TechEarl

Using AI with WP-CLI for Faster WordPress Operations

The WP-CLI patterns that compose well with AI assistants: multi-step plans with checkpoint approval, generated one-off scripts, database surgery, content migrations at scale, and what to never delegate.

Ishan Karunaratne⏱️ 11 min readUpdated
Share thisCopied
WP-CLI patterns that compose with AI: multi-step plans, generated scripts, database surgery, content migrations, what to never delegate. Real commands, real limits.

WP-CLI is already the highest-leverage tool on a WordPress server. Pairing it with an AI assistant changes which jobs you reach for it on. The workflows that benefit most are the ones where the typing is mechanical but the planning is not: multi-step ops with branching logic, one-off migration scripts, database surgery, and cross-site audits. The workflows where AI assistance is a net loss are the ones with no rollback, where the speed-up tempts you to skip verification. Both halves matter.

Jump to:

Why WP-CLI and AI compose well

WP-CLI is a discoverable, text-in / text-out tool. Every subcommand has predictable flags, the output is parseable JSON or table format on demand, and the error messages name what failed. That is exactly the surface an AI assistant can reason about with high accuracy. Compare it to clicking around the admin UI, where the AI has no eyes: clicking is the wrong abstraction for AI augmentation, scripting is the right one.

The second reason is reversibility. Most WP-CLI operations are either read-only (wp post list, wp plugin status, wp option get) or have a clean inverse (wp plugin deactivate reverses wp plugin activate). The destructive operations (wp db reset, wp post delete) are well-known and easy to guard against. That makes WP-CLI a safer surface to hand off than, say, mysql against the live database, where a missing WHERE clause is unrecoverable.

I have been driving WordPress over WP-CLI since the early 2010s. The shift over the last two years is not what WP-CLI does. It is how much I delegate to it. The hand-typed wp post list --post_type=... for the fiftieth time becomes "describe the report you want and I will compose the command." That is the difference.

Pattern 1: The multi-step plan with checkpoint approval

This is the workflow that earns the highest return for the lowest risk. You describe the goal as a numbered plan; the assistant runs each step, reports the result, and waits for approval before continuing. The plan is the contract.

A real example from a directory site migration:

text
On staging.example.com:

1. Snapshot the database to /backups/pre-migration-$(date +%Y%m%d).sql.gz.
2. Count posts of post type "provider" and report the number.
3. Count posts where ACF field "verification_status" is "pending" and
   report.
4. For each pending provider, set ACF field "review_queue_priority"
   to "normal".
5. Confirm by re-reading three random pending providers and printing
   their new review_queue_priority value.

Pause for my approval between steps 1 and 2, and between steps 4 and 5.

Each step is a single wp invocation. The assistant runs them in order, surfaces the count, waits where I told it to wait. The two checkpoints are placed where the cost of being wrong is highest: after the snapshot (so I confirm the snapshot is actually safe before any writes), and before the verification (so I see the writes happened on real data before they get confirmed).

The reason this beats a hand-written script: the plan is in plain language, the steps are auditable in transcript, and I do not have to write the script in the first place. The script effectively writes itself, command by command, with me reviewing each one.

Pattern 2: Generating one-off migration scripts

When the plan is too big to run interactively, the move is to generate a one-off WP-CLI script (a custom command in mu-plugins/ or a standalone PHP file run via wp eval-file) and run it after review.

The prompt shape I use:

text
Write a WP-CLI command class (extends WP_CLI_Command) that:
- Iterates all "listing" posts.
- For each post, reads the ACF field "city" (a text field with the
  full city name).
- Looks up the matching city in the "city" taxonomy.
- Creates the term if it doesn't exist.
- Assigns the listing post to that taxonomy term.
- Logs every assignment with --debug.
- Supports --dry-run that prints what it would do without writing.
- Supports --batch=N (default 100) so large sites can be processed in
  manageable chunks.

Save to mu-plugins/cli-commands/migrate-listing-cities.php and register
the command as `wp listing migrate-cities`. Do not run it.

