Version 1.4.1 released

Gosh darn those pesky bugs.

WP-CLI v1.4.1 fixes a few annoying regressions introduced in v1.4.0:

  • Strips Composer autoload of PHPCS references to prevent PHP notices in Phar build [#4477].
  • plugin status: Colorizes and adds a legend to listed drop-ins to prevent PHP notice [#62].
  • search-replace: Uses $wpdb->remove_placeholder_escape() when exporting in WP 4.8.3 and greater [#43].

Want to help us catch these bugs earlier? Run wp cli update --nightly in your local and staging environments to use the latest and greatest.

Contributors to this release (3 total): danielbachhubergitlost, mullnerz

What do you wish `wp scaffold` could do for you?

wp scaffold * presents a series of commands to help you quickly get up and running with your development project:

  • wp scaffold plugin generates a basic plugin, complete with unit tests.
  • wp scaffold post-type produces a full custom post type, with all of the different arguments you can change.
  • etc.

We’d like to make it even better! To help guide your feedback:

  • What basic code do you find yourself copy and pasting between WordPress projects?
  • Of the existing commands, are there ways you’d like to improve upon them?
  • What boilerplate/scaffolded code do you find most helpful in the other open source projects you use?

Consider this an open thread: we welcome all the ideas you have.

Version 1.4.0 released

Happy release day!

We’re excited to bring you WP-CLI v1.4.0. In just two short months, we’ve merged 308 pull requests from 42 contributors.

New faces

You may have noticed a few new faces around the project. This is our motley crew of committers:

  • Martin (@gitlost) lives in Dublin, Ireland. Check out his work with wp db search and wp search-replace --log (see below).
  • Siddharth (@Sidsector9) resides in Pune, India. His enhancements to wp doctor and wp profile will be available soon in a release near you.
  • Takayuki (@miya0001) is based out of Kyoto, Japan. He’s been making numerous improvements across the entire project; you never know what his next pull request will fix.

They’ve already had an amazing impact on the project. Please pass along your thanks when you have the chance.

Log search-replace transformations

If you’ve ever wanted to see what transformations are taking place with wp search-replace, now you can!

Use wp search-replace --log to display transformations as they happen, or wp search-replace --log=transformations.log to save the transformations to a file [#35, #39]:

$ wp search-replace 'http://' 'https://' --log
| Table      | Column       | Replacements | Type |
| wp_options | option_value | 3            | PHP  |
Success: Made 3 replacements.

It’s even more beautiful in color. Check out this asciicinema video for the full glory.

Note: wp search-replace is much slower when logging transformations, so please use it wisely.

See registered image sizes

Does uploading a new image take forever? You might have too many registered image sizes!

Both themes and plugins make use of add_image_size() [ref] to define names for image sizes they expect to use in templating. For each registered image size with a hard crop, WordPress has to create the cropped version on upload. With dozens of image sizes, uploading an image can take tens of seconds.

Use wp media image-size to see all of the image sizes registered to WordPress [#36, #37, #39, #49]:

$ wp media image-size --format=count

55 is too many!

Everything else in v1.4.0

New and notable

  • wp cli has-command: Detect whether a command is registered [#4349].
  • wp site (mature|unmature|public|unpublic): Manage mature and public status of a site [#63].
  • wp * (pluck|patch): Fetch and modify serialized data in options and meta [#24, #65].
  • wp user (spam|unspam): Mark a user as spam or not spam [#74, #86, #90].

