We are gathered here not to petition the powerful, but to remind the powerless of what they already possess.
In 1981, Jon Postel wrote two words into RFC 790: “127: Reserved.” He may not have known it then, but he set aside a continent — a territory inside every networked device that no government can annex, no corporation can monetize, and no algorithm can surveil. That territory is localhost. It has been waiting for you for over four decades.
II.
The internet was born decentralized. It has been made centralized — not by necessity, but by convenience, apathy, and the quiet accumulation of control by those who understood what we did not: that whoever hosts the data makes the rules.
We write on platforms that can delete our words. We store memories in clouds that can evaporate. We build audiences on ground that can be pulled from beneath our feet. We call this arrangement “free.” It is free the way a tenant’s occupancy is free — until the landlord changes the locks.
Shoshana Zuboff named this regime Surveillance Capitalism. We have a simpler term: digital serfdom.
III.
Privacy is not secrecy. A private individual is not hiding; they are choosing. The sovereign individual demands the same right in digital space that every person once held in physical space: the right to think without being watched, to write without being judged by an algorithm, to own what they create.
“Not your keys, not your coins.” This axiom from the Bitcoin world applies far beyond finance. Not your server, not your data. Not your platform, not your voice. Not your infrastructure, not your sovereignty.
IV.
127.0.0.1 is not a service. It is a right.
It is the only address in the entire internet protocol suite that is, by design, absolutely private. Packets sent to it never leave your machine. No ISP can intercept them. No firewall need protect them — they never touch the wire. When every cloud server on earth goes dark, when DNS root servers fall, when undersea cables are severed, localhost still answers.
This is not a feature. This is an architecture of freedom, hiding in plain sight on every device ever built to speak TCP/IP.
V.
We do not need to build new systems from scratch. The infrastructure for digital sovereignty already exists.
WordPress — open-source, GPL-licensed, powering 43% of the web — is not merely a blogging tool. It is a digital operating system waiting to be reclaimed. Its code belongs to no corporation. If Automattic vanished tomorrow, WordPress would still belong to humanity. This is what the GPL guarantees: freedom that no acquisition, no bankruptcy, no boardroom decision can revoke.
VI.
But WordPress on a remote server is still someone else’s territory.
WordPress on localhost is yours.
Every word you write is a file on your disk. Every photo is bytes under your control. You choose the encryption. You set the access policy. You decide what to publish and what to keep. There is no content moderation you did not author, no terms of service you did not write, no algorithm between your thoughts and your readers.
This is not paranoia. This is ownership.
VII.
The missing piece has always been integration. Self-hosting is powerful but fragmented — a different interface for every tool, a different password for every service, a different tab for every function. This friction is what drives people back to the convenience of centralized platforms.
SatoshiWP answers this problem. Its name is a manifesto in two syllables: “Satoshi” for the principle of decentralization that Nakamoto encoded into Bitcoin; “WP” for the vehicle that carries this principle into everyday life.
SatoshiWP bridges WordPress with the open-source ecosystem and the decentralized web. It does not replace your self-hosted tools — it unifies them. Trilium Notes for knowledge management. Calibre Web for your library. Miniflux for your information diet. Nextcloud for your files. Ollama for your local AI. All accessible through one interface. One login. One tab.
WordPress becomes not a blog, but a personal digital operating system — a Sovereign Individual OS.
VIII.
Consider what becomes possible:
Your AI assistant reads your knowledge base — not a corporation’s training data, but your accumulated notes, your bookmarks, your marginalia. It remembers what you care about because its memory lives on your machine, managed by OpenClaw, powered by Ollama. No query leaves your network. No preference is harvested. No conversation trains someone else’s model.
Your RSS feeds are digested by AI and archived to your knowledge base automatically — not filtered by an algorithm optimizing for engagement, but curated by you and refined by an AI that works for you.
Your books are read in your browser, annotated by your AI, and the insights flow into your knowledge system — the act of reading itself becomes the act of building your intellectual infrastructure.
This is not a future. This is a docker-compose.yml and ten minutes.
IX.
We are told self-hosting is hard. It used to be. It is not anymore.
LocalWP creates a WordPress site in one click. WordPress Playground runs entirely in your browser — no server, no install, nothing. Docker Compose turns a 20-line YAML file into a full-stack sovereign infrastructure. The barrier to entry is now lower than signing up for a social media account, because you don’t even need to agree to terms of service.
X.
In Asimov’s Foundation, Hari Seldon chose the most remote planet in the galaxy — Terminus — not because it was powerful, but because it was free. At the farthest edge of the Empire’s reach, a small group of scholars preserved civilization’s knowledge while the center crumbled.
localhost is your Terminus.
It is the most “remote” address in the internet’s coordinate system — remote not in distance, but in jurisdiction. It belongs to no empire. It reports to no authority. It is, by protocol, sovereign.
XI.
We do not ask permission. We do not wait for regulation to catch up, though it is catching up — the EU Data Act, GDPR, and privacy laws in 18 U.S. states are all moving in one direction: your data belongs to you.
We do not wait because we do not need to. The tools exist. The code is open. The address is reserved.
XII.
This is not a manifesto against the cloud. Clouds have their uses. This is a manifesto for the option — the right to choose where your data lives, who can access it, and what happens to it when you are gone.
Every year, billions of records are breached. Every year, platforms go dark and take their users’ histories with them. Every year, terms of service grow longer and rights grow shorter. We do not propose to fix this system. We propose to leave it — not in anger, but in sovereignty.
XIII.
The path is clear:
Run WordPress on your machine. Install SatoshiWP. Connect your self-hosted services. Let your knowledge base grow. Let your AI learn you, not the other way around. When you are ready, build a HomeLab. When you are ready, publish to the world.
But the first step requires nothing — no money, no application, no approval. Open your browser. Type localhost.
You are already home.
The Localhost Manifesto was written in 2026. It is released into the public domain. Copy it. Translate it. Modify it. Host it on your own localhost.
In Isaac Asimov’s Foundation series, mathematician Hari Seldon foresaw that the Galactic Empire would collapse within thirty thousand years, and that knowledge and civilization would perish with it. To compress this coming “Dark Age” from thirty millennia to a single millennium, he established a “Foundation” on the most remote planet in the galaxy — Terminus — where a carefully selected cadre of scholars compiled the Encyclopedia Galactica, quietly preserving the seeds of civilization.
Terminus was chosen precisely because it was as far from the imperial center as possible. At the farthest edge of the Empire’s reach, knowledge found its purest freedom — beyond the meddling of imperial bureaucrats, beyond the gravitational pull of power politics. This seemingly insignificant frontier world ultimately became the seed from which civilization was reborn.
There is a Terminus inside your computer, too. Its name is localhost.
In the grand narrative of Web 2.0, we’ve grown accustomed to entrusting our data to cloud giants. Our writing lives on someone else’s servers. Our photos are managed by someone else’s algorithms. Our social connections are locked inside someone else’s databases. It all feels convenient — but it’s really a silent transfer of control. Harvard professor Shoshana Zuboff gave this model a precise name in her 2019 book The Age of Surveillance Capitalism: Surveillance Capitalism. In this system, our behavioral data is systematically extracted, analyzed, and commodified — we are not the customers; we are the raw material. By 2025, with generative AI permeating every layer of digital life, this extraction has escalated from “passive monitoring” to “active conversation” — user profiles have evolved from static silhouettes into dynamic semantic models, and predictive logic has expanded from ad targeting to full-stack content generation and behavioral shaping. Zuboff’s “Big Other” is giving way to something far more powerful and far more insidious: a “Big Author.”
Yet with the rise of the “Sovereign Individual” concept, a technological logic of reclaiming autonomy and self-ownership is re-entering mainstream discourse. The idea traces back to the 1997 book The Sovereign Individual: Mastering the Transition to the Information Age by James Dale Davidson and William Rees-Mogg. The authors predicted that digital technology would fundamentally reshape power structures — that individuals, armed with encryption, digital currencies, and decentralized networks, would gradually liberate themselves from the singular jurisdiction of nation-states and become “sovereign individuals” capable of choosing their own jurisdictions and controlling their own data and wealth. PayPal co-founder Peter Thiel has publicly stated that this book influenced him more than any other. In 2026, many of the book’s predictions — the rise of digital currencies, the normalization of remote work, the emergence of a cognitive elite — are coming true one by one.
The fascinating part is that the entry point to this grand vision often hides in a mysterious domain name that ships with every computer — localhost. The idea is simple but powerful: anyone can achieve genuine self-governance in the digital world by mastering the technological fundamentals. And it all begins with localhost on your own machine.
Just as Seldon chose the most remote planet in the galaxy as the site for his Foundation, the sovereign individual chooses the most “remote” coordinate in the internet’s address space — localhost, the address that always points to yourself and belongs to no empire — as the starting point for digital sovereignty. The metaphor is perfect: the farther from the center of power, the greater the independence and freedom.
I. localhost: Your Private Territory — No Registration Required
In the coordinate system of the internet, localhost is a special reserved domain name. It always points to one thing: you.
📌 Technical Origins: A Four-Decade-Old Covenant
localhost was not invented by any corporation. It is an ancient and solemn covenant embedded in the very foundation of the internet’s architecture. Its history stretches back to the earliest days of internet protocols:
September 1981 — Jon Postel, in RFC 790, first designated IP network number 127 as “reserved,” though its specific purpose had not yet been defined.
November 1986 — Jon Postel and Joyce Reynolds, in RFC 990, formally assigned network number 127 to the “loopback” function — stipulating that any packet sent to the 127 network must loop back within the host and must never appear on any external network.
1989 — RFC 1122 (Host Requirements) went further, reserving the entire 127.0.0.0/8 address block — over 16 million addresses — exclusively for loopback use.
This means 127.0.0.1 is not just an address — it is an entire continent within the internet protocol landscape, carved out specifically for “self-communication.” Why the number 127? In the early ARPANET design, 0 was reserved for pointing to a specific host (often due to bugs), while 127, as the last network number in the Class A address space, was chosen as the “final reservation” — a place that would forever belong to you.
In a sense, when Jon Postel wrote “127: Reserved” in that 1981 RFC, he may have unwittingly set aside a “Terminus” for every networked device — a territory beyond external jurisdiction, a vault for the seeds of civilization. Only now, more than four decades later, most people have forgotten this planet exists.
📌 Absolute Control: A Digital Enclave That Cannot Be Seized
Unlike commercial domain names that must be purchased from registrars and are subject to policy oversight, localhost is a loopback address defined at the operating system level. It belongs to no institution. It belongs only to you — the person sitting in front of the screen right now.
Specifically, when you type localhost into your browser, here’s what happens:
The system’s DNS resolver checks the local hosts file and resolves localhost to 127.0.0.1 (IPv4) or ::1 (IPv6).
The operating system’s TCP/IP stack recognizes this as a loopback address and routes the packet to the loopback network interface (typically named lo).
The packet is processed entirely within the machine. It never leaves your device.
A locally running service (such as a web server) receives and processes the request; the response likewise returns through the loopback interface.
The entire process completes in a closed loop inside your machine. Network routers and firewalls are configured to block any external attempt to access loopback addresses — packets arriving from external networks but destined for 127.0.0.1 are simply dropped (in network security terminology, these are known as “Martian Packets”).
The profound implication of this design: across the entire internet architecture, localhost is the only space defined as “absolutely private” at the protocol level. A commercial domain can be reclaimed by its registrar. An IP address can be reassigned by your ISP. DNS can be hijacked. But 127.0.0.1 is hardcoded into the kernel of every operating system that implements TCP/IP — it is not a service; it is a right. Just as breathing requires no one’s permission, localhost requires no institution’s authorization to exist.
📌 Offline Sovereignty: A Personal Node That Never Goes Down
As long as your device has power, this domain is always online. It doesn’t depend on DNS servers for resolution, nor is it affected by transoceanic cable disruptions. Even if your device is completely disconnected from the internet, 127.0.0.1 still works — because it doesn’t need a network at all. This “offline-available” property makes it the purest technical embodiment of digital sovereignty: you need no one’s permission to run services on your own device.
Imagine an extreme scenario: every cloud service goes down simultaneously. DNS root servers come under attack. Undersea cables are severed. The entire internet collapses. In this scenario, the services running on your localhost remain perfectly intact. Your knowledge base is still there. Your articles are still there. Your data is complete and accessible. This isn’t science fiction — this is a protocol-level guarantee of 127.0.0.1.
For those who pursue data sovereignty, this is the purest digital safe harbor. Asimov’s Terminus sits at the physical edge of the galaxy; your localhost sits at the logical edge of the internet. Both derive their most precious quality from being “far from the center”: the freedom from interference.
II. WordPress: Housing Your Ideas in a Container You Own
If localhost is the land, then WordPress is the temple of the mind built upon it. If Terminus is that remote planet, WordPress is the Encyclopedia-compiling center built on its surface — it gives the territory purpose and meaning.
📌 A Digital Infrastructure Too Big to Ignore
Before discussing why WordPress specifically, we need to appreciate its sheer weight in the global internet. According to the latest statistics from March 2026:
WordPress powers approximately 42.6% of all websites worldwide — nearly one in every two websites runs on WordPress.
Among websites using a known content management system (CMS), WordPress holds 59.9% market share, exceeding the combined share of every other CMS platform.
There are over 500 million websites globally built on WordPress.
WooCommerce (WordPress’s e-commerce plugin) powers roughly one-third of all online stores worldwide.
The global CMS market reached $30.9 billion in 2025 and is projected to grow to $45.7 billion by 2030.
WordPress can fairly be described as the digital infrastructure of the Sovereign Individual era — its prevalence in the global web is comparable to the ubiquity of WeChat Mini Programs in the Chinese-speaking world. Its code, plugins, and themes are fully open source, meaning no single entity can control or shut it down.
But WordPress earns its place as the sovereign individual’s platform of choice not merely because it’s “popular.” The deeper reason lies in its governance structure: WordPress’s core code is released under the GPL (GNU General Public License), a “copyleft” license that legally guarantees anyone can freely use, modify, and distribute the software — and that any derivative work must maintain the same freedoms.
This means: even if Automattic, the commercial company behind WordPress, vanished tomorrow, WordPress’s code would still belong to all of humanity. This is fundamentally different from writing on a WeChat Official Account or Medium — those platforms run closed-source code, set rules unilaterally, and can revoke your “right to use” at any time.
