{"id":291225,"date":"2026-04-02T19:33:16","date_gmt":"2026-04-02T19:33:16","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/auraworker\/"},"modified":"2026-06-12T00:02:20","modified_gmt":"2026-06-12T00:02:20","slug":"digitizer-site-worker","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/digitizer-site-worker\/","author":9810718,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"2.0.1","stable_tag":"2.0.1","tested":"7.0","requires":"6.2","requires_php":"7.4","requires_plugins":null,"header_name":"SiteAgent for Aura","header_author":"Digitizer","header_description":"Remote site management agent for Aura dashboard. Enables secure updates, health monitoring, and maintenance operations via REST API.","assets_banners_color":"204d7c","last_updated":"2026-06-12 00:02:20","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/my-aura.app\/siteagent","header_author_uri":"https:\/\/www.digitizer.studio","rating":0,"author_block_rating":0,"active_installs":0,"downloads":285,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.3.3":{"tag":"1.3.3","author":"benkalsky","date":"2026-04-02 19:31:17"},"1.3.4":{"tag":"1.3.4","author":"benkalsky","date":"2026-04-02 23:11:06"},"1.3.5":{"tag":"1.3.5","author":"benkalsky","date":"2026-04-02 23:14:32"},"2.0.0":{"tag":"2.0.0","author":"benkalsky","date":"2026-06-11 23:19:26"},"2.0.0-beta.1":{"tag":"2.0.0-beta.1","author":"benkalsky","date":"2026-04-13 23:55:56"},"2.0.0-beta.2":{"tag":"2.0.0-beta.2","author":"benkalsky","date":"2026-04-15 18:50:29"},"2.0.1":{"tag":"2.0.1","author":"benkalsky","date":"2026-06-12 00:02:20"}},"upgrade_notice":{"2.0.1":"<p>Documentation update \u2014 corrected feature list, security description, endpoint reference, and admin menu location. No code changes.<\/p>","2.0.0":"<p>Major update: plugin rollback\/backup, site health checks, magic-link admin access, and MCP tools. Tested with WordPress 7.0. Recommended for all users.<\/p>","1.3.5":"<p>Enhanced security with timing-safe comparison and IP whitelisting. Recommended for all users.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3497877,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3497877,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3497876,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3497876,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.3.3","1.3.4","1.3.5","2.0.0","2.0.0-beta.1","2.0.0-beta.2","2.0.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3497775,"resolution":"1","location":"assets","locale":"","width":3454,"height":1886},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3497775,"resolution":"2","location":"assets","locale":"","width":3452,"height":1922},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3497775,"resolution":"3","location":"assets","locale":"","width":3452,"height":1922},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3497775,"resolution":"4","location":"assets","locale":"","width":3454,"height":1924}},"screenshots":{"1":"The SiteAgent settings page in WordPress admin (Settings \u2192 SiteAgent) showing the Site Token and connection status.","2":"The Aura dashboard showing connected WordPress sites with health status, WordPress version, PHP version, and available updates.","3":"Remote plugin update in progress from the Aura dashboard \u2014 select a plugin and update it with a single click."}},"plugin_section":[],"plugin_tags":[434,732,266742,149012,41933],"plugin_category":[52],"plugin_contributors":[260321],"plugin_business_model":[],"class_list":["post-291225","plugin","type-plugin","status-publish","hentry","plugin_tags-dashboard","plugin_tags-maintenance","plugin_tags-remote-updates","plugin_tags-site-monitoring","plugin_tags-wordpress-management","plugin_category-performance","plugin_contributors-benkalsky","plugin_committers-benkalsky"],"banners":{"banner":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/banner-772x250.png?rev=3497876","banner_2x":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/banner-1544x500.png?rev=3497876","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/icon-128x128.png?rev=3497877","icon_2x":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/icon-256x256.png?rev=3497877","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/screenshot-1.png?rev=3497775","caption":"The SiteAgent settings page in WordPress admin (Settings \u2192 SiteAgent) showing the Site Token and connection status."},{"src":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/screenshot-2.png?rev=3497775","caption":"The Aura dashboard showing connected WordPress sites with health status, WordPress version, PHP version, and available updates."