Complete documentation for the lazywp Go CLI tool for bulk downloading WordPress plugins/themes with vulnerability scanning.
Start here for an overview of the project and its capabilities.
- Project Overview & PDR — What lazywp does, features, requirements, and tech stack. Best for understanding project scope and making architectural decisions.
Learn how the codebase is organized and how to contribute.
- System Architecture — Package structure, component responsibilities, data flow, concurrency patterns, and design decisions. Best for understanding how the system works.
- Code Standards — Go conventions, naming rules, error handling patterns, testing strategies, and code review checklist. Best for writing code that fits the project.
- Codebase Summary — Complete package-by-package breakdown with file names, LOC counts, key types, and data structures. Best for locating code and understanding implementation details.
- Start with Project Overview & PDR to understand features
- See README.md in the project root for CLI command reference
- Use `lazywp --help` for command-line help
- Read Project Overview & PDR (5 min) — understand the goal
- Read System Architecture (10 min) — understand the design
- Read Code Standards (10 min) — understand the conventions
- Use Codebase Summary (reference) — locate code quickly
- System Architecture — data flow, concurrency, extensibility
- Project Overview & PDR — requirements, constraints, success metrics
- Code Standards — enforce consistency
- Codebase Summary — locate the relevant package
- System Architecture — understand interactions
- Code Standards — follow existing patterns
```
CLI Layer (internal/cli/)
    ↓
Service Layer (downloader, vuln aggregator, storage)
    ↓
HTTP Client Layer (internal/http/) with rate limiting
    ↓
External APIs (WordPress.org, WPScan, NVD, Wordfence)
```
| Component | Purpose | Files |
|---|---|---|
| CLI | Command handling and output formatting | internal/cli/ (23 files) |
| Download Engine | Orchestrate parallel downloads | internal/downloader/ (3 files) |
| HTTP Client | Rate limiting + key rotation + proxies | internal/http/ (4 files) |
| Vulnerability Aggregator | Cross-reference CVE databases | internal/vuln/ (2 files) |
| Storage Manager | File and metadata persistence | internal/storage/ (3 files) |
| API Clients | External service integrations | internal/client/ (5 files) |
| Config Manager | Configuration file handling | internal/config/ (1 file) |
| Exploit Integration | Exploit database integration | internal/exploit/ |
| Extractor | Content extraction utilities | internal/extractor/ |
| Scanner | Scanning orchestration | internal/scanner/ |
| Watch Manager | File watching and monitoring | internal/watch/ |
```
downloads/
├── plugins/{slug}/{version}/
│   ├── {slug}.zip
│   └── metadata.json
├── themes/{slug}/{version}/
├── index.json
└── errors.json
```
Default location: ./config.yaml
Format: YAML
Key settings:
- wpscan_keys: API keys for WPScan vulnerability database
- wordfence_keys: API keys for Wordfence threat intelligence
- nvd_keys: API keys for National Vulnerability Database
- projectdiscovery_api_keys: API keys for ProjectDiscovery services
- concurrency: Number of parallel downloads (default: 5)
- cache_ttl: Vulnerability data cache duration (default: 24h)
- rate_limits: Per-domain request throttling
- Download concurrency: 5 (configurable)
- Rate limiting: Per-domain token bucket
- Cache TTL: 24 hours (configurable)
- Retry strategy: Exponential backoff, max 3 attempts
- Buffer size: 32KB for streaming downloads
- API keys stored in config file (user responsible for permissions)
- SHA256 verification for all downloads
- TLS for all external API communication
- Proxy support for privacy-sensitive environments
- Create file in internal/cli/newcommand.go
- Define command struct with cobra.Command
- Implement handler function
- Register in root.go
- Add output formatting via Formatter
- Follow patterns in code-standards.md
- Implement VulnSource interface in internal/client/
- Add to aggregator initialization in internal/cli/deps.go
- Follow client patterns in code-standards.md
- Add tests following table-driven test pattern
- Update Config struct in internal/config/config.go
- Add parsing logic if non-string type
- Update DefaultConfig() with sensible default
- Update documentation
- Cobra v1.10.2 — CLI framework
- progressbar v3.19.0 — Progress visualization
- golang.org/x/time v0.15.0 — Rate limiting
- yaml.v3 v3.0.1 — YAML parsing and serialization
- Test files: `*_test.go` in same package
- Pattern: Table-driven tests
- Coverage target: 70% for business logic
- Run: `go test ./...`
Before committing:

```bash
go fmt ./...
go vet ./...
go test ./...
```

```bash
go install github.com/hieuha/lazywp/cmd/lazywp@latest
```

Or from source:

```bash
git clone https://github.com/hieuha/lazywp.git
cd lazywp
make build
make install
```

- WordPress.org — Plugin/theme info and downloads
- WPScan — Vulnerability database (API key required)
- NVD (NIST) — National Vulnerability Database (API key required)
- Wordfence — Threat intelligence (free tier available)
Rate limits enforced to prevent throttling.
Refer to the specific documentation file for your question:
- What does this feature do? → Project Overview & PDR
- How does component X work? → System Architecture
- How do I write code that fits? → Code Standards
- Where is feature X implemented? → Codebase Summary
- How do I run tests? → Code Standards → Testing Standards
Last Updated: 2026-03-27 Version: 1.0 Go Version: 1.25.0