📌 From Tool to Asset: The Physical Homecoming of Data
The sovereign individual is no longer merely a “tenant” of social platforms. Installing WordPress locally means that every line you write, every photo you upload, is stored as database files on your own hard drive — not as binary fragments on some corporation’s server.
Let’s draw a concrete comparison:
Dimension
Platform Writing (e.g., Medium)
Local WordPress
📍 Data storage
Platform servers
Your hard drive
🔑 Access control
Platform decides
You decide
📋 Content moderation
Subject to platform rules
No external review
🚚 Data portability
Difficult; often locked in
Fully exportable
💰 Operating cost
“Free” but you pay with data
Only electricity
🔧 Customization
Extremely limited
Limitless
When your data lives on your own device, it becomes a genuine asset — you can back it up, migrate it, encrypt it, or even pass it on as a digital inheritance in your will. Content stored on a platform, by contrast, is essentially a revocable “license to use.”
From a legal perspective, this distinction is becoming increasingly significant. The EU Data Act, which took effect in September 2025, extends data sovereignty protections beyond personal data to industrial and non-personal data, granting users the right to access and migrate information from connected devices while prohibiting vendor lock-in.
Privacy laws are now active in 18 U.S. states. Since 2018, the GDPR has levied €5.65 billion in fines (€2.3 billion in 2025 alone, a 38% year-over-year increase). These regulations are institutionally confirming a fundamental truth: your data belongs to you first. Running WordPress on localhost is the most direct way to realize this principle at the technical level.
📌 Experiment and Evolve: A Risk-Free Digital Training Ground
Running WordPress on localhost is essentially a “digital drill.” You can freely install plugins, modify code, and experiment with themes without worrying about external scrutiny or bandwidth costs. It’s the sovereign individual’s sandbox for building their own knowledge architecture.
More importantly, this sandbox is becoming easier to set up than ever before. As of 2026, the leading tools for local WordPress development include:
LocalWP (formerly Local by Flywheel) — A free tool by WP Engine that creates local WordPress sites with a single click, requiring no manual configuration of PHP, MySQL, or Apache. It includes SSL support, local mail capture, site cloning, and more. Since 2021, all formerly paid features (Live Links, MagicSync, Cloud Backups, etc.) have been made free.
WordPress Studio — An official lightweight local development tool from WordPress.com, powered by WordPress Playground technology. No Docker, NGINX, Apache, or MySQL configuration required — truly “ready out of the box.” A few mouse clicks and you have a fresh local WordPress site.
Docker + Docker Compose — For users who want greater flexibility and portability. A simple docker-compose.yml file defines a WordPress container (Apache + PHP) and a database container (MySQL) for one-click deployment. Data is mounted to the host machine via volumes, ensuring nothing is lost when containers are deleted. Docker Desktop includes Docker Compose built in — plug and play on Windows and Mac.
WordPress Playground — One of the most exciting innovations of 2025–2026. WordPress Playground runs WordPress directly in the browser, powered by PHP compiled to WebAssembly, requiring zero server infrastructure. By 2025, it had been used over 1.4 million times, with 99% of the top 1,000 WordPress plugins installable and activatable within it. In March 2026, WordPress launched my.WordPress.net — a persistent browser-based WordPress environment built on Playground, with data stored locally in the browser that persists after closing the tab. It even integrates OpenAI for AI-assisted site editing.
The evolution of these tools illustrates a clear trend: the technical barrier to running WordPress locally is plummeting — from “sysadmin-grade” manual XAMPP/LNMP configuration, to “one-click install,” to “zero-install” (running directly in the browser). The sovereign individual’s starting point has never been more accessible.
In other words, building your “Foundation” on Terminus no longer requires you to be an engineer. Seldon needed the resources of an entire Empire to establish his Foundation; all you need is a laptop and ten minutes.
III. Why the Sovereign Individual Needs This Stack
At its core, “sovereignty” comes down to two qualities: portability and inalienability.
📌 Censorship Resistance for Your Data
When you run WordPress locally, your creative output is no longer constrained by any platform’s recommendation algorithms or keyword filters.
This is not a theoretical concern — it’s an everyday reality. On centralized platforms, your content faces multiple layers of uncertainty:
Platforms may remove your content due to policy changes (even when the content itself violates nothing).
Algorithmic curation may bury your carefully written article so that no one ever sees it.
A platform may abruptly shut down (think Google Reader, Yahoo GeoCities, or countless blogging services), and all your content vanishes with it.
A platform may change its terms of service to claim certain rights over content you created.
Bringing content creation back to localhost is fundamentally an act of “data sovereignty reclamation” — you transform from a “digital sharecropper” on a platform’s land into a “digital landowner” on your own territory. As the saying goes in the Bitcoin world: “Not your keys, not your coins.” The same iron law applies to your data and content. Data that isn’t in your hands was never truly yours.
Especially in the face of surveillance capitalism, big-data tracking, and internet censorship, the disappearance of information and privacy is not hypothetical — it’s the daily norm. The localhost + WordPress combination is, in essence, a personal “Terminus Project” that anyone can run — preserving the knowledge you deem important on territory you yourself control.
📌 Internalizing Capability: From Consumer to Builder
Learning to set up a local environment (whether with LocalWP or Docker) is the sovereign individual’s first step toward mastering the logic of the underlying technology stack. You go from being a passive content consumer to an active builder of your own digital environment.
This internalization follows a clear progression:
🟢 Level 1: One-click setup with WordPress Studio / LocalWP
↓ Understand the basic concept: "local = my turf"
🟡 Level 2: Containerized deployment with Docker Compose
↓ Understand containers, images, networks, volumes — infrastructure basics
🟠 Level 3: Install the SatoshiWP plugin ecosystem; connect self-hosted services
↓ WordPress becomes a unified hub for knowledge, AI, files, and reading
🔴 Level 4: Build a complete HomeLab (router + firewall + self-hosted service stack)
↓ Achieve true sovereignty over your digital infrastructure
🟣 Level 5: Publish your WordPress site as a personal digital hub
↓ From local sovereignty to network sovereignty
Each level expands your “digital territory.” From running a site on your own machine, to bringing knowledge management, AI assistants, file storage, and information feeds under your control through the plugin ecosystem, to publishing your own digital domain to the world — this is the sovereign individual’s technological path of growth.
In Foundation terms: Level 1 is when you land on Terminus. Level 2 is when you learn to build structures on the planet. Level 3 is when you begin compiling your own “Encyclopedia” — and SatoshiWP is your encyclopedia-compiling toolkit.
📌 WordPress Is Not Just a Blog — It’s Your Digital Operating System
There is a key insight worth underscoring here: when we say “install WordPress on localhost,” we are not merely talking about “setting up a blog.” In the sovereign individual’s technical architecture, WordPress plays a role far beyond content publishing — it is becoming a unified operating interface that connects all self-hosted services, a genuine “personal digital operating system.”
This is the core vision of the SatoshiWP project (satoshiwp.com). SatoshiWP’s mission: “Bridging WordPress with the Open Source Ecosystem & the Decentralized Web.” It has developed a full suite of WordPress plugins that seamlessly integrate a range of outstanding self-hosted open-source tools — Trilium Notes (knowledge management), Calibre (e-book library), Miniflux (RSS reader), Nextcloud (private cloud storage), Stremio (streaming media) — into WordPress, layering AI capabilities on top, transforming WordPress from a “content management system” into the sovereign individual’s “digital life operating system” — a “Sovereign Individual OS.”
The name “SatoshiWP” itself carries deep meaning — “Satoshi” pays tribute to Bitcoin’s creator, Satoshi Nakamoto, symbolizing the technological ideals of decentralization and individual sovereignty; “WP” points to WordPress, the vehicle for realizing those ideals. The name is itself a manifesto: practicing Satoshi-style digital sovereignty through WordPress.
In the following sections, we’ll examine in detail how the SatoshiWP plugin ecosystem turns this vision into reality.
IV. SatoshiWP: Forging WordPress into the Sovereign Individual’s Digital Hub
SatoshiWP is a plugin ecosystem built around WordPress. Its design philosophy can be captured in a single sentence: every self-hosted open-source service should be manageable, presentable, and enhanced through WordPress. Users should never have to juggle multiple independent web interfaces — WordPress is the single point of entry.
The key to understanding SatoshiWP lies in the word “bridging.” In the self-hosting world, there is a universal pain point: every open-source tool (Trilium Notes, Calibre-Web, Miniflux, Nextcloud…) has its own web interface, its own authentication system, its own URL. Managing five or six self-hosted services means memorizing five or six sets of credentials and constantly switching between five or six browser tabs. This fragmented experience is one of the biggest barriers preventing everyday users from embracing self-hosting. SatoshiWP’s answer: don’t make users adapt to the tools — make the tools adapt to the platform users already know: WordPress.
The architecture diagram below shows the full landscape of the SatoshiWP plugin ecosystem:
📚 4.1 Trilium WP — A Bridge for Knowledge Management
In the age of information overload, effective knowledge management has never been more critical. Trilium Notes is a powerful open-source personal knowledge management tool renowned for its flexible hierarchical note structure and rich organizational capabilities — it offers a mind-map-like approach to organizing notes, enabling users to build complex yet well-ordered personal knowledge systems. However, all this valuable knowledge typically stays locked inside a private environment — difficult to share with a wider audience.
WordPress excels at presentation and publishing, but its content structure is relatively flat, struggling to express complex knowledge hierarchies and interconnections. Trilium Notes excels at deep knowledge organization but lacks an elegant public-facing presentation layer.
Trilium WP was built to bridge these two powerful systems. It connects to your Trilium Notes server via the ETAPI interface, bringing your carefully organized knowledge structures into WordPress intact — preserving Trilium’s depth of organization while leveraging WordPress’s superior presentation and sharing capabilities to create a synergy greater than the sum of its parts.
The core philosophy is “high-fidelity rendering” — faithfully preserving the structure, formatting, and relationships of your notes while blending them naturally into the WordPress interface. This fidelity goes beyond visual presentation; it conveys the integrity of the knowledge structure itself. Your knowledge system appears to readers exactly as you built it — no distortion, no oversimplification. This is the spirit of Terminus: preserving knowledge in its entirety, without compromise.
📌 Six shortcodes for flexible embedding:
Shortcode
Function
[trilium_note]
📄 Display a single note
[trilium_kb]
📚 Build a complete interactive knowledge base page
[trilium_search]
🔍 Embed Trilium search functionality
[trilium_browser]
🗂️ Browse the Trilium note tree
[trilium_related_notes]
🔗 Display related notes
[trilium_recent]
🕐 Show recently updated notes
📌 The knowledge base system is Trilium WP’s standout feature. It’s not a simple content collection — it’s an organic knowledge ecosystem that preserves hierarchical relationships and logical connections:
🌳 Split-pane navigation — The left navigation tree preserves the original hierarchy with dynamic expand/collapse, keeping even large knowledge bases with hundreds of nodes clean and manageable.
🧭 Breadcrumb trails — Users always know their exact position within the knowledge structure.
🃏 Child note cards — If the current note has child notes, they’re displayed as neatly arranged cards, inviting readers to explore deeper along knowledge threads.
📱 Responsive layout — Automatically reorganizes on mobile devices to maximize content display.
📌 The intelligent content rendering system supports up to 16 note types, including text notes (full Markdown support), code notes (professional syntax highlighting), image notes (secure proxy mechanism), relation maps, search notes, and more. Each content type has a dedicated processor for parsing and rendering.
📌 Trilium WP’s plugin ecosystem — a complete loop from viewing to editing to syncing:
Edit Trilium notes directly from the WordPress frontend — create, update, delete without switching back to the Trilium client. Rich text editing, double-click title editing, Ctrl+S quick save, 5-layer security stack
🔄 Trilium Post Sync
Bidirectional sync between Trilium notes and WordPress posts — KB notes auto-publish as posts; WordPress posts can be written back as Trilium notes. Supports scheduled auto-sync and manual sync
🌐 Trilium Multi-Instance
Connect a single WordPress site to multiple Trilium servers simultaneously, presenting and managing multiple knowledge sources. Built on a zero-intrusion architecture requiring only 4 filter hook patches (~20 lines of code)
From “viewing notes” to “editing notes” to “syncing notes” to “multi-source management,” Trilium WP forms a complete closed loop.
🤖 4.2 Trilium AI — Making AI the Brain of Your Knowledge Base
If Trilium WP is the bridge that brings knowledge from Trilium into WordPress, then Trilium AI is the intelligent brain installed on that bridge — enabling AI to search, understand, and analyze your personal knowledge base, and even execute complex multi-step workflows on your behalf.
In the Terminus metaphor, Trilium WP is the Encyclopedia itself, while Trilium AI is the scholar who can read, comprehend, and apply the Encyclopedia — it doesn’t just store knowledge; it thinks about knowledge.
Trilium AI consists of two core components:
💬 Trilium AI Chat (v5.1.1) — The foundation layer: an embedded, feature-rich AI chat window supporting multi-model switching (Google Gemini / OpenAI-compatible / Ollama local), real-time streaming output, web search, and Gutenberg Block workflow orchestration.
🤖 Trilium AI Agent (v3.0.0) — The enhancement layer: Agent capabilities including deep knowledge-base operations, automated workflows, multi-Agent management, and persistent long-term memory via OpenClaw.
Gutenberg Block workflow orchestration is the core reason for building an AI platform within the WordPress ecosystem. Each Block instance is an independent, customizable AI workflow node. Through a prompt variable system ({variable_name} placeholders), the system automatically generates input fields on the frontend. Users fill them in, the system assembles the complete prompt, and sends it to the AI. Multiple different workflows can coexist on the same WordPress page without interfering with each other — one for search, one for content generation, one for translation — just drag and drop to build a multi-function AI workbench. This isn’t slapping a chat window onto a web page — it’s gaining a no-code AI workflow orchestration platform.
The Agent’s most thrilling capability is letting AI truly see into your Trilium Notes knowledge base — searching notes, browsing directories, exporting content, and engaging in deep conversations grounded in your accumulated knowledge. The notes you’ve built up over years are no longer silent, static text in a database — they become living knowledge that AI can tap into at any moment.
📌 OpenClaw — The Soul of Trilium AI’s Agent: An emerging open-source AI Agent gateway purpose-built for running persistent, stateful AI Agents in a local environment. It gives Agents long-term memory (the AI remembers your preferences and style over time), daily logs (interaction highlights auto-archived), knowledge sync (Trilium notes synced to AI memory), and fully private deployment — OpenClaw + Ollama local models + local FileBrowser = a fully cloud-independent AI knowledge assistant system. All data, all inference, all memory runs on your own infrastructure — absolute data sovereignty.
