← ~/articles

Letting AI maintain a WordPress site: three months in

cover image 16:9Letting AI maintain a WordPress site: three months in

In April I handed the routine maintenance of a production WordPress site — updates, backups, broken-link triage — to an AI agent with shell access to the staging box. This is what three months of that actually looks like.

The setup

Everything runs through WP-CLI. The agent never touches the admin UI; every change is a command, and every command is logged to an append-only file the agent can’t edit.

$ wp plugin update --all --dry-run
$ wp db export backups/$(date +%F).sql
$ wp core verify-checksums

NOTEDry-run first, always. The one incident in three months came from skipping it.

What the agent handles well

Plugin updates are the obvious win: 41 of 44 went through without human review. The agent reads the changelog, runs the update on staging, diffs the rendered critical pages, and only then promotes.

update pipeline

Where it fails silently

Visual regressions in areas the diff doesn’t cover — a widget in the footer, an embed behind a consent banner. The agent reports “no changes detected” and moves on. You need a human pass on anything the crawler can’t see.

Guardrails that earned their keep

Read-only production credentials, a staging-first rule enforced at the SSH config level, and a hard cap on database operations per session. Boring, and exactly why it works.