Hacking WP Engine’s web-based WP-CLI

Last year WP Engine started rolling out WP-CLI to select partners. I was glad to be included in one of the early batches. Their implementation of WP-CLI is partial, excluding a number of commands. Also calling it “command line” is a bit of a stretch as everything is done through the web browser. Even so, this is a step in the right direction.

So WP-CLI on WP Engine, as it stands today, is pretty sad. You get a new tab called “Advanced” which gives you a web-based console allowing you to input one-line commands. There is no way to connect from your command line and no way to input/run your own custom scripts. It’s all one command at a time.


While one-off commands are useful for things like updating URLs from dev to live, the true power of WP-CLI comes from automation. In order to automate anything, I was left with hacking.

Breaking apart WP Engine’s implementation

When you type a command into WP Engine’s web-based console, it sends/receives information via an AJAX request. The URL endpoint follows the format:

https://my.wpengine.com/installs/[install_name]/wp_cli

Using Postman I was able to break down the request into 3 required fields.

  • Command parameter – The actual command being sent to the command line
  • X-CSRF-Token – For authentication
  • Cookie – For authentication

With that I was able to successfully mimic and inject my own commands directly to WP Engine’s endpoint using Postman.


Automating

In order to begin my own scripting, I created a PHP wrapper. With this in place I can begin to make shell scripts. The following will output the version of WordPress, siteurl and home.

php wp_engine_cli.php -i anchorhosting -c "core version"
php wp_engine_cli.php -i anchorhosting -c "option get siteurl"
php wp_engine_cli.php -i anchorhosting -c "option get home"
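
A sketch of what such a wrapper could look like, added here as an example; it is not the author's script. It assumes the endpoint accepts a POST with a form field named "command", that install names are lowercase alphanumerics, and that the token and cookie are supplied through the hypothetical environment variables WPE_CSRF_TOKEN and WPE_COOKIE. The response body is printed as received.

```php
<?php
// Added sketch, not the author's wp_engine_cli.php. Assumptions: POST request,
// form field "command", install names are [a-z0-9]+, session values come from
// the hypothetical env vars WPE_CSRF_TOKEN and WPE_COOKIE.

function build_url(string $install): string {
    // The install name lands in the URL path, so reject anything unexpected.
    if (!preg_match('/^[a-z0-9]+$/', $install)) {
        throw new InvalidArgumentException("invalid install name: $install");
    }
    return "https://my.wpengine.com/installs/$install/wp_cli";
}

function run_command(string $install, string $command): string {
    $token  = getenv('WPE_CSRF_TOKEN');
    $cookie = getenv('WPE_COOKIE');
    if (!$token || !$cookie) {
        throw new RuntimeException('WPE_CSRF_TOKEN and WPE_COOKIE must be set');
    }
    $ch = curl_init(build_url($install));
    curl_setopt_array($ch, [   // TLS verification is left at its secure default
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['command' => $command]),
        CURLOPT_HTTPHEADER     => ["X-CSRF-Token: $token", "Cookie: $cookie"],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 60,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false) {
        throw new RuntimeException('request failed: ' . curl_error($ch));
    }
    if ($status !== 200) {
        // Assumed cause: the copied token or cookie is stale or mistyped.
        throw new RuntimeException("HTTP $status: refresh the token and cookie");
    }
    return $body;
}

$opts = getopt('i:c:');
if (!isset($opts['i'], $opts['c'])) {
    fwrite(STDERR, "usage: php wp_engine_cli.php -i <install> -c \"<command>\"\n");
    exit(2);
}
try {
    echo run_command($opts['i'], $opts['c']), PHP_EOL;
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Reading the values from the environment keeps the live session cookie out of the script file, so the script can be shared or committed without leaking it.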

Final thoughts

This is clearly a hack. Before running the PHP script, I first need to grab updated token and cookie values via the Chrome inspect tool and plug them into the PHP script. With all that aside, it actually works. I can now write a single shell script which will do XYZ on any number of my WP Engine installs. Success!

After talks with many different employees at WP Engine, it’s clear root access is never going to happen. I believe a WP Engine API is inevitable. In fact their endpoint for WP-CLI clearly exists, as it’s what the web console talks to. It’s just a matter of time before WP Engine creates a legitimate way for developers to access it. Once that happens, all of this hacking will not be necessary. Until then, enjoy!