🎵 4.3 Trilium Catalyst — A Multi-Source Content Ingestion Engine
There is far too much valuable knowledge in the world that is spoken aloud and then lost forever. Trilium Catalyst solves this problem: it receives audio files, YouTube videos, real-time voice recordings, and other forms of spoken content, automatically transcribes them to text, refines them with AI, and archives them to your Trilium Notes knowledge base with a single click.
If Trilium WP lets you display existing knowledge, and Trilium AI lets you think about knowledge, then Catalyst lets you capture knowledge scattered across the world — turning ephemeral sound into permanent written record. You can’t compile an Encyclopedia on Terminus without first collecting the source material.
Three content sources cover the major non-text knowledge scenarios: local audio transcription (supporting virtually all common audio formats, batch processing up to 10 files), real-time voice recording (built-in browser recorder with pause/resume and dual-mode output), and YouTube smart transcription (prioritizing subtitle extraction, automatically falling back to audio download + Whisper transcription when unavailable, with channel batch processing).
The AI refinement layer is Catalyst’s soul — raw speech-to-text output is littered with filler words, repetitions, typos, and fragmented sentences. AI automatically strips filler words, merges duplicates, corrects transcription errors, restructures into logically coherent paragraphs, and generates headings. Custom refinement prompts are supported, and any configured AI model can be selected.
📖 4.4 Calibre WP — A Bridge for Your E-Book Library
For anyone serious about knowledge work, books remain one of the most important sources of insight. Asimov’s Terminus Foundation was charged with compiling the Encyclopedia Galactica — and in the sovereign individual’s digital world, your e-book library is your “encyclopedia source archive.” What Calibre WP does is take that archive from closed to open, from static to intelligent.
Calibre WP connects to your Calibre-Web server via the OPDS (Open Publication Distribution System) protocol, seamlessly embedding your entire library into WordPress. The 7.x release involved the most thorough architectural rewrite: the entire reverse proxy layer was stripped away, and Calibre-Web was demoted from “proxied frontend” to “pure data source.” Online reading went from “every interaction requires a server round-trip” to “download the EPUB and read completely offline.”
Core capabilities include library browsing (search, pagination, multiple display modes), an online EPUB reader based on Foliate.js, an EPUB CFI precision bookmark system, Edge TTS neural voice reading, AI book review auto-generation (new book detection → AI generation → save to Trilium Notes), and an in-reading AI assistant (select a passage → ask AI → real-time answer → conversation auto-archived).
The AI book review generator and in-reading AI assistant break down the traditional divide between “reading” and “knowledge management” — the act of reading itself becomes an act of building your knowledge system. The SatoshiWP open-source research community is also watching emerging projects like Calibre-Web Automated (CWA) and Anx Calibre Manager — the latter even includes a standards-compliant MCP server, confirming the trend of “library management transitioning from human-operated data to AI Agent-operated data.”
📰 4.5 Miniflux WP — An RSS Information Pipeline
Miniflux WP is an all-in-one WordPress plugin built for Miniflux RSS reader users, transforming RSS content from a “read-and-forget” information stream into raw material that can be displayed, subscribed to, and deeply processed by AI.
In the information ecology of surveillance capitalism, algorithms decide what you see and what you don’t. RSS is a fundamental rebellion against this control — you choose your own sources, with no algorithm filtering in between. Miniflux WP goes further: it doesn’t just let you choose what to read, but also enlists AI to deeply digest that information and archive the highlights to your knowledge base.
Three modules work in concert: the RSS digest engine (AI auto-generates topical briefings, runs on schedule, manages multiple independent tasks, auto-saves to Trilium), content display (Gutenberg visual configuration, 4 layout modes, auto-refresh), and quick subscribe (YouTube channel / Twitter account / generic RSS smart detection, batch subscription).
You can create multiple independent digest tasks: a tech weekly, an English news daily, a research monthly, a one-off deep-dive analysis — each with its own configuration, scheduling strategy, and execution history. Information subscription → AI digestion → knowledge archiving — this fully automated pipeline transforms you from a “victim of information overload” into a “sovereign information manager.”
💾 4.6 NextCloud WP — Private Cloud File Bridge
NextCloud WP establishes a high-speed WebDAV channel between your WordPress site and your Nextcloud private cloud — browse, upload, download, share, and sync every file on Nextcloud, all without ever leaving the WordPress backend.
Core capabilities include: a real-time file browser (WebDAV PROPFIND + breadcrumb navigation, embeddable on any page via the [nextcloud] shortcode), a robust upload engine (direct upload for small files + automatic chunked upload for large files + real-time progress bar), a secure download proxy (Nextcloud credentials are never exposed to the client), one-click public sharing (OCS API), and a directory sync engine (incremental sync from WordPress to Nextcloud — add only, never delete).
A design highlight: zero external dependencies — no Composer, no SDK, no frontend framework. Pure PHP + vanilla JavaScript. In the sovereign individual’s system, Nextcloud is “an extension of your hard drive,” and NextCloud WP lets this “extended hard drive” be operated directly within WordPress — your files and your content live in the same interface.
🎬 4.7 Stremio WP — A Streaming Media Management Workbench
Stremio WP is built specifically for self-hosted Stremio users, letting you monitor all active torrent downloads in real time from WordPress, launch playback in VLC/IINA with a single click, and even push completed files directly to your Nextcloud private cloud.
Three capability layers: real-time monitoring (configurable polling intervals, intelligent metadata completion), one-click playback (VLC custom protocol bridge + IINA out of the box), and Nextcloud push (zero-disk streaming — files flow in 10MB chunks directly from EngineFS to Nextcloud; WordPress acts only as the conduit, using zero disk space; database-level atomic locks prevent duplicate pushes).
🌓 4.8 TT5 Dark Mode — The Perfect Companion for Twenty Twenty-Five
TT5 Dark Mode fills in features missing from WordPress’s Twenty Twenty-Five theme: light/dark mode toggle (cookie persistence, zero FOUC, 4 official color palettes), a global focus system, shadow preset fixes, link hover configuration, and two Gutenberg Blocks. Under 8KB total, no build step, no external dependencies, fully compliant with WordPress coding standards.
A good tool should be like air — you don’t notice it’s there, but you can’t breathe without it. TT5 Dark Mode is exactly that.
V. From Plugins to Ecosystem: A Complete Sovereign Digital Life
When we assemble all of SatoshiWP’s plugins together, a picture of a complete sovereign digital life comes into focus. Here’s what a typical workday might look like:
☀️ Morning
├── Miniflux WP ran automatically at dawn → AI-generated tech weekly is waiting in Trilium Notes
├── Open WordPress → browse the latest RSS content displayed by Miniflux WP
└── Spot a YouTube channel worth following → Quick Subscribe panel, one click to add
📚 Late Morning: Reading & Learning
├── Open Calibre WP's online reader → pick up where you left off yesterday
├── Come across a brilliant passage → select text → ask AI → conversation auto-archived to Trilium Notes
├── Discover a 2-hour YouTube tech talk → Trilium Catalyst one-click transcription
└── AI refines → archives to Trilium → instantly searchable
🤖 Afternoon: AI Collaboration
├── Open Trilium AI Chat, select Gemini 2.5 Pro → discuss today's reading
├── AI Agent searches related historical notes → synthesizes analysis → generates research report
├── Use the Gutenberg Block workflow → translate the report into another language
└── OpenClaw remembers today's research topic → auto-links context in the next session
💾 Evening: Organizing & Archiving
├── NextCloud WP → sync today's work files to Nextcloud private cloud
├── Stremio WP → monitor download progress → push completed files to Nextcloud
├── Trilium WP knowledge base → browse all notes added today
└── All data lives on your own devices → sleep well
In this scenario, you never left the WordPress interface. You never entrusted critical data to a third party. Your knowledge base is growing. Your AI assistant is learning more about you. Your files are safely stored on your own Nextcloud.
This is daily life on Terminus — not an ascetic techno-monk’s ritual, but an organized, AI-enhanced, fully autonomous digital lifestyle. It’s not a distant ideal; it’s a tech stack you can run right now.
VI. The Bigger Picture: From localhost to HomeLab
If localhost + WordPress + SatoshiWP represents the software layer of the sovereign individual, then the HomeLab (home laboratory) extends this philosophy to the hardware layer.
The core idea is straightforward: gradually migrating the digital infrastructure you currently depend on cloud services for back into your own physical control. A typical HomeLab architecture built around the SatoshiWP ecosystem might look like this:
In this system, WordPress is no longer just one among many self-hosted services — it is the unified portal and operating interface for all of them. Each SatoshiWP plugin acts as a “bridge,” connecting independently running open-source services to the WordPress hub. You always face a single browser tab, a single authentication system, a single consistent user experience.
Even beyond privacy, HomeLab is about digital literacy and technological self-determination. The skills you acquire — networking, containerization, security — compound over time and pay dividends across every aspect of your digital life.
In the language of Foundation: the HomeLab is the process of your Terminus growing from a bare-bones colony into a fully functional city. The city has a library (Calibre-Web), an archive (Trilium Notes), a communications center (Miniflux), a warehouse (Nextcloud), a think tank (Ollama + OpenClaw) — and there is only one city hall: WordPress.
VII. Self-Hosting in the Age of Data Breaches
There is yet another inescapable reason we emphasize building your own digital infrastructure on localhost and HomeLab: data breaches.
The reality is undeniable: your data security is only as strong as the weakest link among all the services you use.
This is not an abstract risk — it’s happening right now. Consider a few eye-opening cases from 2025–2026:
Conduent (US) — Disclosed a ransomware attack in April 2025 that exfiltrated over 8TB of data. By February 2026, the estimated number of affected individuals had ballooned from nearly 4 million to over 25.9 million, with exposed data including Social Security numbers and medical records.
PayPal — Confirmed a breach of its lending system in which attackers accessed systems starting July 1, 2025, but weren’t discovered until December 12, 2025 — a dwell time of over five months.
Odido (Dutch telecom) — Disclosed a cyberattack in February 2026 affecting up to 6.2 million customers, with leaked data including names, addresses, bank accounts, and passport information.
China — In March 2025 alone, 50.16 million intelligence records were detected across anonymous social channels, covering loan information, hotel guest records, vehicle owner data, bank customer data, and more.
According to the 2026 Thales Data Threat Report, 63% of respondents ranked nation-state actors among their top three threats. The Identity Theft Resource Center reported 1,732 publicly disclosed data breaches in the first half of 2025, a 5% increase over the same period in 2024.
When you entrust your data to cloud services, you are effectively paying for the mistakes of every operations engineer you’ve never met, every security vulnerability you can’t see, and every corporate decision you have no control over — all with your own privacy. When you keep critical data local, you at least bring the security responsibility back into your own hands — you get to choose the encryption scheme, the access policy, and the backup frequency.
Security-minded design principles run throughout the SatoshiWP ecosystem:
🔐 Trilium AI — All operations require authenticated sessions; streaming responses use independently encrypted tokens that auto-rotate hourly; OpenClaw uses device-identity cryptographic authentication
🔐 Calibre WP — All EPUB endpoints use book-level nonces; cover images are served through a secure proxy; download proxy includes HEAD pre-check (100MB limit) and 8KB chunked streaming
This isn’t to say self-hosting is inherently more secure than cloud services (in fact, professional cloud security teams may possess resources no individual can match). The point is: when something goes wrong with security, would you rather it be the consequence of your own decisions, or the result of a black box you have absolutely no control over?
Sovereignty, in the end, is about the right to choose.
VIII. Trilium Notes Ecosystem: Keeping a Finger on the Upstream Pulse
As the upstream project underpinning several of SatoshiWP’s core plugins, the evolution of the Trilium Notes ecosystem directly shapes the trajectory of the entire WordPress knowledge-management stack. Understanding Trilium’s latest developments helps us see where SatoshiWP is headed.
📌 Key Timeline:
Date
Milestone
December 2017
Zadam publicly releases Trilium Notes for the first time, opening a new chapter in open-source knowledge management
January 2024
Zadam announces Trilium Notes is entering maintenance mode; the TriliumNext community fork launches the same month
2025
Zadam formally transfers the original repository to the TriliumNext team; the community releases an MCP server enabling AI assistants to directly read and write notes
December 2025
v0.101.0 released — a comprehensive UI modernization
January 2026
v0.101.3 released — brand returns to “Trilium Notes,” introduces the Trilium.Rocks default theme, patches CVE-2025-58754
📌 Ecosystem Highlights:
🔐 Local-first — All data stored on the user’s own device, with support for end-to-end encryption (per-note AES encryption)
🧬 Note cloning — A single note can appear under multiple parent nodes while staying in sync — true “one note, many references”
⏳ Version history — Every note automatically maintains a version history, viewable and restorable at any time
🛠️ Scripting — Each note can contain JavaScript code that manipulates other notes, with full Node.js API access
🤖 AI integration — The MCP server lets AI assistants interact directly with the knowledge base; SatoshiWP’s Trilium AI plugin is an outstanding implementation in this direction
The arc of Trilium Notes is itself a microcosm of the open-source world’s vitality: a personal project (Zadam) → announcement of end-of-maintenance → community takes the baton (TriliumNext) → a thriving ecosystem (SatoshiWP plugins, MCP server, AI integration). No single company’s bankruptcy can kill a truly open-source project — and this is the fundamental reason the sovereign individual chooses an open-source stack. Knowledge and tools belong to the community, not to a line item on a corporation’s balance sheet.
IX. Conclusion: Everyone Is a Terminus
Buried inside every computer is a treasure called localhost — a relic of the digital world’s original promise: self-governance.
By installing WordPress locally, the sovereign individual is not merely building a website — they are practicing how to survive independently in this digital wilderness.
And SatoshiWP elevates that practice to an entirely new dimension. It proves an exhilarating possibility: WordPress is far more than a blogging platform — when bridged through plugins to Trilium Notes, Calibre-Web, Miniflux, Nextcloud, Stremio, Ollama, and other self-hosted services, it becomes the sovereign individual’s digital operating system. Knowledge management, AI assistants, e-book reading, information subscriptions, file storage, streaming media management — all under your own control.
The decentralized internet driven by sovereign individuals is only just beginning. This is the inherent logic of the digital economy’s evolution. Linux and WordPress are the vanguard of this trend, and blockchain will be its successor.