Command improvements

  • comment list:
    • Improves performance of --format=count [#64].
  • core download:
    • Use --skip-content to download WordPress without default themes/plugins (US locale only) [#37, #40, #41].
  • core update:
    • Makes use of halt_on_error to catch error and release lock [#38].
  • db export:
    • Includes Y-m-d in default export file name [#36].
  • db search:
    • Caters for reserved word column/table names [#40].
    • Changes default delimiter to chr(1) [#46].
    • Fixes match in non-regex case [#45].
    • Lessens context duplication by shortening and appending context if it overlaps with the next match [#55].
    • Avoids displaying default delimiter on regex fail in db search [#56].
  • export:
    • Adds --stdout to write WXR to STDOUT [#13].
    • Adds --max_file_size=-1 to avoid splitting export files [#12, #21].
    • Adds --max_num_posts=<num> to limit number of posts in an export file [#15].
  • import:
    • Avoids use of GLOB_BRACE for compatibility with Alpine Linux [#14].
  • media import:
    • Properly handles query strings on image import to prevent security error [#35].
    • Adds --preserve-filetime argument to support persisting file modification time [#42].
  • media regenerate:
    • Skips non-thumbnailed PDFs & other images rather than fail [#48].
  • package browse:
    • Adds deprecation notice [#36].
  • package install:
    • Supports package names that differ from repository names [#31].
  • package (install|uninstall):
    • Only includes Composer return code when it’s set [#40].
  • package uninstall:
    • Removes repository entry when uninstalling [#37].
  • plugin install:
    • Skips renaming ZIPs coming from a GitHub archive release/tag [#45].
  • plugin list:
    • Wraps all uses of get_plugins() with the all_plugins filter [#31].
    • Includes dropins like object-cache.php when listing installed plugins [#55].
  • plugin search:
    • Only displays pagination message when --format=table [#56].
  • scaffold child-theme:
    • Transforms spaces to underscores when scaffolding a child theme [#40].
  • scaffold plugin:
    • Adds package-lock.json, yarn.lock to distignore template [#57].
  • scaffold plugin-tests:
    • Uses $TMPDIR in bin/ to allow temp directory override [#39].
    • Uses latest branch for test library in bin/, and always gets the latest major release when 2 digit WP versions are used [#35].
    • Removes XDebug in scaffolded .travis.yml to improve performance [#49].
    • Improves error message when phpunit is run before bin/ [#55].
    • Shows progress when invoking phpcs [#64].
    • Adds PHP 7.0 and 7.1 to scaffolded GitLab configuration [#68].
  • scaffold (post-type|taxonomy):
    • Enhances pluralization by internalizing Doctrine library [#54, #58, #59].
  • search-replace:
    • Adds esc_sql_ident() function to escape column/table names [#23].
    • Adds --regex-delimiter argument and validation for the --regex-flags argument [#28, #29, #30].
    • Adds --report flag so report can be suppressed with --no-report; --report-changed-only flag option to only report changed fields [#32].
    • Avoids displaying default delimiter on regex failure [#40].
  • site delete:
    • Prevent deleting the root site on multisite, which WordPress core doesn’t permit [#73].
  • user import-csv:
    • Permits importing CSV from STDIN [#100].

Framework enhancements

  • Brings codebase inline with WordPress Coding Standards while narrowly avoiding committer mutiny [#4058].
  • Improves AutoloadSplitter regexes [#4422].
  • Add skips argument to WP_CLI\Utils\report_batch_operation_results() [#4429].
  • Provides dictionary-based suggestions for common misspellings [#4392].
  • Introduces new ‘halt_on_error’ to overload exit in WP_CLI\Utils\http_request() [#4383].
  • When extracting, fails back to tar xz when PharData throws an Exception [#4371].
  • Adds support for running commands over vagrant ssh [#4348].
  • Supports upper- and lowercase ‘Y’ when prompting a flag [#4334].
  • Gives suggestions when exiting early on wp help [#4266, #4303].

Contributors to this release (42 total): aaemnnosttv, AaronRutley, ako80218, anhskohbo, atimmer, BhargavBhandari90, danielbachhuber, desrosj, diggy, domantasg, drzraf, eliseferguson, ethanclevenger91, Flimm, fumikito, GaryJones, gitlost, goldenapples, hearvox, Ippey, javorszky, jdub233, johnbillion, kurudrive, Lewiscowles1986, mimosafa, mitchelldmiller, mitraval192, miya0001, n8finch, nameherocom, nextgenthemes, ryotsun, schlessera, shadyvb, Sidsector9, stevegrunwell, szepeviktor, takezou, Umangvaghela, waviaei, wp-make-coffee

WP Plugin & Theme Checksums Project – Update

The WordPress Plugin & Theme Checksums Project has been kicked off!