What you get back is a complete custom command, registered correctly. You review it (look for the WHERE clauses, look for the writes, look for off-by-one bugs in the batching), run it dry-run on staging, check the output, run it for real on staging, verify, then run on production.

The acceleration is real. A migration script that would have been ninety minutes to write and test by hand becomes about twenty minutes including review. The judgment about whether the migration is correct (the WHERE clause, the edge cases, the data integrity guarantee) is still yours. The boilerplate around it is not.

Pattern 3: Database surgery with wp db query

Sometimes WP-CLI's built-in commands cannot do what you need and the answer is raw SQL through wp db query. This is the highest-risk pattern in the article and also the one where AI assistance pays the most, because the typing burden of "construct a six-table join with a subquery" is what makes me write the query in the first place.

A representative prompt:

text
Write a SQL query to run via `wp db query` that returns every post
where:
- post_type is "provider"
- post_status is "publish"
- the post has an ACF "claimed_by_user_id" meta_value that is NOT NULL
- AND the corresponding wp_users.user_email is from one of these domains:
  example.com, test.example.com, dev.example.com
- AND the post has been modified in the last 90 days

Return: ID, post_title, post_modified, the claiming user_email.
Order by post_modified DESC. Add LIMIT 200 as a guard.

Do not write any UPDATE or DELETE. SELECT only.

The "SELECT only, no UPDATE or DELETE" line is non-negotiable on prompts that produce SQL. It is the prompt-side equivalent of "least privilege". When I do need a mutation query, I write it as a separate prompt explicitly scoped, and I always wrap the mutation in a transaction or take a snapshot first.

The hallucination risk is real but bounded. The model knows the WordPress core schema well (wp_posts, wp_postmeta, wp_users, wp_usermeta, wp_options, wp_term_relationships). It is less reliable on plugin-specific tables, where you should always paste the relevant wp_* table CREATE statement (wp db query "SHOW CREATE TABLE wp_some_plugin_table") into the prompt before asking for the query.

Pattern 4: Cross-site audits and bulk reporting

For agencies and multi-site operators, the report-generation pattern is the everyday workhorse. The goal is usually some flavor of "which of our sites are running an outdated version of plugin X" or "which sites have the security update applied and which do not."

The pattern in WP-CLI is straightforward: loop over a list of sites (via SSH or wp site list on multisite), run a wp plugin status or wp option get on each, aggregate. The acceleration with AI is in composing the loop and the parser without typing it out.

text
I have a CSV at ~/sites.csv with two columns: ssh_host, wp_path.
Generate a bash script that:
- Reads each row.
- For each site, SSHes in and runs `wp plugin list --format=json --path={wp_path}`.
- Parses the JSON locally and prints a tab-separated report with:
  hostname, plugin_name, version, status (active/inactive).
- Continues on per-site failures (printing "FAILED: hostname" to stderr).
- Does not fail the whole run if one site is unreachable.

Output the script to ~/scripts/audit-plugins.sh and explain how to
invoke it. Do not run it.

The output is a bash script that uses wp over ssh, parses with jq, and produces a clean aggregated report. I run it; if the output looks right, I keep the script. If not, I describe the fix and regenerate. The script is throwaway, not infrastructure, but the throughput is high enough that "write a one-off audit script" went from a half-day task to a coffee-break task.

Pattern 5: Generating wp-cli.yml configs and aliases

The least glamorous WP-CLI feature is also where AI assistance compounds across every other workflow: the wp-cli.yml config file and the @alias system. A well-configured wp-cli.yml means every wp invocation in a project auto-applies the right --path, --user, --url, and --skip-plugins flags. A well-configured alias means wp @prod plugin list reaches the production server over SSH with the correct user, key, and path, no flag-juggling.