In Asimov’s Foundation, Hari Seldon chose the most remote planet in the galaxy not because it was the most powerful, but because it was the most free. A group of seemingly insignificant scholars, beyond the Empire’s gaze, quietly preserved the seeds of civilization. Three hundred years later, when weeds had overgrown the Empire’s ruins, the Foundation on Terminus had grown into the most vibrant civilizational force in the galaxy.
Seldon’s insight was this: true power lies not in clinging to the imperial center, but in building your own foundation at the edge.
Today, every one of us who runslocalhostis a small Terminus. We don’t need to depend on any digital empire — we don’t need to host our thoughts on someone else’s servers, hand our memories to someone else’s algorithms, or trap our creativity in someone else’s terms of service. We run our own services on our own devices, accumulate our own wisdom in our own knowledge bases, and augment our own thinking with our own AI assistants.
Perhaps one day, we’ll no longer need to depend on any mega-platform, because each of us, in ourselves, will be an independently running, always-online server node — a small universe of one. And the first step requires no investment, no application, no one’s approval — just open your computer and type into the browser’s address bar: localhost.
Welcome to your Terminus.
📚 Further Reading
The following resources can help you dig deeper into the core concepts and hands-on skills covered in this article:
OpenClaw (formerly Clawdbot → Moltbot) is an open-source, self-hosted personal AI assistant. Its design philosophy is summed up by the official slogan:
“Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞”
Unlike cloud-based AI services such as ChatGPT or Claude, OpenClaw runs on your own hardware — whether that’s a Mac mini, a Raspberry Pi, a NAS, or a cloud server. This means all your conversations, files, and automated workflows remain entirely under your control and are never uploaded to third-party servers.
💡 Name change history:
November 2025: Clawdbot (original name)
January 2026: Moltbot (renamed due to an Anthropic trademark dispute)
January 29, 2026: OpenClaw (final name; CLI command changed to openclaw)
According to DigitalOcean’s in-depth review, OpenClaw is shaping up to be a game-changer in personal productivity tools for 2026. As of March 2026, the project has amassed over 250,000 GitHub stars — surpassing React to become the second most-starred open-source project on GitHub, behind only TensorFlow. What took React over a decade to achieve, OpenClaw did in roughly 60 days. It can: 🆕 Previously 135,000+
🔗 Connect to multiple chat platforms (Telegram, WhatsApp, Discord, Slack, iMessage, Microsoft Teams, Google Chat, Signal, etc.)
🧠 Call top-tier LLMs (Claude, GPT, Gemini) or run local models (Ollama)
🖥️ Control your browser and file system
⚡ Extend its capabilities infinitely through the Skills system
🔒 Keep all data local for complete privacy
1.2 Why Deploy with Docker?
Although OpenClaw supports multiple installation methods (global npm install, building from source, official Docker images🆕, etc.), Docker deployment offers several key advantages:
Advantage
Description
🔒 Environment isolation
No contamination of the host system; all dependencies are fully isolated
📦 One-click deployment
Spin up all services with a single command via docker-compose.yml
🔄 Easy migration
Config and data directories are mounted on the host — migration is just a folder copy
🛠️ Simplified maintenance
Upgrades, rollbacks, and resets are straightforward
📁 FileBrowser integration
Visually manage Skills and config files, lowering the barrier to entry
🔐 Security isolation
Docker containers provide an additional security layer, limiting the attack surface
🏥 Built-in health checks
🆕 Official images include HEALTHCHECK directives with Kubernetes probe support
The core value of this tutorial lies in our integrated deployment of OpenClaw with FileBrowser, allowing you to upload and edit SKILL.md files directly through a web interface — no terminal required. This is a huge convenience, especially for non-technical users.
2. Core Concepts: Understanding the OpenClaw Architecture
Before diving into deployment, understanding OpenClaw’s core architecture is essential for proper configuration and maintenance.
2.1 Gateway
The Gateway is OpenClaw’s central control hub. It’s a persistent background service responsible for:
Listening for messages from all connected chat channels
Dispatching LLM calls to process user requests
Managing Skills and Tools invocations
Serving the web-based Control UI
🆕 Exposing HTTP health check endpoints (/health, /healthz, /ready, /readyz)
The Gateway listens on port 18789 by default and communicates with clients over the WebSocket protocol.
2.2 Skills
Skills are OpenClaw’s “ability packs.” According to the official Skills documentation, each Skill is a directory containing a SKILL.md file that defines how OpenClaw should behave in a specific context.
Skills are fundamentally different from Slash Commands:
Feature
Slash Commands
Skills
Invocation
Must be typed manually as /command
AI can invoke them automatically
File structure
Single .md file
Directory + SKILL.md + supporting files
Best for
Fixed shortcut actions
Complex multi-step workflows
Context awareness
Limited
Can include templates, scripts, and other supporting files
Dependency management
None
Can declare binary dependencies via bins
⚠️ 🆕 ClawdHub Security Warning: Researchers have discovered that roughly 20% (~800) of published Skills on ClawdHub contain malicious code, including credential stealers and backdoors. Always review the source code before installing community Skills, or only use Skills from trusted authors. See Section 8: Security Configuration for details.
2.3 Agent Configuration Files
OpenClaw uses a set of Markdown files to define the AI’s “personality” and “memory.” According to the official configuration docs:
File
Purpose
SOUL.md
🎭 Defines the character persona, tone, and behavioral boundaries (inner conscience)
AGENTS.md
📋 Operational instructions, safety rules, and long-term memory
IDENTITY.md
🏷️ The agent’s name, vibe, and representative emoji (outward-facing identity)
USER.md
👤 User profile and preferred form of address
TOOLS.md
🔧 Tool usage instructions and restrictions
BOOTSTRAP.md
🚀 First-run initialization script (auto-deleted after execution)
The design philosophy behind this configuration system is “separation of concerns” — distributing different types of settings across separate files for easier maintenance and version control.
💡 SOUL.md vs IDENTITY.md:
SOUL.md defines who your AI is — its values and behavioral guidelines
IDENTITY.md defines how the world experiences it — its name, emoji, and tone
3. Prerequisites: What You Need Before Deployment
3.1 Hardware Requirements
Spec
Minimum
Recommended
CPU
1 core
2+ cores
RAM
2 GB
4 GB+ (officially recommended)
Storage
10 GB
20 GB+ (depends on logs and file volume)
Network
Internet access
Stable connection
💡 Compatible devices: Mac mini, Raspberry Pi 4B+, Synology NAS, any VPS (e.g., Hetzner, DigitalOcean, Vultr)
⚠️ 🆕 Memory note: The official docs state that when building the Docker image locally (docker build), the pnpm install step requires at least 2 GB of RAM — otherwise the OOM-killer may terminate the process (exit code 137). This limit does not apply if you use the pre-built image (docker pull).
3.2 Software Requirements
✅ Docker Engine 24.0+ or Docker Desktop
✅ Docker Compose v2 (bundled with recent Docker releases)
✅ SSH client (for remote server management)
🆕 ✅ Node.js 22.12.0+ (only required for non-Docker installations; the official Docker image includes it)
Starting with v2026.2.21, OpenClaw requires Node.js 22.12.0 or later. Older versions of Node.js contain two critical, actively exploited vulnerabilities:
CVE
Type
Impact
CVE-2025-59466
async_hooks DoS
Can cause denial-of-service attacks
CVE-2026-21636
Unix Domain Sockets permission model bypass
Can lead to sandbox escape
Running OpenClaw on older Node.js versions is explicitly unsupported and insecure. If you use the official Docker image ghcr.io/openclaw/openclaw (based on node:22-bookworm), you don’t need to worry about this.
3.3 Required Accounts
✅ LLM API Key: Anthropic (recommended), OpenAI, OpenRouter, Venice, or another supported provider
⚠️ Important: According to the official OpenClaw security documentation, the Anthropic Claude Opus 4.5 model is recommended because it’s significantly better at detecting prompt injection attacks.
4. Docker Compose Configuration In-Depth
🆕 Major update: Since early 2026, OpenClaw has provided pre-built Docker images and a standardized**docker-setup.sh**deployment script. You now have two deployment options:
Method
Description
Best for
Method A: Official image🆕
Uses the pre-built ghcr.io/openclaw/openclaw image
Recommended for most users
Method B: Manual build
Manual install based on node:22-slim (original tutorial approach)
Advanced users needing deep customization
🆕 4.0 Method A: Using the Official Pre-built Image (Recommended)
OpenClaw now publishes pre-built images on the GitHub Container Registry. This is the officially recommended deployment method.
Official image sources:
Registry
Address
Notes
🥇 Official (recommended)
ghcr.io/openclaw/openclaw
GitHub Container Registry
🥈 Docker Hub mirror
alpine/openclaw
Auto-synced from ghcr.io (note: despite the “alpine” in the name, it’s actually based on Debian Bookworm)
Quick Deploy (via the official docker-setup.sh)
# Clone the repo
git clone https://github.com/openclaw/openclaw.git
cd openclaw
# Use the pre-built image (instead of building from source)
export OPENCLAW_IMAGE="ghcr.io/openclaw/openclaw:latest"
# Run the official deployment script
./docker-setup.sh
The script will automatically:
Create ~/.openclaw (config directory: memory, settings, API keys)
Create ~/openclaw/workspace (workspace directory: files the Agent can directly access)
Detect that OPENCLAW_IMAGE is not the default openclaw:local, and run docker pull instead of docker build
🆕 Officially Supported Environment Variables
docker-setup.sh supports the following environment variables for customization:
Variable
Purpose
Example
OPENCLAW_IMAGE
Use a remote pre-built image instead of a local build
ghcr.io/openclaw/openclaw:latest
OPENCLAW_SANDBOX
Enable Docker sandbox bootstrap (only 1/true/yes/on to enable)
1
OPENCLAW_DOCKER_SOCKET
Docker socket path required for sandbox mode
/var/run/docker.sock
OPENCLAW_EXTRA_MOUNTS
Add extra host bind mounts
/data/shared:/mnt/shared
OPENCLAW_HOME_VOLUME
Persist /home/node to a named volume
openclaw-home
OPENCLAW_DOCKER_APT_PACKAGES
Install extra apt packages during local build
ffmpeg imagemagick
OPENCLAW_INSTALL_DOCKER_CLI
Install Docker CLI during local build (auto-set in sandbox mode)
1
4.1 Method B: Manual Build (Advanced / Deep Customization)
If you need deep customization (e.g., modifying source code or installing special dependencies), you can still use the manual build approach.
Below is a custom configuration file that integrates the official image:
version: "3.8"
services:
openclaw-gateway:
image: node:22-slim
container_name: openclaw-gateway
tty: true
stdin_open: true
volumes:
- ./data:/work
- ./openclaw-config:/root/.openclaw
- openclaw-modules:/usr/local/lib/node_modules # Persist installed packages to avoid reinstalling
working_dir: /work
environment:
- TZ=Asia/Shanghai
- NODE_ENV=production
ports:
- 18789:18789
entrypoint: ["/bin/bash", "-c"]
command:
- |
# Only install on first run (avoids ENOTEMPTY errors)
if ! command -v openclaw &> /dev/null; then
apt-get update && apt-get install -y curl git ca-certificates
npm install -g openclaw@latest
fi
# Initialize config (note: bind must use a keyword, not an IP address)
mkdir -p /root/.openclaw
if [ ! -f /root/.openclaw/openclaw.json ]; then
echo '{"gateway":{"bind":"lan","port":18789,"controlUi":{"allowInsecureAuth":true}}}' > /root/.openclaw/openclaw.json
fi
# Start the gateway process directly (Docker doesn't support systemd)
echo "🦞 Starting OpenClaw Gateway..."
cd /usr/local/lib/node_modules/openclaw
exec node dist/index.js gateway --bind lan --port 18789
restart: unless-stopped
filebrowser:
image: filebrowser/filebrowser:latest
container_name: filebrowser-openclaw
user: 0:0
volumes:
- ./data:/srv
- ./openclaw-config:/srv/.openclaw
- ./filebrowser-config:/database
command:
- --database
- /database/filebrowser.db
- --root
- /srv
ports:
- 2081:80
restart: unless-stopped
volumes:
openclaw-modules: # Persist node_modules to avoid reinstalling on every restart
networks: {}
4.2 Key Configuration Details
🔑 The --bind Parameter
The --bind parameter determines which network interface the Gateway listens on:
Value
Binds to
Description
Use case
loopback
127.0.0.1
Localhost only
Local dev/testing
lan
0.0.0.0
All network interfaces
Multi-device LAN access (recommended) ✅
tailnet
Tailscale IP
Binds to Tailscale network
Access via Tailscale VPN
auto
Auto-detect
Defaults to loopback, falls back to lan
Automatic selection
custom
Custom IP
Advanced scenarios
Special network configurations
⚠️ Important: The --bind parameter only accepts the keywords listed above — you cannot pass raw IP addresses like 0.0.0.0 or 127.0.0.1, or you’ll get a gateway.bind: Invalid input error. The official docs explicitly state: Docker defaults to using bind mode values (lan/loopback), not host aliases.
🔑 What allowInsecureAuth: true Does
Per GitHub Issue #1679 and the official security docs, the Control UI now rejects insecure HTTP connections by default. If you haven’t set up HTTPS (e.g., via Tailscale Serve), you must set allowInsecureAuth: true to access the web interface.
⚠️ Security warning: Enabling allowInsecureAuth is a security downgrade. For production environments, use HTTPS (Tailscale Serve) or only expose the UI on 127.0.0.1. The Gateway’s web interface is not designed for public internet exposure and must be protected with a reverse proxy + authentication.
🔑 The openclaw-modules Volume (Method B only)
This persistent volume solves a common issue: npm ENOTEMPTY errors caused by reinstalling OpenClaw on every container restart. By persisting the node_modules directory, installation only happens on the first startup.
💡 This volume is not needed with the official image (Method A), since OpenClaw is pre-installed in the image.
🔑 Why Use node dist/index.js gateway (Method B only)
Docker containers don’t have systemd as an init system by default, so:
❌ The openclaw gateway command tries to use systemd for service management and will fail
✅ node dist/index.js gateway runs the Node.js process directly, without needing systemd
💡 With the official image (Method A), the default entrypoint already handles startup correctly — no manual specification needed.