Here’s a quick run-down of the current state of affairs:

  • The server side of the development will be managed in, whereas the consuming client code development will be managed in for now.
  • Project collaboration and coordination will happen in a dedicated #cli-checksums channel (not created yet, WIP:
  • It now looks like the most promising approach is to directly build the checksum generation into the existing .org infrastructure, as the code that is generating the ZIP downloads can easily be extended to generate and store the checksums at the same time. @dd32 is currently working on proof-of-concepts to evaluate the best approach for this in
  • The current timeline for following through with the project is:
    • Planning phase: Oct 3 – Oct 24
    • Implementation phase: Oct 25 – Nov 14
    • Integration phase: Nov 15 – Nov 22
  • Several companies have offered to support this project with development time or other help, and are already invested in differing degrees: DreamHostPagely, Plesk, Savvii.

UPDATE (Oct. 17th): We opted to keep project collaboration and coordination in the general #cli channel for now, instead of in a dedicated channel.


Daniel likes these issues

WP-CLI’s next release, v1.4.0, is just around the corner: Tuesday, October 17th. If you’ve contributed to WP-CLI before, here are a few moderately advanced issues I’d love to see fixed in the next release:

Read through the contributing guide for a refresher on the process. Feel free to ask questions on the specific issue, or join us in the #cli channel with any questions you might have.

Good first issues for new contributors

Want to submit your first pull request to WP-CLI? We’ve identified a few good first issues for you to get your feet wet:

  • Link to code review guidelines from PULL_REQUEST_TEMPLATE
    We’ve published code review guidelines that now need to be incorporated into our PULL_REQUEST_TEMPLATE scaffolding. This issue involves a one-line change to a template file.
  • List dropin plugins in wp plugin list
    For those using a db.phpobject-cache.php, or similar, it’d be helpful to display them when running wp plugin list. This issue involves writing a bit of code with Behat functional tests around the behavior.
  • Add pre-built dictionary of “did you mean…” suggestions
    When a user mistypes a command argument, WP-CLI tries to suggest the correct argument. In certain cases, the algorithm needs enhancement from a dictionary of pre-defined corrections. This issue involves reviewing WP-CLI command arguments, writing a bit of code to produce a dictionary around the most sensible corrections, and enhancing our existing PHPUnit tests for the feature.
  • Handle all cases for Utils\wp_version_compare()
    As it turns out, WordPress has some version strings that version_compare() can’t handle. Our existing utility is inadequate for all of the cases, so we should update. This issue involves tracking down all potential version strings, writing a bit of code, and enhancing our existing PHPUnit tests for the feature.
  • Explain why certain tables can be skipped when using wp search-replace
    There are a couple of cases, indicated in the issue, where tables can be skipped or “missed” entirely. This issue involves adding some explanation of these cases to the existing command documentation.

Read through the contributing guide for details on how to get started. Feel free to ask questions on the specific issue, or join us in the #cli channel with any questions you might have.

WordPress Plugin and Theme Checksums Project – Announcement


WP-CLI provides a way for system administrators to verify the integrity of the WordPress core files. Through wp checksum core, you can easily verify that a given installation has not been tampered with. It not only checks whether the correct files are in place, but also that their content has not been changed. This is possible because WordPress provides an official API to check the expected core file checksums at

Having this kind of functionality for plugins and themes as well would be a huge security benefit. It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.

The aim of this project is to extend the checksum verification and its underlying infrastructure so that it can reliably and efficiently check the integrity of plugins and themes as well.

