), and you still need the heartbeat, the maintenance splash, and the restore tools to work. A regular plugin can’t promise that — an MU-plugin can. It is written atomically (no half-written file can white-screen a site), updated only on activation/version change, and removed on uninstall.
Why does it write to .htaccess?
Only when you enable an Apache-level hardening feature, and only inside one clearly marked block. The plugin backs up your
.htaccessbefore every change, offers one-click restore, ships a kill-switch (create one file via FTP and all rules turn off), and removes the block fully on deactivation/uninstall. Blocking at the webserver is the point of these features: the request is rejected before PHP starts.What is the login gate, and can it lock me out?
The gate puts a small PIN page in front of
wp-login.php. It was built after watching bots hammer login pages on real servers: every attempt boots PHP, WordPress, and the database — a WordPress-layer rate limiter still pays that cost on each hit. The gate stops those requests at the webserver, before WordPress runs; bot/load protection is the primary purpose, the added login secrecy is a bonus. It is opt-in, requires a PIN before it can be enabled, and is built to fail open: if the plugin is removed by any means, the rule disables itself; a kill-switch file disables it instantly; logout/password-reset URLs are never blocked.Why does the code contain base64, unserialize, and error handlers?
base64 encodes/decodes Ed25519 signature material and HTTP Basic auth — both are binary-to-text transports, not obfuscation; every site is commented. The single
unserialize()reads WordPress’s own Application Passwords usermeta and is hardened withallowed_classes => false. The error handler and shutdown hooks feed the plugin’s own error log and let a restore endpoint return structured JSON even if a fatal occurs; the handler returnsfalseso PHP’s normal error flow is untouched.Does it work on nginx?
Everything except the Apache-level rules, which are detected as not applicable; for each, the plugin shows an equivalent nginx snippet to paste into your server config instead of pretending it worked.
Is there AI in the plugin?
No. The plugin is a deterministic toolkit — predictable, inspectable, no model calls. AI-assisted planning happens in the optional companion app, server-side, only for connected sites.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Kreiswolke Maintenance Agent Toolkit” adalah perisian sumber terbuka. Orang-orang berikut telah menyumbang kepada pemalam ini.
PenyumbangTranslate “Kreiswolke Maintenance Agent Toolkit” into your language.
Berminat dalam pembangunan?
Layari kod, periksa repositori SVN, atau langgani log pembangunan dengan RSS.
Changelog
1.0.0
- Initial public release.
- Pre-update snapshot and per-item rollback for plugins, themes, core, and the database, with an archive of recent runs.
- Security and anti-bot hardening toolkit — security headers, xmlrpc / sensitive-file / author-enum protection, block PHP execution in uploads, optional PIN login gate — with automatic .htaccess backups and an FTP kill-switch.
- Site stack and health reporting; one-at-a-time updates with per-step health checks; cache flush; error-log tail.
- Animated Coming Soon page and maintenance mode.
- Registered with the WordPress Abilities API (WP 6.9+) so MCP-capable assistants can discover the tools.
- Optional, consent-based pairing with the Kreiswolke companion app for orchestrated multi-site maintenance.