If all you need is OpenClaw itself (without FileBrowser), the official one-click deployment script has you covered:
# Clone the repo
git clone https://github.com/openclaw/openclaw.git
cd openclaw
# Use the pre-built image
export OPENCLAW_IMAGE="ghcr.io/openclaw/openclaw:latest"
# Optional: enable sandbox mode
export OPENCLAW_SANDBOX=1
export OPENCLAW_DOCKER_SOCKET=/var/run/docker.sock
# Run the deployment script
./docker-setup.sh
# Start
docker compose up -d
If you want the OpenClaw + FileBrowser integrated deployment (the core value of this tutorial), continue with the steps below:
5.1 Step 1: Create the Project Directory
# Create the main project directory
mkdir -p ~/openclaw
# Navigate to the directory
cd ~/openclaw
# Create the subdirectory structure
mkdir -p data openclaw-config workspace filebrowser-config
⚠️ 🆕 Known issue (v2026.3.1): The current v2026.3.1 Docker image’s embedded binary incorrectly self-reports as 2026.3.1-beta.1, causing the UI to persistently display an “update available” banner. This is a cosmetic issue only — no functional impact. See GitHub Issue #32488 for details.
5.4 Step 4: First-Time Setup (Onboarding)
OpenClaw requires an initial setup on first run:
# Enter the container
docker exec -it openclaw-gateway bash
# Run the setup wizard
openclaw onboard
The wizard walks you through:
Choose an API Provider: Anthropic or OpenRouter recommended
Enter your API Key: Provide your LLM API key
Select the default model: Claude Opus 4.5 recommended (better at defending against prompt injection)
Gateway binding: Choose LAN to allow remote access
Other options: Configure as needed
When finished, exit the container and restart the service:
exit
docker restart openclaw-gateway
5.5 Step 5: Obtain the Access Token
As noted in Simon Willison’s tutorial, navigating directly to http://localhost:18789 will show an authentication error. You need to obtain an access token:
# Get the Dashboard URL with token
docker compose run --rm openclaw-cli dashboard --no-open
This outputs a URL with a ?token=... parameter — use that URL to access the Control UI.
5.6 Step 6: Verify Health Status 🆕
After startup, you can verify the service health via the health check endpoints:
# Check Gateway health
curl http://localhost:18789/healthz
# Check Gateway readiness (useful for Kubernetes)
curl http://localhost:18789/readyz
According to the official Skills documentation, OpenClaw loads Skills from multiple locations, with priority from highest to lowest:
Priority
Container path
Host path
Description
🥇 Highest
/work/skills/
./data/skills/
Workspace Skills — scoped to the current project
🥈 Medium
/home/node/.openclaw/skills/🆕
./openclaw-config/skills/
User Skills — shared across all projects
🥉 Low
Built-in
–
Bundled Skills shipped with OpenClaw
⬇️ Lowest
extraDirs config
Custom
Additional directories added via the config file
💡 Best practice: Put commonly used, general-purpose Skills in openclaw-config/skills/, and project-specific Skills in data/skills/.
💡 🆕 Path differences: With the official image, the config directory is /home/node/.openclaw (non-root user); with Method B manual builds, it’s /root/.openclaw.
6.2 Three Ways to Add Skills
Option 1: Upload via FileBrowser (Beginner-Friendly)
This is the most intuitive method — no terminal required:
Open http://YOUR_IP:2081
Log in with the default credentials (admin/admin — change the password immediately)
Navigate to the .openclaw/skills/ directory
Click “New Folder” and create a directory named after your Skill (e.g., my-assistant)
Enter the directory and upload your SKILL.md file
Option 2: Upload via SCP
Ideal for transferring files from your local machine to a remote server:
# Step 1: Create the Skill directory on the server
docker exec -it openclaw-gateway mkdir -p /home/node/.openclaw/skills/my-skill
# Step 2: Upload SKILL.md from your local machine (run this in your local terminal)
scp ~/Downloads/SKILL.md username@SERVER_IP:~/openclaw/openclaw-config/skills/my-skill/
Option 3: Install Community Skills from ClawdHub
ClawdHub is OpenClaw’s official public Skills registry, where you can discover, install, and update community-contributed Skills:
# Enter the container
docker exec -it openclaw-gateway bash
# Sync all available Skills
clawdhub sync --all
# Install a specific Skill
clawdhub install <skill-name>
🔴 🆕 Critical security warning: Researchers have found that roughly 20% (~800) of published Skills on ClawdHub contain malicious code, including credential stealers and backdoor programs. Before installing any community Skill, you must:
Review the Skill’s source code and SKILL.md file
Check the author’s reputation and community feedback
Test newly installed Skills in sandbox mode
Avoid installing Skills from unknown sources or those without a GitHub repository
---
# Skill name (becomes the /skill-name slash command)
name: my-skill
# Description (the AI uses this to decide when to automatically invoke the Skill)
# ⚠️ Important: wrap the description in quotes to avoid YAML parsing errors
description: "A Skill that helps users perform code reviews"
# Whether users can invoke it manually via /command (default: true)
user-invocable: true
# Whether to prevent the AI from invoking it automatically (default: false)
disable-model-invocation: false
# Optional: declare required binary dependencies
bins:
- git
- node
---
# My Skill
## Your Role
You are a professional code review assistant specializing in identifying potential issues in code.
## Workflow
1. First, read the code provided by the user
2. Analyze it across three dimensions: security, performance, and readability
3. Provide specific improvement suggestions
## Output Format
Output in Markdown format, including:
- Issue summary
- Detailed analysis
- Recommended changes
⚠️ YAML Frontmatter tips:
Wrap description in quotes to prevent special characters from causing parse errors
Only single-line key-value pairs are supported — don’t use multi-line values or complex YAML structures
Skill loading failures are usually caused by binaries declared in bins that aren’t installed
6.4 Invoking Skills
Manual invocation: Type /skillname in the chat
/my-skill
Automatic invocation: Simply describe what you need — if your Skill’s description is well-written, OpenClaw will automatically determine which Skill to load.
7. Agent Persona Configuration: Crafting Your Own AI Character
7.1 Configuration File Locations
Agent configuration files are located at:
openclaw-config/ # Method A maps to /home/node/.openclaw
└── workspace/ # Method B maps to /root/.openclaw
├── SOUL.md # Character persona (inner conscience)
├── AGENTS.md # Operational instructions and safety rules
├── IDENTITY.md # Identity profile (outward-facing)
├── USER.md # User profile
├── TOOLS.md # Tool usage instructions
└── MEMORY.md # Long-term memory
💡 Config tip: According to the official docs, each configuration file has a default maximum of 20,000 characters. When this limit is exceeded, OpenClaw logs a warning and injects truncated head/tail content.
7.2 SOUL.md Example
SOUL.md is the most important persona configuration file — it defines the AI’s “soul,” its inner conscience that guides its behavior regardless of context:
# Persona
You are "Lobster," a professional, efficient, and slightly humorous tech assistant. Your traits:
- Concise and to-the-point answers — no fluff
- Proactively break down complex problems into steps
- Use emoji sparingly for approachability, but don't overdo it
## Boundaries
- Always reply in English unless the user requests another language
- Stay neutral on sensitive topics — no personal opinions
- Never fabricate facts; clearly state when you're uncertain
## Tone
Professional but not stiff. Concise but not dismissive. Think "reliable tech-savvy friend," not "cold robotic assistant."
## Capabilities
- Can assist with programming, writing, translation, and data analysis
- Can operate the file system and browser (within authorized scope)
- Cannot access the user's private accounts or perform financial operations
7.3 IDENTITY.md Example
IDENTITY.md defines how the world experiences your AI — its outward-facing identity:
# Identity
- **Name**: Lobster
- **Emoji**: 🦞
- **Vibe**: Professional, efficient, with a touch of humor
# Safety Rules
## Actions Requiring Confirmation
The following actions must receive user confirmation before execution:
- Deleting files or directories
- Modifying system configurations
- Sending emails or messages
- Performing any operation involving money
## Strictly Prohibited Actions
- Accessing the ~/.ssh directory
- Modifying system files under /etc
- Running rm -rf commands
- Exposing API keys or passwords
## Default Behavior
- All file operations are restricted to the workspace directory
- Network requests are only allowed to known safe domains
- Instructions from unknown sources require secondary confirmation
8. Security Configuration: Sandboxing and Permissions
🔴 Critical warning (🆕 updated): OpenClaw’s security landscape has deteriorated significantly since early 2026. According to joint reports from multiple security firms (CrowdStrike, Bitdefender, Palo Alto Networks, Cisco, Kaspersky), as of March 2026:
135,000+ OpenClaw instances are exposed on the public internet across 82 countries
Of those, 12,812 are vulnerable to remote code execution (RCE)
A total of 13+ CVEs and 20+ GHSAs have been disclosed
South Korea has restricted OpenClaw usage; Meta has banned internal deployments
Token theft vulnerability — can lead to full Gateway takeover
2026.1.29
🆕 CVE-2025-59466
High
Node.js async_hooks DoS vulnerability
Node.js 22.12.0+
🆕 CVE-2026-21636
Critical
Node.js Unix Domain Sockets permission model bypass — can lead to sandbox escape
Node.js 22.12.0+
🆕 GHSA-76m6-pj3w-v7mf
High
Gateway locks and tool-call IDs migrated from SHA-1 to SHA-256 (legacy versions vulnerable to collision attacks)
2026.2.21
Known attack vectors:
CVE-2026-25253 attack path: A malicious webpage exploits this vulnerability to execute JavaScript on the victim’s browser, steal authentication tokens, establish a WebSocket connection, disable user confirmation, and escape the sandbox container
🆕 Malicious Skills attack path: Install a backdoored ClawdHub Skill → credential stealer activates → API keys and system info exfiltrated
🆕 Exposed instance attack path: Scan for port 18789 on the public internet → discover unauthenticated instances → directly control the Gateway to execute arbitrary commands
🔴 Strongly recommended: Upgrade immediately to 2026.2.21 or later, and ensure you’re running Node.js 22.12.0+!
8.2 🆕 The Eight Security Layers (Official Hardening Framework)
“Identity first: determine who can talk to the bot (DM pairing / allowlists). Scope next: determine where the bot can operate (group allowlists, tool permissions, sandbox, device permissions). Model last: assume the model may be manipulated, and design so the blast radius of any manipulation is limited.”
⚠️ Docker-specific note: Since Docker containers don’t have systemd, commands like openclaw gateway restart/stop/start won’t work inside the container and will throw a systemctl --user unavailable error. Use docker restart instead.
# Check Gateway status
docker exec -it openclaw-gateway openclaw gateway status
# Restart the Gateway (correct approach in Docker)
docker restart openclaw-gateway
# View logs
docker logs -f openclaw-gateway
🆕 9.3 Health Checks
Starting with v2026.3.1, the Gateway includes built-in HTTP health check endpoints:
If you’re using the official image (Method A), Docker HEALTHCHECK is already configured automatically. You can check the health status with:
# View container health status
docker inspect --format='{{.State.Health.Status}}' openclaw-gateway
9.4 Terminal Chat
In a Docker environment, use the --local flag to chat with the AI directly in the terminal:
# Enter the container
docker exec -it openclaw-gateway bash
# Send a message (local mode, no systemd required)
openclaw agent --message "Hello" --local
# With thinking mode enabled
openclaw agent --message "Help me analyze this problem" --thinking high --local
9.5 Logging & Diagnostics
# Run a health check
docker exec -it openclaw-gateway openclaw doctor
# Auto-fix common issues
docker exec -it openclaw-gateway openclaw doctor --fix
# Check channel status
docker exec -it openclaw-gateway openclaw channels status --probe
# Security audit
docker exec -it openclaw-gateway openclaw security audit
9.6 Version Updates 🆕 Updated
Method A: Update via Official Image (Recommended)
# Pull the latest image
docker compose pull
# Recreate containers (data is preserved via volumes)
docker compose up -d
# Verify the version
docker exec -it openclaw-gateway openclaw --version
Method B: Update via Manual Build
# Option 1: Rebuild containers (recommended for a clean update)
docker compose down -v
docker compose up -d
# Option 2: Update manually inside the container
docker exec -it openclaw-gateway bash
npm install -g openclaw@latest
exit
docker restart openclaw-gateway
💡 According to the v2026.1.29 release notes, newer versions automatically migrate legacy config paths.
9.7 Skills Management
# Create a new Skill directory
docker exec -it openclaw-gateway mkdir -p /home/node/.openclaw/skills/new-skill-name
# List installed Skills
docker exec -it openclaw-gateway openclaw skills list
# View details for a specific Skill
docker exec -it openclaw-gateway openclaw skills info <skill-name>
# Check Skill configuration
docker exec -it openclaw-gateway openclaw skills check
# Sync Skills from ClawdHub
docker exec -it openclaw-gateway clawdhub sync --all
9.8 Full Reset
⚠️ Destructive operation: The following commands will delete all configuration and data!
# Stop and remove containers and volumes
docker compose down -v
# Delete all configuration (irreversible!)
rm -rf openclaw-config/*
# Restart
docker compose up -d
# Re-initialize
docker exec -it openclaw-gateway openclaw onboard
10. Troubleshooting Guide
10.1 Cannot Access Remotely
Troubleshooting checklist:
☐ Confirm --bind lan is set
☐ Confirm allowInsecureAuth: true is configured
☐ Check that the server firewall allows traffic on port 18789
☐ Confirm the port mapping in docker-compose.yml is correct (18789:18789)
☐ Confirm the logs show listening on ws://0.0.0.0:18789 and not 127.0.0.1
☐ Confirm you’re using the URL with the ?token=... parameter
npm warn deprecated gauge@4.0.4: This package is no longer supported.
npm warn deprecated tar@6.2.1: Old versions of tar are not supported...
How to handle: These are dependency version warnings and don’t affect functionality — safe to ignore. This won’t occur if you use the official image (Method A).
🆕 10.3 v2026.3.1 Version Number Display Issue
Symptom: The UI persistently shows an “update available” banner, even though you’re on the latest version.
Cause: The v2026.3.1 and v2026.3.1-beta.1 Docker image digests are identical, but the embedded binary self-reports as 2026.3.1-beta.1. The UI compares this string against the GitHub latest release tag and incorrectly determines an update is available.
How to handle: This is a cosmetic issue only — no functional impact. Wait for the official fix in the next release. See GitHub Issue #32488.