Project Stages

The project will be structured into four stages. Each stage will be followed by a detailed report, containing a summary of the stage’s efforts as well as a clear enumeration of decisions and results.

A. Initiation (← we are here)

During this initial project stage, we raise awareness of the project and discuss it with key stakeholders, sponsors, and volunteers.

We’ll evaluate the alternative approaches with all involved parties to distill the most viable path to a maintainable solution.

Finally, we’ll define a clear scope for the project, and the metrics that define its success. We plan for a working beta version by end of November, so we will want to keep the scope tight for this first iteration.

B. Planning

After we’ve decided on a specific route to follow, we can start planning the details of the solution we want to implement.

This stage will result in a project roadmap with milestones and their respective deliverables. It will also produce a list of requirements, like the provisional budget for infrastructure, the decisions needed or the estimated workload for each milestone.

C. Implementation

After we’ve planned all the technical details and broke down the work involved, we’ll start with building the infrastructure and implementing the client and server software.

The specifics of how this stage will be handled should have been laid out during the planning stage already, so this stage is all about execution and monitoring progress.

D. Integration

During the final project stage, we will move all code and infrastructure to reside under the official domain and complete the integration with the WordPress Core and the WP-CLI tool.

Get Involved!

This project will have a huge impact on the perceived and effective security of WordPress installations. It can greatly reduce the amount of malware-infested sites plaguing the internet, and through the substantial market share of WordPress, improve the general browsing experience for all net citizens.

If you want to get involved, you’d ideally meet the following criteria:

  • You have a vested interest in security and/or system administration in a WordPress context.
  • You can spare a consistent average of ~5+ hours/week (hopefully on your employer’s time).
  • You have experience with one or more of the types of components this project requires.

If this is you, please get in touch with us, either by commenting on this post or by joining the discussion in the following GitHub issue:

We will have a formal kickoff during the next WP-CLI office hours in the #cli channel on October 3rd, 2017 at 16:00 UTC. Feel free to join the discussion and help us get this ball rolling.

Free WP-CLI stickers for your event!

Want to share your love of WP-CLI with your community?

Starting today, you can fill out this form to request stickers (free of charge) to distribute at your WP-CLI-related event (WordCamp, meetup, or otherwise).

Some fine print to be aware of:

  • Requests must be made at least four weeks in advance of the event by an official organizer of the event.
  • Offer is for up to 50 stickers to any geographic region Stickermule can ship to.
  • Stickers must be made available in a public common area and announced at the beginning or end of the WP-CLI session.

Feel free to reach out to danielbachhuber on Slack with any questions. Happy scripting!

X-post: Community Conduct Project – Kick off meeting scheduled for 17:00 UTC on the 5th September 2017

X-comment from Comment on Community Conduct Project – Kick off meeting scheduled for 17:00 UTC on the 5th September 2017

Version 1.3.0 released

Happy release day! After 210 total merged pull requests, we’re excited to bring you WP-CLI v1.3.0.

Install packages with shortened identifiers

Recently, we have been discussing the future of the WP-CLI package index. Our conclusion was to deprecate the existing package index for now and provide a new mechanism for more easily installing external commands that are hosted on GitHub.

As of WP-CLI v1.3.0, whenever you provide a package identifier in the form of <vendor>/<package>, WP-CLI will first check the deprecated package index (for backward compatibility reasons), and then check for a GitHub repository that matches this identifier. This also accepts all version qualifiers/requirements that Composer can parse.


