A powerful, self-hosted administration and development tool for WordPress that helps you fix, manage, and optimize your WordPress site outside of WordPress itself.
WP Safe Mode is an essential tool for WordPress end users and developers. It provides a comprehensive set of features for managing WordPress installations, troubleshooting issues, performing backups, and optimizing performance - all without needing to access the WordPress admin panel.
Managed by: imbamarketing.com and cloud-industry.com
- WordPress Configuration - Edit wp-config.php constants and variables
- Plugin Management - Activate/deactivate plugins without accessing WordPress
- Theme Management - Switch themes and download default themes
- Database Management - Full and partial database backups (SQL/CSV formats)
- File Backups - Complete WordPress installation backups with ZIP archiving
- Error Log Viewer - View and search PHP error logs with formatted display
- .htaccess Editor - Edit and generate .htaccess files with common configurations
- robots.txt Manager - Create and edit robots.txt files
- Quick Actions - One-click actions for common tasks:
  - Optimize database tables
  - Enable/disable maintenance mode
  - Delete spam/unapproved comments
  - Delete post revisions
  - Change site URL and home URL
  - Scan WordPress core files
- Auto Backup - Configure automatic backups for files and database
- Search & Replace - Database search and replace functionality
- Activity Log - Complete audit trail system:
  - Track all user actions and system events
  - Filter logs by action type and user
  - View activity statistics
  - Auto-cleanup of old logs
  - IP address tracking
  - JSON-based log storage (last 1000 entries)
- Email Testing - Comprehensive email diagnostics:
  - Test WordPress wp_mail() function
  - Test PHP mail() function
  - Check SMTP configuration
  - Detect email plugins (WP Mail SMTP, etc.)
  - View email configuration details
  - Fallback support when WordPress not loaded
- Security Scanner - Automated security auditing:
  - File permission checks (wp-config.php, .htaccess)
  - WordPress version comparison with latest
  - Plugin security analysis
  - Database security validation (table prefix)
  - wp-config.php security settings check
  - .htaccess security rules validation
  - User account security analysis
  - Security score calculation (0-100)
  - Detailed recommendations for fixes
- Performance Profiler - Real-time performance analysis:
  - Server metrics (memory, disk, execution time)
  - PHP metrics (version, OPcache status, extensions)
  - Database metrics (table count, sizes, optimization status)
  - WordPress metrics (version, plugins, themes, posts, comments)
  - Automatic performance recommendations
  - Resource usage tracking
  - Optimization suggestions
- Media Library Manager - WordPress media management:
  - Browse media files with pagination
  - Search and filter media files
  - View file details (size, type, dimensions)
  - Delete media files
  - Media statistics and analytics
  - Group by file type (image, video, audio, PDF)
  - File existence verification
- Database Optimizer - Advanced database maintenance:
  - Analyze all database tables
  - Find orphaned data (postmeta, commentmeta, term relationships)
  - Detect duplicate data
  - Find unused data (revisions, spam comments, trashed posts, expired transients)
  - One-click table optimization
  - Clean orphaned data
  - Clean post revisions (configurable keep count)
  - Clean expired transients
  - Generate optimization recommendations
- CSRF Protection - All forms protected with CSRF tokens
- Rate Limiting - Brute force protection for login attempts
- Input Validation - Comprehensive input sanitization and validation
- SQL Injection Prevention - PDO parameter binding throughout
- Secure File Operations - Path validation and secure file handling
- Secure Sessions - HTTP-only and secure cookie settings
- AI Chat Assistant - Interactive troubleshooting with OpenAI GPT-4
- Error Log Analysis - AI-powered analysis of PHP errors with solutions
- Plugin Conflict Detection - Automatic detection of plugin conflicts
- Security Analysis - Comprehensive security audit and recommendations
- Performance Optimization - AI-suggested performance improvements
- Error Explanation - Simple explanations of complex errors
- AdminLTE 3 Design - Modern, responsive admin interface
- Single Page Application - No page reloads, smooth navigation
- Mobile Responsive - Fully optimized for mobile devices
- Real-time Updates - AJAX-powered dynamic content loading
- Loading States - Visual feedback during operations
- Bootstrap 4 - Modern UI components and styling
- Web Server: Apache (recommended) or Nginx
- PHP: 7.4 or newer (PHP 8.x recommended)
- MySQL: 5.7 or newer (or MariaDB 10.2+)
- Permissions: Write access to WordPress directory and backup storage
- WordPress: Functional WordPress installation
- Database: MySQL user with all privileges
- OpenAI API Key - For AI Assistant features (get from platform.openai.com)
- Download/Clone the repository to your web server
      git clone https://github.com/magnetoid/wpsafemode.git
- Place in WordPress Directory
  - Copy the wpsafemode folder to your WordPress root directory
  - Example: http://www.yourdomain.com/wpsafemode/
- Configure Settings
  - Copy settings.sample.php to settings.php
  - Edit settings.php and configure:
    - $settings['wp_dir'] - Path to WordPress directory (default: ../)
    - $settings['sfstore'] - Backup storage directory (default: sfstore/)
- Set Permissions
  - Ensure backup directory is writable
  - Ensure wp-config.php is readable/writable
- Access the Tool
  - Navigate to: http://www.yourdomain.com/wpsafemode/
  - Default login: demo/demo
  - Important: Change default credentials in Global Settings immediately!
Edit settings.php:
    $settings['wp_dir'] = '../'; // WordPress directory path
    $settings['sfstore'] = 'sfstore/'; // Backup storage directory
- Get an OpenAI API key from platform.openai.com
- Go to Global Settings in WP Safe Mode
- Enter your OpenAI API key
- Save settings
WP Safe Mode provides a comprehensive REST API for all features:
- GET /api/activity-log?action=list&limit=100 - Get activity logs
- GET /api/activity-log?action=statistics - Get activity statistics
- POST /api/activity-log?action=clear&days=30 - Clear old logs
- GET /api/email?action=info - Get email configuration
- POST /api/email?action=test - Test WordPress email (requires: to, subject, message)
- POST /api/email?action=test_php - Test PHP mail() function
- GET /api/security-scanner?action=scan - Run comprehensive security scan
- GET /api/performance?action=metrics - Get performance metrics
- GET /api/media?action=list&limit=50&offset=0&search=term - List media files
- GET /api/media?action=statistics - Get media statistics
- POST /api/media?action=delete - Delete media file (requires: file_id)
- GET /api/database-optimizer?action=analyze - Analyze database
- POST /api/database-optimizer?action=optimize - Optimize all tables
- POST /api/database-optimizer?action=clean_orphaned - Clean orphaned data
- POST /api/database-optimizer?action=clean_revisions&keep=3 - Clean revisions
- POST /api/database-optimizer?action=clean_transients - Clean expired transients
- GET /api/system-health - Get system health metrics
- GET /api/file-manager?action=list&path=... - File manager operations
- GET /api/users?action=list - User management operations
- GET /api/cron?action=list - Cron job management
All API endpoints return JSON responses with success, message, and data fields.
wpsafemode/
├── assets/
│ ├── css/
│ │ └── admin-custom.css # Custom AdminLTE styles
│ └── js/
│ ├── app.js # Main application
│ ├── admin-custom.js # Admin customizations
│ └── modules/ # Feature modules (16 modules)
├── controller/
│ ├── main.controller.php # Base controller
│ ├── dashboard.controller.php # Main dashboard
│ ├── api.controller.php # API endpoints
│ └── ai.controller.php # AI features
├── model/ # Data models
├── view/ # View templates
│ ├── *-admin.php # AdminLTE views
│ └── *.php # Legacy fallback views
├── core/
│ ├── Config.php # Configuration management
│ ├── Database.php # Database connection
│ ├── Response.php # API response handler
│ ├── InputValidator.php # Input validation (single source of truth)
│ ├── Logger.php # Logging system
│ └── Cache.php # Caching system
├── security/ # Security classes
│ ├── SecurityFixes.php # Security utilities
│ ├── CSRFProtection.php # CSRF token management
│ └── RateLimiter.php # Rate limiting
├── services/
│ ├── AIService.php # AI service
│ ├── ActivityLogService.php # Activity logging
│ ├── EmailService.php # Email testing
│ ├── SecurityScannerService.php # Security scanning
│ ├── PerformanceProfilerService.php # Performance profiling
│ ├── MediaLibraryService.php # Media management
│ ├── DatabaseOptimizerService.php # Database optimization
│ ├── SystemHealthService.php # System health monitoring
│ ├── FileManagerService.php # File management
│ ├── UserManagementService.php # User management
│ └── CronService.php # Cron job management
└── settings.php # Configuration
- Backend: PHP 7.4+ with PDO (PHP 8.0+ recommended, fully PHP 8.1+ compatible)
- Frontend: JavaScript (ES6+), AdminLTE 3, Bootstrap 4, Material Design 3
- Framework: Custom MVC architecture with service layer
- Database: MySQL 5.7+ / MariaDB 10.2+ with PDO
- Security: CSRF protection, rate limiting, input validation, SQL injection prevention
- AI: OpenAI GPT-4 API integration
- Icons: Font Awesome 6, Material Icons
- Architecture: Service-oriented design with dependency injection support
- Caching: In-memory caching system for performance optimization
- Code Standards: PSR-compliant naming conventions with strict type hints
WP Safe Mode includes comprehensive security features:
- ✅ SQL Injection Prevention - PDO parameter binding throughout
- ✅ CSRF Token Protection - All forms protected with CSRF tokens
- ✅ Rate Limiting - Brute force protection for login attempts (5 attempts/5 minutes)
- ✅ Input Validation - Centralized InputValidator class with strict type checking
- ✅ XSS Prevention - Output escaping and input sanitization
- ✅ Secure File Operations - Path validation and secure file handling
- ✅ Path Traversal Protection - Realpath validation for all file operations
- ✅ Secure Session Management - HTTP-only and secure cookie settings
- ✅ PHP 8.0+ Compatibility - Modern error handling with Throwable
- ✅ No Circular Dependencies - Clean architecture prevents security gaps
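The "Realpath validation" item above is easy to get subtly wrong, so here is a sketch of the check as an added example; it is not WP Safe Mode's own code. The function name resolveInsideBase() and the demo directory tree are assumptions made for illustration. It covers the two usual pitfalls: realpath() returning false for files that do not exist yet, and plain prefix comparison accepting a sibling directory.

```php
<?php
declare(strict_types=1);

/**
 * Return the canonical path of $userPath inside $baseDir, or null when the
 * resolved path falls outside the base directory.
 * Hypothetical helper for illustration; not part of WP Safe Mode.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');

    // realpath() returns false for a path that does not exist yet (for example
    // a backup about to be written), so canonicalise its parent directory.
    $real = realpath($candidate);
    if ($real === false) {
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $real = $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }

    // Compare against the base plus a trailing separator, otherwise a sibling
    // such as "/srv/wp-evil" would pass as being inside "/srv/wp".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/wpsm-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp/uploads", 0700, true);
mkdir("$root/wp-evil", 0700, true);
file_put_contents("$root/wp/uploads/a.txt", 'ok');
file_put_contents("$root/wp-evil/secret.txt", 'outside');

$cases = ['uploads/a.txt', 'uploads/new.zip', '../wp-evil/secret.txt', 'uploads/../../wp-evil/secret.txt'];
foreach ($cases as $path) {
    $resolved = resolveInsideBase("$root/wp", $path);
    printf("%-36s %s\n", $path, $resolved === null ? 'REJECTED' : 'allowed');
}
```

Because realpath() also resolves symbolic links, a link placed inside the base directory that points elsewhere is rejected by the same comparison.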
- Fully responsive design
- Mobile-optimized sidebar
- Touch-friendly interface
- Optimized loading screens
- Mobile-specific CSS optimizations
- Single Page Application (SPA) - No page reloads, smooth navigation
- AJAX-Powered Loading - Dynamic content loading without full page refresh
- Efficient Caching - In-memory caching system for repeated operations
- Optimized Asset Loading - Minimized HTTP requests
- Database Optimization - Query optimization and prepared statements
- Lazy Loading - Load resources only when needed
- Service Architecture - Modular design for better code organization and maintainability
- Clean Code - Reduced codebase size through refactoring (43 lines removed in v1.0.1)
- Type Safety - Strict type hints reduce runtime overhead
- No Code Duplication - Single source of truth pattern eliminates redundancy
Released: December 2025
- Malware Scanner (Signature Match)
  - Scans .php files for suspicious functions (eval, base64_decode, shell_exec)
  - Identifies known malware patterns (obfuscated code, backdoors)
  - Displays severity levels (Critical, Warning, Info)
  - Direct links to inspect suspicious files in File Manager
- Emergency Admin Link ("Magic Login")
  - Generates a temporary, secure one-time login link
  - Bypasses password requirements (useful if locked out or hacked)
  - Uses secure token validation with expiration
- Database Inspector
  - Full table browser with pagination
  - View table schema (columns, indexes)
  - Execute custom SQL queries via API
  - Integrated into new "Database Inspector" view
- Dark Mode Support
  - Toggle between Light and Dark themes
  - Persists preference via local storage
- Enhanced System Health
  - Database Insights: Identifies largest tables and fragmented tables
  - Auto-Security Scan: AI-powered security analysis integration
- Secure Architecture
  - Secure Backups: Replaced SELECT INTO OUTFILE with PHP CSV generation (safer, works without FILE privilege)
  - CSRF Protection: Extended to all AI and API endpoints
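The properties a one-time login link such as the "Magic Login" item above depends on are an unguessable token, only a hash stored at rest, an expiry, and redemption that succeeds once. The sketch below is an added example and not WP Safe Mode's implementation; the function names, the JSON store file and the 600-second default lifetime are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Issue a one-time token. Only its SHA-256 hash and expiry are stored, so a
 * leaked store file does not reveal a usable link.
 * Hypothetical helper; the store file and TTL are assumptions of this example.
 */
function issueLoginToken(string $storeFile, int $ttlSeconds = 600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $record = ['hash' => hash('sha256', $token), 'expires' => time() + $ttlSeconds];
    file_put_contents($storeFile, json_encode($record), LOCK_EX);
    chmod($storeFile, 0600);
    return $token;
}

/** Redeem a token: valid at most once, and only before it expires. */
function redeemLoginToken(string $storeFile, string $presented, ?int $now = null): bool
{
    // Atomically claim the record so two concurrent requests cannot both
    // redeem it; the second rename() fails because the file is already gone.
    $claimed = $storeFile . '.' . bin2hex(random_bytes(8));
    if (!@rename($storeFile, $claimed)) {
        return false;
    }
    $record = json_decode((string) file_get_contents($claimed), true);
    unlink($claimed); // fail closed: the link is consumed even by a wrong guess

    if (!is_array($record) || !isset($record['hash'], $record['expires'])) {
        return false;
    }
    if (($now ?? time()) >= (int) $record['expires']) {
        return false;
    }
    // Constant-time comparison of the stored hash with the presented token's hash.
    return hash_equals((string) $record['hash'], hash('sha256', $presented));
}

// Constructed demonstration using a throwaway file in the temp directory.
$store = sys_get_temp_dir() . '/wpsm-magic-' . bin2hex(random_bytes(4)) . '.json';

$token = issueLoginToken($store);
var_dump(redeemLoginToken($store, $token)); // first redemption of the link
var_dump(redeemLoginToken($store, $token)); // replay of the same link

$token = issueLoginToken($store, 60);
var_dump(redeemLoginToken($store, $token, time() + 61)); // redemption after expiry
```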
Released: December 2025
- Service Layer Expansion
  - Created ThemeService to handle all theme-related operations
  - Enhanced PluginService with complete plugin management capabilities
  - Refactored DashboardController to use dependency injection for services
  - Removed direct model dependencies from controller
  - Improved separation of concerns
- Code Quality
  - Added strict type hints to DashboardController methods
  - Added return type declarations (: void, : bool, : array)
  - Fixed lint errors and improved code standards compliance
  - Removed unnecessary serialization logic
- CSRF Protection
  - Implemented CSRF token validation for all DashboardController actions
  - Secured plugin and theme management forms
  - Secured backup and settings operations
Released: November 2025
- Fixed undefined class references - Resolved fatal errors caused by SecureInput class references
- Fixed circular dependencies - Eliminated circular references between InputValidator and SecureInput
- Fixed syntax errors - Resolved missing closing braces in UserManagementService
- Fixed method compatibility - Updated all deprecated method calls to use new naming conventions
- Input Validation Architecture
  - Consolidated all input validation into InputValidator as single source of truth
  - Converted SecureInput to legacy compatibility wrapper
  - Added filename and table_name sanitization types
  - Removed code duplication (43 lines of code removed)
  - Enhanced validation with null/empty checks
- Method Naming Standardization (PSR Compliance)
  - Converted all service methods from snake_case to camelCase
  - Added strict type hints to all method signatures
  - Added return type declarations for better type safety
  - Improved PHPDoc comments throughout
- Service Method Updates:
      ActivityLogService:
        get_logs() → getLogs()
        clear_old_logs() → clearOldLogs()
        get_statistics() → getStatistics()
      EmailService:
        test_email() → testEmail()
        get_email_info() → getEmailInfo()
        test_php_mail() → testPhpMail()
- Clean Dependencies - No circular class dependencies
- Type Safety - Strict type hints on all refactored methods
- Backwards Compatibility - 100% maintained through wrapper classes
- Code Quality - Consistent coding standards across all services
- Maintainability - Easier to maintain with single source of truth pattern
- Updated all deprecated FILTER_SANITIZE_STRING usage
- Improved exception handling with Throwable instead of Exception
- Version-aware filtering for PHP 8.1+ (FILTER_SANITIZE_FULL_SPECIAL_CHARS)
- Enhanced error logging with file and line information
- ✨ AI-Powered Features - Complete AI Assistant with OpenAI GPT-4 integration
- 🎨 AdminLTE 3 Redesign - Modern, professional admin interface
- 🔄 JavaScript Refactoring - Complete SPA architecture with 21+ modules
- 🔒 Security Enhancements - Comprehensive security fixes and improvements
- 📱 Mobile Optimization - Full mobile responsive design
- 🧹 Code Cleanup - Removed 50+ unused files, modernized codebase
- ⚡ Performance Improvements - Faster loading, better UX
- 🏗️ Service Architecture - Modular service-based architecture for better maintainability
- 📊 Activity Log - Complete audit trail system for tracking all user actions with filtering and statistics
- 📧 Email Testing - Test WordPress and PHP email functionality with SMTP configuration detection
- 🔍 Security Scanner - Automated security vulnerability scanning with 0-100 security score
- 📈 Performance Profiler - Real-time performance metrics, analysis, and optimization recommendations
- 🖼️ Media Library Manager - Complete WordPress media file management with search and statistics
- 🗄️ Database Optimizer - Advanced database optimization with orphaned data cleanup and analysis
- 🔧 Core Classes - New core classes: Config, Database, Response, InputValidator, Logger, Cache
- 🛡️ Enhanced Security - PHP 8.0+ compatibility, improved error handling, comprehensive input validation
- Added login feature with secure authentication
- Added global settings feature
- Automatically create settings.php if it doesn't exist
- All backups stored in wp safe mode storage
- Minor fixes
- Quick actions, .htaccess generator, robots.txt editor
- PHP error_log read functionality
- Maintenance mode
- Optimize tables, delete spam comments
- Search database, autobackup features
- New design
- Major code fixes
Contributions are welcome! Please feel free to submit a Pull Request.
Please check license.txt or visit http://wpsafemode.com/licenses/
CloudIndustry - http://cloud-industry.com
Contributors:
- Nikola Kirincic
- Marko Tiosavljevic
- Daliborka Ciric
- Luka Cvetinovic
- Nikola Stojanovic
- This tool is production-ready but always test in development first
- Always test in a development environment first
- Always backup your site before making changes
- Change default login credentials immediately after installation
- PHP 8.0+ Recommended - Full compatibility with PHP 8.1+
- Code Quality - Follows PSR standards with strict type hints
- Please do not remove branding or links
- For support, visit http://wpsafemode.com/
- Website: http://wpsafemode.com/
- Issues: Use GitHub Issues for bug reports
- Feedback: Visit the website to leave feedback
Special thanks to all contributors and the WordPress community for their support and feedback.
Trademark Note: WP Safe Mode and wpsafemode are trademarks of Cloud Industry LLC, © Cloud Industry LLC, all rights reserved.
Best Regards,
Cloud Industry Team