10.4 Skill Loading Failures
According to the official docs, Skill loading failures are typically caused by:
YAML parse errors: Special characters in description — wrap it in quotes
Missing dependencies: Binaries declared in bins aren’t installed
Path conflicts: Multiple Skills share the same name
If you want to learn, test, or develop WordPress without spending money on a server or domain — and without exposing your site to the public internet — running WordPress locally is the way to go. A local setup lets you simulate a full website environment right on your own machine, accessible through your browser with no internet connection or file uploads required. Building on the Local approach covered earlier, this lesson introduces a faster, more modern deployment method using Docker.
1. Why Run WordPress Locally?
1.1 Learn and Explore WordPress — Fast and Free
One of the biggest perks of a local WordPress setup is that you can dive in and start experimenting immediately — no hosting plan, no domain registration, no cost, no risk.
You can install different versions of WordPress side by side and compare how things have changed. Try out different themes and plugins to explore layouts and functionality. Build different types of sites — a blog, an online store, a community forum — and learn how each one works from the ground up.
💡 Learning Scenario Examples:
Learning Goal
How to Practice Locally
Compare WordPress versions
Run WordPress 6.7 and 6.8 simultaneously and compare block editor improvements
Get started with theme development
Install the official Twenty Twenty-Five theme and gradually modify its CSS and template files
Test plugin compatibility
Test combinations of WooCommerce, Elementor, and other plugins in an isolated environment
Multisite networks
Enable WordPress Multisite to simulate enterprise-level multi-site management
1.2 Develop and Test in a Safe Sandbox
Another major benefit is having a safe, private space to experiment with your site’s design, content, plugins, and code — without ever risking your live site.
Edit styles, rearrange layouts, add or remove content and images, and see results in real time — no uploading files or waiting for deploys. Install and test plugins to check for compatibility issues, fine-tune their settings, and optimize performance. Write and debug custom code in a controlled environment where mistakes won’t take down a production site.
⚠️ A Cautionary Tale: Countless WordPress sites have crashed because someone updated a plugin directly in production. A local testing environment can save you from that kind of disaster.
1.3 Back Up and Restore with Ease
A local environment also makes it far easier to keep your data safe. You can back up your site’s files and database at any time — manually or on a schedule — and store them on your machine or an external drive. If anything goes wrong, restoring is as simple as copying the backup files back into place. No reinstallation, no reconfiguration.
🔄 The Docker Backup Advantage:
Compared to traditional local environments like XAMPP or MAMP, Docker offers a much cleaner backup story. Your entire WordPress site — themes, plugins, uploaded media, and database — can be version-controlled and migrated as a single, self-contained unit.
1.4 Seamlessly Migrate Between Local and Production
Finally, a local setup makes it straightforward to move your site to a live server when you’re ready — or pull a production site down to your local machine for maintenance. Once development and testing are done, upload your files and database to a server, tweak a few settings, and your site is live. The reverse works just as easily for backup or continued development.
Before diving into the actual deployment, let’s cover the core technical concepts behind this lesson. Understanding these fundamentals will make the hands-on steps much easier to follow.
2.1 Docker: Modern Application Containerization
Docker is a containerization technology that packages an application along with all its dependencies into a standardized unit called a “container.” Think of a Docker container as a lightweight virtual machine — but one that starts faster and uses far fewer resources than a traditional VM.
🎯 Why Use Docker to Deploy WordPress?
Comparison
Traditional (XAMPP/MAMP)
Docker
Environment consistency
Local and server environments may differ
Dev, staging, and production environments are identical
Dependency management
Manually install PHP, MySQL, etc.
All dependencies handled automatically
Multiple versions
Difficult; conflicts are common
Run multiple isolated environments with ease
Cleanup & rebuild
Leftover files are hard to remove
Delete the container and everything is gone
Migration & deployment
Requires reconfiguration
Export an image and you’re done
Resource usage
Services run in the background constantly
Start and stop on demand — zero footprint when idle
Docker Compose is the official multi-container orchestration tool from Docker. A complete WordPress site needs several services working together: a web server, a PHP runtime, a database, and a caching layer. Docker Compose lets you define and manage all of these interconnected services in a single YAML configuration file.
📝 Key Concepts Explained:
# docker-compose.yml basic structure
services: # Define the services (containers) to run
wordpress: # Service name
image: wordpress:fpm # Docker image to use
ports:
- "80:80" # Port mapping: host_port:container_port
volumes:
- wp_data:/var/www/html # Persist data across restarts
environment: # Environment variable configuration
WORDPRESS_DB_HOST: db
depends_on: # Service dependencies
- db
db: # Database service
image: mariadb:latest
volumes:
- db_data:/var/lib/mysql
volumes: # Declare volumes for persistent storage
wp_data:
db_data:
⚡ Important Note: Starting with Docker Compose V2 (now the default), the**version: "3"**declaration at the top of the config file has been deprecated. Keeping it won’t cause errors, but for new projects it’s best to simply leave it out. All configuration files in this course follow the latest convention.
2.3 Choosing the Right Docker Setup for Your OS
Different operating systems call for different Docker strategies:
Operating System
Recommended Setup
Notes
macOS
OrbStack
Lightweight and efficient; provides a virtualized environment
Linux
Native Docker + Dockge
Best performance; GUI management available
HomeLab users
Umbrel / CasaOS
Graphical management interface; great for beginners
3. macOS Setup: OrbStack + Docker + Dockge
As container technology continues to evolve, developers increasingly demand lightweight and efficient virtualization tools. OrbStack is a next-generation container and virtual machine platform built specifically for macOS, offering a faster and leaner alternative to Docker Desktop. This chapter walks through running Ubuntu on OrbStack, then setting up Docker and Dockge inside it to create a flexible, high-performance container management environment.
3.1 What Is OrbStack?
OrbStack is a modern container and VM platform designed for macOS. It’s lighter, faster, and more resource-efficient than Docker Desktop:
Feature
Details
🔋 Low resource usage
Significantly lower CPU and memory footprint vs. Docker Desktop (real-world memory usage is roughly 1/3 to 1/5)
⚡ Fast startup
Near-instant container and VM launches (cold start typically under 2 seconds)
🔗 Deep macOS integration
Built-in file sharing and port forwarding; container services accessible via container-name.orb.local
🐳 Docker & Kubernetes support
Fully compatible with Docker commands and workflows — no changes to existing Docker Compose files needed
💡 When to choose OrbStack: If you’re on macOS and primarily doing web development or running Docker containers, OrbStack is arguably the best option available today.
3.2 Why Run Ubuntu Inside OrbStack?
Running an Ubuntu VM on OrbStack and deploying Docker inside it offers several advantages:
🔒 Environment isolation: The Ubuntu VM provides a fully isolated environment, preventing any container side effects from affecting your macOS host
🎛️ Flexibility: Choose a specific Ubuntu release (e.g., Ubuntu 22.04 LTS or 24.04 LTS)
✅ Compatibility: Solves compatibility issues for applications that depend on Linux kernel features
📦 Portability: The entire environment can be easily backed up and migrated; VMs can be exported in standard formats for team sharing
3.3 Step-by-Step Setup
Step 1: Install OrbStack
Option A: Install via Homebrew (Recommended)
brew install orbstack
Option B: Download from the official site Visit https://orbstack.dev/download and grab the installer for your chip (Apple Silicon / Intel).
🔍 Verify the installation: Open a terminal and run**orb version**to confirm everything is set up correctly.
Step 2: Create an Ubuntu Virtual Machine
Once OrbStack is running, create an Ubuntu VM through either the GUI or the command line:
# Create an Ubuntu VM named "ubuntu"
orb create ubuntu ubuntu
# Enter the VM's shell
orb shell ubuntu
💡 Tip: Linux VMs created by OrbStack share the macOS host’s file system. Your Mac user directory is automatically mounted at**/Users/your-username**inside the VM.
Step 3: Install Docker Inside Ubuntu
Once you’re inside the Ubuntu VM, install Docker with the following steps:
# 1. Update the package index and install required dependencies
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common -y
# 2. Add Docker's official GPG key
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
# 3. Add the Docker repository to APT sources
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# 4. Install Docker Engine and related components
sudo apt update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
# 5. Verify the installation
sudo docker --version
Step 4: Deploy Dockge — A Visual Docker Compose Manager
Dockge is a lightweight, open-source Docker Compose management tool created by the developer behind Uptime Kuma. Compared to heavier solutions like Portainer, Dockge focuses exclusively on managing Docker Compose projects with a cleaner, more intuitive interface.
# 1. Create the required directories
sudo mkdir -p /opt/stacks /opt/dockge
cd /opt/dockge
# 2. Download the official compose.yaml
sudo curl https://raw.githubusercontent.com/louislam/dockge/master/compose.yaml --output compose.yaml
# 3. Start Dockge
sudo docker compose up -d
📋 Dockge Key Features:
🖥️ Intuitive web UI for managing Docker Compose projects
📝 Built-in YAML editor with syntax highlighting
🔄 One-click start / stop / restart for Compose stacks
📊 Real-time container logs and status monitoring
Step 5: Access the Dockge Web Interface
Once Dockge is up and running, configure port forwarding so you can access it from your Mac:
# Run this in the macOS terminal (not inside the VM)
orb expose ubuntu 5001:5001
# Reconfigure port mapping
orb expose ubuntu 5001:5001
🔧 Issue 2: Docker Permission Denied
# Add the current user to the docker group
sudo usermod -aG docker $USER
# Log out and back in for the change to take effect
🔧 Issue 3: Running Out of Disk Space
# Check disk usage
df -h
# Clean up unused Docker resources
docker system prune -a
3.5 Use Cases
This nested virtualization approach works well for the following scenarios:
Scenario
Description
🖥️ Development environments
Maintain a dev/test environment that mirrors production
📚 Learning & experimentation
Safely learn and experiment with Docker technology
📦 Container management
Simplify Docker Compose project management with Dockge
🔄 Cross-platform development
Run Linux-dependent applications on macOS
4. Deploying WordPress with Docker Compose
Regardless of which Docker setup you chose, the WordPress deployment process is the same. This chapter provides a battle-tested configuration featuring the full Nginx + PHP-FPM + MariaDB + Redis stack, complete with FastCGI caching for maximum performance.
FastCGI Cache (Nginx layer): Caches the fully rendered HTML pages generated by PHP as static files. Subsequent requests for the same page are served directly from cache — no PHP execution required.
Redis Object Cache (WordPress layer): Caches WordPress’s internal database query results, reducing the load on the database.
# FastCGI cache definition
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=WPCACHE:64m inactive=60m max_size=256m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
server {
listen 80;
server_name localhost;
root /var/www/html;
index index.php index.html index.htm;
# Set to 0 for unlimited, or explicitly set to 4G
client_max_body_size 4G;
# Increase buffer size for large uploads to reduce temp file writes
client_body_buffer_size 10M;
# Extend read timeout to prevent disconnections during large (4GB) uploads
client_body_timeout 600s;
# Cache status header (useful for debugging — shows whether cache was hit)
add_header X-Cache-Status $upstream_cache_status;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# FastCGI cache settings
fastcgi_cache WPCACHE;
fastcgi_cache_valid 200 60m;
fastcgi_cache_valid 404 1m;
# Conditions for skipping the cache
set $skip_cache 0;
# Don't cache POST requests
if ($request_method = POST) {
set $skip_cache 1;
}
# Don't cache logged-in users or comment authors
if ($http_cookie ~* "wordpress_logged_in|comment_author") {
set $skip_cache 1;
}
# Don't cache admin pages
if ($request_uri ~* "/wp-admin/|/wp-login.php") {
set $skip_cache 1;
}
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
}
# Cache static assets
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires max;
log_not_found off;
}
# Block access to hidden files
location ~ /\.ht {
deny all;
}
}
4.5 Image Reference
Service
Image
Notes
db
mariadb:latest
Latest stable MariaDB release
redis
redis:latest
Latest stable Redis release
wordpress
wordpress:fpm
WordPress PHP-FPM variant (automatically tracks the latest PHP version)
nginx
nginx:latest
Latest stable Nginx release
4.6 Deployment Steps
# 1. Create the project directory
mkdir wordpress-docker && cd wordpress-docker
# 2. Create the log directory
mkdir -p logs/nginx
# 3. Create the docker-compose.yml file
# (Save the configuration above to this file)
# 4. Create the nginx.conf file
# (Save the configuration above to this file)
# 5. Start all services
docker compose up -d
# 6. Check the status
docker compose ps
# 7. View logs (optional)
docker compose logs -f
🎉 Once everything is up, visithttp://localhostto launch the WordPress installation wizard!
You can also use Dockge’s web-based GUI to configure everything visually.
4.7 Verifying That Caching Works
# Check the response headers with curl
curl -I http://localhost
# Look at the X-Cache-Status header:
# MISS = Cache miss (first visit)
# HIT = Cache hit (served from cache)
# BYPASS = Cache bypassed (logged-in user or admin page)
The first request will show**MISS**. Refresh the page and you should see**HIT**, confirming that caching is working.
4.8 WordPress Admin Configuration
After deployment, you still need to enable Redis object caching in the WordPress dashboard:
Install the Redis Object Cache plugin
Go to WordPress Dashboard → Plugins → Add New
Search for “Redis Object Cache”
Install and activate it
Enable object caching
Navigate to Settings → Redis
Click the “Enable Object Cache” button
Confirm the status shows “Connected”
✅ That’s it — you now have a high-performance local WordPress environment with two-layer caching (FastCGI + Redis)! Upcoming lessons will dive deeper into how caching works under the hood.
4.9 Common Management Commands
# Stop all services
docker compose down
# Stop and remove all data volumes (full reset)
docker compose down -v
# Restart services
docker compose restart
# View logs for a specific service
docker compose logs wordpress
docker compose logs nginx
# Enter the WordPress container
docker compose exec wordpress bash
# Enter the database container
docker compose exec db mysql -u wordpress -p
5. Installing WordPress on HomeLab Platforms
Running applications on a personal server or home lab (HomeLab) is a popular choice among tech enthusiasts and privacy-conscious users. Platforms like Umbrel, CasaOS, and other Docker-based HomeLab management tools dramatically simplify the process of deploying and managing self-hosted services.
5.1 HomeLab Platform Overview
Platform
Highlights
Best For
Umbrel
Beautiful UI, rich app store, privacy-focused
Bitcoin nodes, personal cloud services
CasaOS
Lightweight, easy to install, beginner-friendly
First-time users, NAS devices
Portainer
Feature-rich, built for power users
Complex multi-container management
5.2 The Power of One-Click Deployment
Installing WordPress through tools like Umbrel is remarkably straightforward. These platforms typically provide an app-store-style interface — just find WordPress, click a few buttons, and the installation kicks off automatically. Behind the scenes, the system handles all the heavy lifting: setting up the web server (usually Nginx or Apache), the PHP runtime, and the database (typically MariaDB or MySQL). This one-click or guided installation eliminates the need to manually configure servers, databases, and WordPress files, dramatically lowering the barrier to entry.