# Install vendor/command from GitHub (uses
$ wp package install vendor/command

# Install version 1.0.5 of vendor/command:
$ wp package install vendor/command:v1.0.5

# Install commit 95ce52b of vendor/command:
$ wp package install vendor/command:dev-master#95ce52b

New commands

Wondering whether a specific string exists in your database? Wonder no more! Use the new wp db search to search through all text columns in your database for your specified string (or regex pattern) [#29, #33]:

# Search through the database for the 'http://' regular expression, printing stats.
$ wp db search 'http:\/\/' --regex --stats
Success: Found 99146 matches in 10.752s (10.559s searching). Searched 12 tables, 53 columns, 1358907 rows. 1 table skipped:

Need easy access to the database prefix for chaining into other commands? Use wp db prefix to print it out [#22]:

$ wp db prefix

Everything else in v1.3.0

Command improvements

  • wp config *:
    • Errors early when no wp-config.php can be found [#22].
  • wp config create:
    • Generates keys/salts locally and use API as fallback [#25].
  • wp config get:
    • Adds --constant=<constant> or --global=<global> to get the value of a specific constant or global [#16].
    • Indicates files included by wp-config.php [#18].
  • wp core (multisite-install|multisite-convert):
    • Use --skip-config to avoid addition of multisite constants to wp-config.php file [#18].
  • wp import:
    • Prevents non-existent directories from ending up in the list of files to import [#8].
  • wp media *:
    • Changes media noun to ‘items’ in most cases, to reflect multi-type nature of media [#18].
  • wp media import:
    • Adds --skip-copy flag to allow import of media from local filesystem without moving on disk [#21].
  • wp package install:
    • Adds support for short package identifiers [#22].
  • wp post term delete:
    • Implements --all flag to remove all terms from a post [#23].
  • wp scaffold *:
    • Creates phpcs.xml.dist instead of custom-named phpcs.ruleset.xml [#19].
    • Better support for symbolic links [#26].
    • Changes the grunt config for addtextdomain to override all text domains by default [#28].
  • wp search-replace:
    • Includes --format=count to only show number of rows affected [#14].
  • wp term (get|update|delete):
    • Introduces --by=<type> argument to get/update/delete term by slug [#27].
  • wp user *:
    • Support fetching users with an email address in the login field [#21].
  • wp super-admin remove:
    • Allows revoking super-admin of non-existent user [#6].

Framework enhancements

  • Fixes autoload file names for $custom_vendor condition [#4147].
  • Saves runtime config so it can be passed as args to Runner::run_alias_group() invocation [#4148].
  • Manually loads comments if opcache.save_comments is disabled [#4161].
  • Allows numbers in subcommand names and arguments [#4164, #4269].
  • Fixes double slash in boot-phar.php path [#4169].
  • Allows root use of wp cli info, in addition to wp cli update [#4177].
  • Updates SSH URL parser regexp to allow for null port number [#4182].
  • Add WP_CLI\Utils\get_home_dir() helper function [#4184].
  • Reduces included files (Behat/PHPUnit in particular) in built Phar [#4185].
  • Behat: Allows test DB user + pass to be set by environment variables [#4196].
  • Fixes output in JSON format in case of error while encoding [#4199].
  • Passes WP_CLI_STRICT_ARGS_MODE on to --ssh=<ssh> if set [#4207].
  • Displays a more helpful error message when site cannot be found [#4212].
  • Fixes broken indentation on Windows systems because of line endings [#4221, #4222].
  • Adapts --ssh=<ssh> flag to work with Docker and Docker Compose [#4240].
  • Checks for availability of proc_open/close in various scenarios [#4245].

Contributors to this release (45 total): aaemnnosttv, BhargavBhandari90, chetansatasiya, chriszarate, cjhaas, colemanedwards, danielbachhuber, davetha, drrobotnik, electrokit, emgk, emirpprime, erikjoling, fjarrett, freegenie, gitlost, greatislander, iansvo, Ippey, jalavoy, jameselks, joehoyle, johnbillion, @JPry, junaidbhura, kouratoras, lucatume, @mapk, mikeschinkel, miya0001, @murtzsarialtun, nikolov-tmw, pierre-dargham, plastikdreams, rahul286, ronaksampat, schlessera, Sidsector9, soulseekah, szepeviktor, tfrommen, vbaranovskiy-plesk, westonruter, wp-make-coffee, wpbullet