A prompt that I use when onboarding a new site:

text
Generate a wp-cli.yml for a multi-environment WordPress site with:
- A "@dev" alias pointing at the local Docker WP at
  /var/www/html (no SSH).
- A "@stage" alias pointing at user "deploy" on staging.example.com
  at /var/www/example/staging.
- A "@prod" alias pointing at user "deploy" on www.example.com
  at /var/www/example/prod.
- Default flags: --skip-themes for performance on remote, --user=1
  on local.
- A user "wp" subgroup with config defaults that suppress color in
  CI environments (when CI=true).

Output the file. Explain how each alias would be invoked.

The output is a complete, valid YAML file that you can drop into the project root. The first time you do this manually it takes thirty minutes of cross-referencing the WP-CLI handbook. After the first time, you stop doing it manually. This is the kind of small win that the strategy work on a WordPress agency stack ends up being mostly composed of.

What to never delegate

Honesty over enthusiasm, like always. Some operations belong on the human side of the line regardless of how good the model is.

wp db reset, wp db drop, wp site empty. These are non-recoverable without a backup. Never let an assistant invoke them as part of a multi-step plan, no matter how confident the plan looks. If your plan needs a reset, take the snapshot manually, run the reset manually, then hand back to the assistant for whatever comes next.

Mass user deletion. wp user delete with anything but a single explicit user ID is a trap. I have seen plans that wanted to "deactivate spam users" turn into mass deletions because the AI's understanding of "spam" did not match mine. User deletion always goes through a manual review of the user list first.

Production credentials in the same shell as the assistant. This is the broader version of the earlier rule. If your assistant has your production SSH key loaded, the assistant can deploy as fast as it can reason. That is sometimes what you want; far more often, the human-in-the-loop on production is exactly what catches the bad command before it ships. Staging and local can take the agentic loop directly. Production goes through the pull request.

wp search-replace without --dry-run first. Always. The flag exists for a reason. Search-replace bugs are the canonical "I did not realize that string also appeared in serialized PHP" disaster. Dry-run, eyeball the count, then run for real.

How this fits with Claude CLI specifically

I cover the Claude CLI side of this in detail in Using Claude CLI to Manage WordPress Sites. The article you are reading now is about the WP-CLI patterns themselves, not about any one assistant. The same patterns work whether you are pairing WP-CLI with Claude Code, with ChatGPT, with a custom in-house tool, or with whatever comes next. The patterns are what travels; the assistant is the disposable part.

What this means in practice for a small agency: invest in the WP-CLI fluency. Invest in the wp-cli.yml and the aliases and the custom commands in mu-plugins/cli-commands/. Then the AI assistant becomes additive on top, not the architecture itself. When the assistant changes (and it will), your workflows do not break, because the workflows live in WP-CLI, not in the chat session.

If you are wondering whether to standardize your team's WordPress operations around WP-CLI before adding AI, the answer is yes. WP-CLI is the multiplier. The AI assistant multiplies the multiplier. Skipping the WP-CLI step and going straight from admin-UI to AI-driven workflows leaves the biggest accelerator on the table.

Sources

Authoritative references this article was fact-checked against.

TagsWordPressWP-CLIAIDevOpsAgencyDatabase

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.

More by IshanLinkedIn
Keep reading

Related posts

AI

Using AI to Update ACF Fields and WordPress Content

AI plus WP-CLI plus ACF is the canonical pattern for bulk content updates that used to take a careful afternoon. Schema-aware update_field calls, content rewrites at scale, image alt backfills, and the safety patterns that prevent disasters.

AI

Using Claude CLI to Manage WordPress Sites

How I use Claude CLI to run WordPress and ACF work end-to-end: ACF field group generation, WP-CLI orchestration, log triage, plugin debugging, bulk content ops. Concrete prompts, what it gets wrong, and where it fits in an agency workflow.

AI

Using AI to Help Manage WordPress Infrastructure

AI plus SSH plus the standard server toolkit (systemd, nginx, fail2ban, certbot) accelerates infrastructure work without replacing the sysadmin judgment. Log triage, config audits, deploy verification, security review. Plus what to never delegate.