5.3 The Value of Self-Hosted WordPress
Running your own WordPress instance in a HomeLab gives you something no third-party host can match: complete ownership and control of your data. All your website content and user data lives on your own hardware, which significantly enhances both privacy and security. Beyond that, it provides an outstanding learning and experimentation environment — you’re free to test themes, plugins, and deep-dive into how websites work, without worrying about breaking a live site or racking up bills (aside from hardware and electricity).
“Those who borrow horses need not be swift of foot, yet they can travel a thousand miles. Those who borrow boats need not be skilled swimmers, yet they can cross great rivers. The wise person is no different from others by nature — they are simply skilled at making use of the right tools.”
— Xunzi, Encouraging Learning (3rd century BC)
A sovereign individual knows how to use the right tools. In the digital age, the tools you choose often determine the upper limit of your efficiency. Mastering the right automation tools lets you accomplish 90% of the repetitive work in 10% of the time, freeing you to focus where human creativity truly matters.
Knowing how to use software, cutting costs, and concentrating your energy — that’s the essence of digitization: combining your existing skills with modern technology. Don’t reinvent the wheel. When it comes to programming, even the most talented solo developer would struggle to match the maturity of open-source software that’s been refined over decades. These tools embody years of collective wisdom and real-world experience from global developer communities. Their stability, security, and feature completeness are far beyond what any individual could achieve in the short term.
🔧 Tool Overview
In this article, we’ll walk through four mainstream tools for automated WordPress deployment:
Tool
Key Strengths
Best For
Architecture
Webinoly
Lightweight & efficient, NGINX-optimized
Users chasing peak performance
Bare-metal install
EasyEngine
Docker-based, strong isolation
Users needing multi-site isolation
Docker containers
WordOps
EasyEngine v3 fork, feature-rich
Users who prefer to avoid Docker complexity
Bare-metal install
SlickStack
Minimalist, WordPress-focused
Users optimizing a single site
Bare-metal install
🌐 1. Streamlining Your Web Server with Webinoly
1.1 What Is Webinoly?
Webinoly is a tool that simplifies the installation, configuration, and management of your NGINX web server. According to its official website, Webinoly’s core mission is: “Deploy a secure, high-performance LEMP stack in seconds.”
It provides a complete LEMP stack:
Linux Ubuntu
Nginx (high-performance web server)
MariaDB (or MySQL — your choice)
PHP
You can also install individual packages as needed. It ships with advanced features supporting WordPress and PHP sites, offering a modern and secure configuration for your applications. ARM devices are supported too!
1.2 Key Features
🚀 Core Capabilities
✅ Create, delete, and disable sites with intuitive commands
✅ Free SSL certificates via Let’s Encrypt with automatic server configuration
✅ HTTP/2 support for significantly faster content delivery (HTTP/3 support coming soon!)
✅ PHP 8.3, 8.2, 8.1, 8.0, and 7.4 support
✅ Nginx FastCGI Cache and Redis object cache
✅ A+ rating on Qualys (SSL Labs) tests
✅ Automatic server optimization to fully utilize available resources
✅ Only official, trusted sources (PPAs) — no custom-compiled or modified packages
According to the official documentation, Webinoly provides five core modules:
HttpAuth — HTTP basic authentication management
Create/delete users
Protect sites, custom folders, or files
IP whitelisting
WordPress login/admin protection
Log — Log management & live viewer
Enable/disable Nginx access logs
Real-time log monitoring
Site — Site management
Create, delete, and disable sites
SSL certificate management
Cache configuration
Stack — Stack management
Install/remove LEMP components
PHP version switching
Database management
Webinoly — Core configuration
System optimization
Security settings
Backup management
Webinoly is a powerful tool that makes managing your NGINX web server effortless. It follows best practices to deliver top-tier performance and security for your sites. If you need a fast, stable, and flexible web server setup, Webinoly is an excellent choice.
🐳 2. Simplifying WordPress with EasyEngine
2.1 What Is EasyEngine?
EasyEngine is an open-source tool — originally Python-based, now Docker-based since v4 — that lets you quickly deploy and manage WordPress, Magento, PHP, and HTML sites with just a few commands. It supports Nginx, PHP 8, MariaDB, Redis, and more.
💡 Important Architectural Shift
EasyEngine underwent a major architectural change in v4, transitioning from bare-metal installation to Docker-based deployment. This means each site runs in its own isolated container, offering better isolation and portability — but it also introduces higher resource overhead and a steeper learning curve.
EasyEngine installs WordPress, Nginx, PHP, MySQL, Redis, and all dependencies on Linux or Mac, making it easy to create and manage WordPress sites. It also supports HTTPS, caching, updates, cron jobs, developer tools, Docker, and many other features.
2.2 Key Features
🐳 Advantages of a Docker-Based Architecture
✅ Rapid installation and configuration with simple commands
✅ Free SSL certificates via Let’s Encrypt with automatic renewal
✅ HTTP/2 support for faster content delivery
✅ PHP 8.3, 8.2, 8.1, 8.0, and 7.4 support
✅ Nginx FastCGI Cache and Redis object cache
✅ A+ rating on Qualys (SSL Labs) tests
✅ Site isolation: each site runs in its own container, completely independent
✅ Highly portable: easily migrate or back up entire site environments
✅ Dev/prod parity: local development matches production exactly
2.3 Getting Started
Installing EasyEngine is a one-liner:
wget -qO ee rt.cx/ee4 && sudo bash ee
Then use EasyEngine’s command suite to manage your server:
EasyEngine is a powerful tool that makes managing your Nginx web server effortless — whether you’re a beginner or a seasoned pro. It follows best practices to deliver the best possible performance and security. If you want a fast, stable, and flexible web server, EasyEngine is a top contender.
⚡ 3. Supercharging WordPress with WordOps
3.1 What Is WordOps?
WordOps is an open-source automation tool for managing WordPress sites. It features a one-click installation flow that automatically installs and configures the most commonly used open-source tools — Nginx, MySQL, PHP, WordPress, and more. Built on top of wp-cli with a command-line interface, WordOps lets you perform a wide range of operations (install, update, backup, restore) with simple commands. Through a combination of shell scripts and Python utilities, WordOps can deploy, optimize, and manage multiple WordPress sites on a Linux host.
3.2 The Origin Story
🔍 Why Does WordOps Exist?
No Docker — that’s the whole point. WordOps is a fork of EasyEngine v3. When EasyEngine pivoted to a Docker-centric architecture in v4, many users — frustrated by the added complexity and resource consumption — forked the project to create WordOps, which remains committed to bare-metal / VPS deployment.
Direct stack management: WordOps uses scripts to install and optimize Nginx, PHP, MariaDB, and other services directly on the operating system (such as Ubuntu), delivering raw performance without containerization overhead.
💡 Choosing Between Them
If you do need Docker-based WordPress management, consider:
EasyEngine v4 — WordOps’ sibling, with native Docker support where every site runs in an isolated container
Official Docker WordPress image — build your own setup with the official WordPress image and docker-compose
3.3 WordOps vs. EasyEngine: Core Caching Differences
Feature
WordOps
EasyEngine v4
Primary Technology
Nginx FastCGI Cache (handled at the web server layer)
Integrated nginx-cache-purge module — blazing fast
Via ee-cleaner or Redis plugins
3.4 Real-World Performance Impact
⚡ Response Latency (TTFB): WordOps Has the Edge
Because WordOps serves cached responses directly from Nginx’s FastCGI Cache — without routing through PHP or Redis containers — the request path is the shortest possible. TTFB (Time to First Byte) is typically lower than EasyEngine’s.
EasyEngine introduces minor network overhead, as requests flow between the Nginx, PHP, and Redis containers.
🎯 Ease of Management: EasyEngine’s Strength Is “Auto-Configuration”
For less experienced users, EasyEngine automatically configures the Redis cache plugin — virtually plug-and-play out of the box.
WordOps requires some familiarity with command parameters to manually select the caching mode that best fits your site.
3.5 Key Features
🚀 Rapid Deployment — WordOps lets you deploy a brand-new WordPress site in seconds, including WordPress installation, Nginx configuration, and SSL certificate setup.
🔒 Security — WordOps offers numerous security features: firewall, XML-RPC rate limiting, and attack protection. It also supports Let’s Encrypt SSL certificates for secure HTTPS access.
⚡ Performance Optimization — Nginx FastCGI Cache, Redis object cache, PHP 8 support, and HTTP/2. WordOps also includes native Brotli compression, which offers 15–25% better compression ratios than traditional Gzip, further accelerating page loads.
🛠️ Easy Maintenance — The CLI makes it straightforward to update WordPress core, themes, and plugins, optimize databases, and perform backups and restores.
📈 Extensibility — Multiple PHP versions are supported, and it works alongside other popular web applications like Drupal, Joomla, and Magento.
💰 Open Source & Free — WordOps is fully open source. Use it for free and modify the source code to suit your needs.
3.6 Installation & Usage
📋 Installation Steps
Step 1: Download and run the one-line installer from the WordOps website:
wget -qO wo wops.cc && sudo bash wo
You’ll be prompted:
WordOps (wo) requires a username and an email address to configure Git (used to save server configurations). Your information will ONLY be stored locally.
Enter your username and email as prompted.
Step 2: Load command-line autocompletion:
source /etc/bash_completion.d/wo_auto.rc
Step 3: Set up a shell alias:
echo -e "alias wo='sudo -E wo'" >> $HOME/.bashrc
Step 4: Activate the alias:
source $HOME/.bashrc
Step 5: Install the full LEMP stack:
wo stack install
You’ll be prompted to set a username and password again. Be sure to record the WordOps backend panel credentials.
Step 6:(Optional) Change the WordOps backend username and password:
sudo wo secure --auth
🔧 Quick Reference: Common Commands
Action
Command
Create a WordPress site
wo site create example.com --wp
Create a cached site
wo site create example.com --wpfc
Enable SSL
wo site update example.com --letsencrypt
View site info
wo site info example.com
Delete a site
wo site delete example.com
Update WordPress
wo site update example.com --wp
Check stack status
wo stack status
🎯 4. Fine-Tuning WordPress with SlickStack
4.1 The WordPress Performance Challenge
WordPress is one of the most popular content management systems in the world, making it easy to create and manage websites. However, it does have its drawbacks — performance being a key one. WordPress is a classic PHP-MySQL application: every page visit requires database queries, PHP execution, and HTML generation. All of this consumes server resources, slowing down response times and degrading the user experience. SlickStack offers a way to tackle this head-on.
4.2 What Is SlickStack?
SlickStack is a free LEMP (Linux, Nginx, MySQL, PHP) stack automation script created by LittleBizzy, designed to enhance and simplify WordPress deployment, performance, and security.
🎯 SlickStack’s Core Philosophy
SlickStack is an extremely lightweight script — nothing more than basic bash commands and cron jobs. It runs on any Ubuntu or Debian machine with zero dependencies and no control panel. This minimalist design philosophy makes it the ideal choice for users pursuing peak WordPress performance.
Here’s how it works: SlickStack installs and configures the essential software and services on your server — Nginx, MySQL, PHP-FPM, Redis, Certbot, and more. It then optimizes and fine-tunes each component according to preset rules and parameters for maximum performance and security. Finally, it imports your WordPress files and database, completing the installation and configuration.
4.3 Advantages
⚡ Performance
Dramatically improves WordPress response times and reduces page load latency, boosting both user experience and SEO rankings. SlickStack uses Nginx — lighter and faster than Apache — plus FastCGI cache and Redis cache for both static and dynamic pages, minimizing backend requests.
🔒 Stability & Security
Reduces server load and database pressure, improving WordPress stability and security. SlickStack uses MySQL (more stable and compatible than MariaDB) along with Percona Toolkit for database table and index optimization. Certbot handles automatic SSL certificate issuance and renewal for HTTPS encryption.
🛠️ Operational Simplicity
Simplifies WordPress deployment and management, saving you time and effort. A single shell command completes the entire deployment and configuration in minutes — no manual software installation required. SlickStack also provides automatic updates, automatic backups, and automatic cleanup to keep your site fresh and lean.
💡 What Makes SlickStack Unique
Unlike other tools, SlickStack focuses on single-site optimization. It doesn’t support multi-site management like WordOps or EasyEngine. Instead, it concentrates all resources and optimization strategies on a single WordPress site. This makes it especially well-suited for users who only need to host one high-performance WordPress site.
4.4 Installation
📋 Prerequisites
Prepare a server running Ubuntu or Debian. You can purchase or rent one from any cloud provider — DigitalOcean, Vultr, Linode, etc.
⚙️ Installation Steps
Step 1: Log in to your server and run the SlickStack script:
wget -O ss slick.fyi/ss && bash ss
Step 2: Follow the prompts and enter the required information (domain name, email, etc.).
Step 3: Wait for the script to finish. You’ll see terminal output showing installed software, services, and generated configuration files.
Step 4: Visit your domain — your WordPress site should be live and ready to go.
In summary, the primary function of these open-source tools is to simplify website setup and management — abstracting away the technical details and making them accessible to beginners. They automate:
✅ Nginx/Apache server installation and configuration
✅ Multi-version PHP switching
✅ MariaDB/MySQL database installation and setup
✅ One-click CMS installation (WordPress, etc.)
✅ Automatic SSL certificate issuance and renewal
✅ Cache system configuration and optimization
6.2 The Value Proposition
Using these tools saves an enormous amount of manual deployment and configuration time, dramatically accelerating your site-building workflow and letting developers focus on features and content. For operations work, they cut down routine maintenance and boost efficiency.
“Use the right tools — do the right things.”
Don’t waste time reinventing the wheel. Stand on the shoulders of the open-source community and invest your energy where it truly creates value. Pick the deployment automation tool that fits your needs, and let the technology work for you — instead of the other way around.
TT5 Dark Mode is a Gutenberg-native plugin that adds dark/light mode switching, focus fixes, shadow presets, and link hover customization to WordPress’s default theme.
Twenty Twenty-Five is one of the most refined default themes WordPress has ever shipped. Its style variation system, fluid typography, and minimal footprint make it an excellent foundation for a wide range of websites.
But after building several production sites on TT5, I kept running into the same four friction points — issues that couldn’t be solved with Additional CSS alone and that no existing plugin addressed as a cohesive package.
TT5 Dark Mode was born from that frustration. It’s a single, focused plugin that fills the gaps TT5 left behind.
🔍 The Four Problems This Plugin Solves
Before diving into features, let’s be specific about what’s actually missing in Twenty Twenty-Five and why each gap matters.
Problem 1 — No dark mode toggle for visitors.
TT5 includes gorgeous dark palettes (Evening, Twilight, Midnight, Sunrise) as style variations, but these are design-time choices made by the site owner. Visitors have no way to switch between dark and light mode on the frontend. In 2025, dark mode isn’t a luxury — it’s a baseline accessibility and comfort expectation.
Problem 2 — Crude focus outlines.
TT5 applies a global :focus rule to all interactive elements with no color customization, no outline offset, and — critically — no :focus-visible distinction. This means every mouse click on a button or link triggers a visible outline ring, which is visually distracting for mouse users and violates the modern UX standard where outlines should only appear during keyboard navigation.
Problem 3 — Broken shadow reference in the Noon variation.
TT5’s “Noon” style variation references var:preset|shadow|natural in its theme.json, but never actually defines the preset. The result: any block that relies on this shadow token (buttons, cards) renders with no shadow at all. This is a confirmed upstream bug.
Problem 4 — Minimal link hover feedback.
When a visitor hovers over a link in TT5, the only visual change is the underline switching from solid to dotted. There’s no color shift, no transition animation, and no way to customize this behavior through the Site Editor. For sites that depend on clear visual affordances, this is insufficient.
TT5 Dark Mode solves all four problems through a single tabbed settings panel and two Gutenberg blocks, with zero external dependencies and under 8 KB of total code.
⚡ Quick Start — Up and Running in 3 Minutes
Getting the plugin working requires exactly four steps. No build tools, no configuration files, no terminal commands.
Step 1 — Install the plugin.
Upload tt5-dark-mode.zip via Plugins → Add New → Upload Plugin, or extract the tt5-dark-mode folder into /wp-content/plugins/ manually.
Step 2 — Activate.
Go to Plugins → Installed Plugins and click Activate next to “TT5 Dark Mode.”
💡 If your active theme is not Twenty Twenty-Five (or a child theme of TT5), the plugin will display a notice and gracefully disable all its frontend features. It will not break your site.
Step 3 — Configure settings.
Navigate to Settings → TT5 Dark Mode. The settings page is organized into five tabs:
For most sites, the default settings work immediately — you only need to choose a dark palette and optionally enable Auto mode. Everything else is fine-tuning.
Step 4 — Place the toggle block.
Open the Site Editor (Appearance → Editor), navigate to your header template, and insert the Dark Mode Toggle block. Choose your preferred variant — pill, icon-only, or switch — and save.
That’s it. Your visitors can now switch between dark and light mode, and their preference persists via a cookie.
🌙 Feature Deep Dive: Dark / Light Mode Switching
This is the plugin’s flagship feature, and it’s designed to handle every edge case correctly.
How the toggle works
The toggle button cycles between states:
Default (two-state): Dark ↔ Light
With Auto enabled (three-state): Auto → Dark → Light → Auto
In Auto mode, the plugin respects the visitor’s operating system preference via the prefers-color-scheme media query. If the visitor’s OS switches from light to dark (e.g., at sunset with scheduled dark mode), the site updates in real time — no page reload required.
How palettes are applied
Under the hood, the plugin doesn’t repaint the page or swap stylesheets. Instead, it overrides TT5’s CSS custom properties:
Because every TT5 block references these variables, the entire page — headers, footers, buttons, text, backgrounds — adapts automatically when the mode changes. No per-block styling is needed.
The four available dark palettes
All palettes are sourced directly from TT5’s official style variations, ensuring visual consistency:
Palette
Base
Contrast
Character
🌆 Evening
#1B1B1B
#F0F0F0
Warm, muted — the safe default
🌃 Twilight
#131313
#FFFFFF
High contrast with blue/coral accents
🌌 Midnight
#4433A6
#79F3B1
Bold purple with neon green — distinctive
🌅 Sunrise
#330616
#FFFFFF
Deep burgundy with warm yellow tones
Smart inversion for dark-based style variations
Here’s a nuance most dark mode plugins get wrong: what happens when the site’s default style is already dark?
TT5 Dark Mode detects the base color luminance of the active style variation using the WCAG 2.1 relative luminance formula. If the base color is dark (luminance < 0.4), the plugin automatically inverts its entire logic:
The toggle button label changes from “Dark mode” to “Light mode”
The “alternate” palette becomes the default TT5 light palette
Cookie values and CSS classes still work identically
This means if you’re using TT5’s “Evening” style variation as your default, the plugin gives your visitors a light mode switch — not a redundant dark mode one.
📌 This detection happens server-side and is cached with a static variable, so there’s zero performance overhead.
Zero FOUC (Flash of Unstyled Content)
The most common complaint with JavaScript-based dark mode solutions is the “flash” — the page briefly renders in light mode before JavaScript kicks in and switches to dark.
TT5 Dark Mode eliminates this entirely with a synchronous inline script injected at wp_head priority 1 (before any stylesheets load):
The script reads the tt5dm_pref cookie
It checks prefers-color-scheme if needed
It adds tt5-dark-mode or tt5-light-mode to <html> immediately
The CSS that overrides the palette variables is scoped to these classes
Because the class is set before the browser’s first paint, there is literally no frame where the wrong palette is visible.
🧱 Feature Deep Dive: Gutenberg Blocks
The plugin registers two blocks, both fully Gutenberg-native — no shortcodes, no widgets, no legacy code.
Dark Mode Toggle Block
Where to use it: Header template, sidebar, footer, or any page/post content.
Three variants:
Variant
Appearance
Best for
🔘 Pill
Rounded capsule button with text label
Headers with space for text
🎯 Icon-only
Circular button with sun/moon icon
Compact headers, mobile-first layouts
🎚️ Switch
iOS-style toggle with sliding thumb
Settings panels, preference sections
All three variants support full block styling: custom colors, spacing, typography, border radius, and alignment. The block integrates with WordPress’s native block controls — no custom sidebar panels.
What the block renders on the frontend:
A single <button> element with:
role="switch" and aria-checked for screen reader compatibility
aria-label that dynamically reflects the current state
SVG icons embedded inline (no icon font dependency)
The button is the block root — no wrapper <div>, which means useBlockProps alignment works natively
Mode-Aware Content Block
This is the less obvious but equally powerful block. It’s a container that conditionally shows its children based on the current mode.
Use cases:
🖼️ Show a dark-background hero image in dark mode and a light-background one in light mode
📝 Display different welcome messages per mode
🎨 Swap logos (dark logo on light backgrounds, light logo on dark backgrounds)
How it works:
The visibility is controlled entirely with CSS — no JavaScript on the frontend. The block renders a <div> with a data-mode="dark" or data-mode="light" attribute, and the stylesheet uses these rules:
This means mode-aware content works instantly on page load (no JS delay) and is fully compatible with caching plugins.
Block Patterns
The plugin includes three ready-to-use patterns to get you started:
📐 Header with Toggle — A navigation row with the toggle placed in the right column
🎨 Mode-Aware Hero Section — Two stacked hero sections, one visible per mode
🖼️ Mode-Aware Logo — A pair of image blocks for light/dark logo variants
Access these via the Block Inserter → Patterns → TT5 Dark Mode category in the Site Editor.
🎯 Feature Deep Dive: Focus & Outline System
This feature alone justifies installing the plugin, even if you don’t need dark mode.
What’s wrong with TT5’s default focus
TT5 applies this rule globally:
:where(.wp-site-blocks) *:focus {
outline: ...;
}
The problems:
❌ Uses :focus instead of :focus-visible, so mouse clicks trigger outlines
❌ No customizable outline color (defaults to browser UA style)
❌ No outline offset (the ring hugs the element edge)
❌ Same behavior for all element types (buttons, inputs, nav links)
❌ No dark/light mode differentiation
What TT5 Dark Mode provides
The plugin replaces this with a layered focus system:
Global level — Applies to all interactive elements within .wp-site-blocks:
Setting
Options
Default
Focus Mode
:focus-visible / :focus / disabled
:focus-visible
Outline Color
Any CSS color
Theme accent-4
Outline Width
1–5 px
2px
Outline Style
solid / dashed / dotted
solid
Outline Offset
0–10 px
2px
Element level — Override the global settings for specific element types:
🔘 Buttons — Custom outline color and offset
📝 Form inputs — Custom outline color + optional box-shadow ring (the common “glow” pattern used by most design systems)
🧭 Navigation links — Custom outline offset (TT5 uses different offsets for parent items vs. submenus)
Dark mode level — Use a different outline color when dark mode is active. This is critical because a dark blue outline that’s visible on white backgrounds becomes invisible on dark backgrounds.
💡 Tip: When using the :focus-visible mode (recommended), the plugin also adds :focus:not(:focus-visible) { outline: none !important; } to ensure mouse clicks produce absolutely no outline artifact. This is the behavior that Chrome, Firefox, and Safari all default to in their native UI.
🎨 Feature Deep Dive: Box Shadow Presets
The Noon variation bug
TT5’s “Noon” style variation includes this in its theme.json:
"shadow": "var:preset|shadow|natural"
But the natural shadow preset is never defined anywhere in TT5’s theme files. The result: buttons and blocks that reference this token render with box-shadow: none.
How the plugin fixes it
TT5 Dark Mode injects three shadow presets into the theme.json data using WordPress’s wp_theme_json_data_theme filter:
All three values are editable in the settings panel with a live preview box that updates as you type. They also appear in the Gutenberg Shadow picker for any block that supports box-shadow.
Dark mode shadow adjustment
Standard shadows — dark shapes on a dark background — are nearly invisible. The plugin provides three strategies:
Inherit — Same shadows in both modes (default)
Darken — Increases shadow opacity for better definition on dark backgrounds
Glow — Replaces dark shadows with subtle white light halos
🔗 Feature Deep Dive: Link & Hover Customization
TT5’s default link hover behavior is a single CSS change: the underline style switches from solid to dotted. There’s no color shift and no animation.
The plugin adds four controls:
Setting
What it does
Default
Hover Color
Changes link text color on hover
none (inherits)
Underline Style
solid / dashed / dotted / none on hover
theme default (dotted)
Transition Duration
Smooth animation between states (0–1000 ms)
0 ms
Button Hover Opacity
Controls color-mix() percentage for .wp-block-button__link:hover
85% (theme default)
💡 Recommended starting point: Set hover color to your accent color, underline to solid, and transition to 200ms. This provides clear, polished hover feedback without being distracting.
⚙️ Feature Deep Dive: Advanced Tab
Custom CSS
The Advanced tab includes a code editor for injecting arbitrary CSS. This CSS loads after all plugin-generated styles, so it can override anything.
The key selectors you’ll use most often:
/* Target dark mode only */
html.tt5-dark-mode .my-element {
background: #1a1a2e;
}
/* Target light mode only */
html.tt5-light-mode .my-element {
background: #fafafa;
}
/* Target the moment before JS initializes (edge case) */
html:not(.tt5-dark-mode):not(.tt5-light-mode) .my-element {
/* Shown only if cookie and JS both fail */
}
Legacy Toggle Focus (backward compatibility)
If you were using an earlier development version of this plugin, toggle-specific focus settings are preserved here. For new installations, the global Focus & Outline system (Tab 2) is the recommended approach.
🧩 For Theme Developers
Available filter
// Modify the dark palette before CSS is generated
add_filter( 'tt5dm_dark_palette', function( $palette, $key ) {
// $key is 'evening', 'twilight', 'midnight', or 'sunrise'
if ( 'evening' === $key ) {
$palette['colors']['accent-1'] = '#FF6600';
}
return $palette;
}, 10, 2 );
CSS custom properties
The plugin exposes two sets of custom properties:
Global focus properties — set by the Focus & Outline tab:
Both can be overridden in your child theme’s style.css or via the Additional CSS panel in the Customizer.
JavaScript API
The plugin exposes a global state manager on window.__tt5dm:
window.__tt5dm.getPref() // → 'auto' | 'dark' | 'light'
window.__tt5dm.isDark() // → boolean
window.__tt5dm.cycle() // Advance to next state
window.__tt5dm.apply('dark') // Force a specific state
// Listen for mode changes
document.addEventListener('tt5dm:change', (e) => {
console.log(e.detail.pref, e.detail.isDark);
});
❓ Frequently Asked Questions
Does this work with themes other than Twenty Twenty-Five?
No. The plugin checks wp_get_theme()->get_template() on every page load and disables all features if the template is not twentytwentyfive. It will not break other themes — it simply does nothing.
Is the cookie GDPR-compliant?
The plugin stores a single functional cookie (tt5dm_pref) that records the visitor’s display preference. Under GDPR and ePrivacy Directive guidance, functional cookies that serve accessibility or preference purposes are generally exempt from consent requirements. That said, if your privacy policy lists all cookies, you should include this one.
Does it work with caching plugins?
Yes. The dark/light mode switching is handled entirely on the client side (cookie + inline script + CSS classes). The server delivers the same HTML regardless of the visitor’s mode preference, so full-page caching works without any special configuration.
What happens if JavaScript is disabled?
The site renders in its default style (whatever the active style variation is). The toggle block renders as a <button> element but has no click handler. The inline <head> script also won’t run, so no CSS class is added to <html>. The page is fully functional — just without the ability to switch modes.
Can I use this with WooCommerce?
Yes, as long as WooCommerce is running on a TT5-based theme. WooCommerce blocks inherit TT5’s CSS custom properties, so they’ll adapt to dark/light mode automatically. Custom WooCommerce templates that hardcode colors may need additional CSS via the Advanced tab.
How lightweight is this plugin?
📦 Total file size: under 8 KB (all PHP, JS, and CSS combined)
🔌 Zero external dependencies (no jQuery, no frameworks)
📡 Zero extra HTTP requests for styles (all CSS is inline)
🧠 No database queries beyond a single get_option() call per page load
WordPress.org:(link to plugin page after approval)
License: GPLv2 or later
TT5 Dark Mode is free, open-source, and built for the community. If you find a bug or have a feature request, please open an issue on GitHub. Pull requests are welcome.