},{"src":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/screenshot-3.png?rev=3497775","caption":"Remote plugin update in progress from the Aura dashboard \u2014 select a plugin and update it with a single click."},{"src":"https:\/\/ps.w.org\/digitizer-site-worker\/assets\/screenshot-4.png?rev=3497775","caption":""}],"raw_content":"<!--section=description-->\n<p><strong>SiteAgent<\/strong> is the bridge between your WordPress sites and the <a href=\"https:\/\/my-aura.app\">Aura infrastructure dashboard<\/a> \u2014 a unified control center for teams managing multiple WordPress sites alongside servers, CDN, and DNS.<\/p>\n\n<p>Install this plugin on any WordPress site to unlock remote management capabilities directly from Aura \u2014 no SSH, no wp-admin juggling, no manual logins.<\/p>\n\n<h4>What You Can Do<\/h4>\n\n<ul>\n<li><strong>Monitor site health<\/strong> \u2014 See WordPress version, PHP version, installed plugins &amp; themes, database info, and disk usage in real time.<\/li>\n<li><strong>Update plugins, themes &amp; core remotely<\/strong> \u2014 Push updates to any connected site from the Aura dashboard, no wp-admin login.<\/li>\n<li><strong>Safe batch updates with auto-rollback<\/strong> \u2014 Run chunked updates with health checks; if an update breaks the site, the plugin restores the previous version automatically.<\/li>\n<li><strong>Per-plugin rollback<\/strong> \u2014 Every update is zip-snapshotted first; restore any plugin to its last good state on demand.<\/li>\n<li><strong>Bulk translation &amp; database upgrades<\/strong> \u2014 Update all language packs and run WordPress database migrations remotely.<\/li>\n<li><strong>One-click connect (magic link)<\/strong> \u2014 Connect a site to Aura straight from wp-admin \u2014 no manual token copy\/paste.<\/li>\n<li><strong>AI-agent ready (MCP tools)<\/strong> \u2014 Exposes machine-readable tools (site context, safe plugin update, asset cleanup, vulnerability checks) for AI-driven management.<\/li>\n<li><strong>Zero frontend impact<\/strong> \u2014 The plugin only registers REST API endpoints. No scripts, no styles, no database queries on visitor-facing page loads.<\/li>\n<\/ul>\n\n<h4>How It Works<\/h4>\n\n<p>After activation, click <strong>Connect to Aura<\/strong> on the <strong>Settings \u2192 SiteAgent<\/strong> page for a one-click magic-link connection, or copy the Site Token shown once and paste it into your Aura dashboard manually. From that point, Aura communicates with your site over a signed, authenticated REST API to pull health data and push updates.<\/p>\n\n<h4>Security<\/h4>\n\n<p>Defence-in-depth protects every request:<\/p>\n\n<ol>\n<li><strong>WordPress Application Password<\/strong> \u2014 Standard WordPress auth with capability checks (<code>manage_options<\/code> \/ <code>update_*<\/code>). Only authorized administrators can trigger actions.<\/li>\n<li><strong>Hashed Site Token<\/strong> \u2014 A per-site token sent via the <code>X-Aura-Token<\/code> header. Only a SHA-256 <strong>hash<\/strong> is stored (never the raw token), compared timing-safely. Tokens from older versions migrate to a hash automatically.<\/li>\n<li><strong>Brute-force throttling<\/strong> \u2014 Repeated bad-token attempts from an IP are blocked.<\/li>\n<li><strong>Signed magic-link connect<\/strong> \u2014 The onboarding callback is HMAC-signed with a one-time secret and timestamp, so the token exchange can't be hijacked or replayed.<\/li>\n<li><strong>IP \/ Domain allowlist<\/strong> (optional) \u2014 Restrict API access to your Aura instance, with Cloudflare and reverse-proxy header support.<\/li>\n<\/ol>\n\n<p>You can rotate the token anytime from <strong>Settings \u2192 SiteAgent \u2192 Regenerate Token<\/strong>.<\/p>\n\n<h4>REST API Endpoints<\/h4>\n\n<p>Core endpoints under <code>\/wp-json\/aura\/v1\/<\/code>:<\/p>\n\n<ul>\n<li><code>GET \/status<\/code> \u2014 Full site health report<\/li>\n<li><code>GET \/updates<\/code> \u2014 Check available updates (core, plugins, themes, translations)<\/li>\n<li><code>POST \/update\/core<\/code> \/ <code>\/update\/plugin<\/code> \/ <code>\/update\/theme<\/code> \/ <code>\/update\/translations<\/code> \u2014 Apply updates<\/li>\n<li><code>POST \/update\/database<\/code> \u2014 Run WordPress database upgrades<\/li>\n<li><code>POST \/connect<\/code> \u2014 Magic-link token exchange (public, HMAC-signed, 10-minute expiry)<\/li>\n<\/ul>\n\n<p>Version 2 endpoints under <code>\/wp-json\/aura\/v2\/<\/code>:<\/p>\n\n<ul>\n<li><code>GET \/health<\/code> \u2014 HTTP, PHP fatal, white-screen and DB connectivity checks<\/li>\n<li><code>POST \/update\/batch<\/code> \u2014 Chunked batch updates with auto-rollback on health failure<\/li>\n<li><code>POST \/rollback\/{plugin}<\/code> \u2014 Restore a plugin from its most recent backup<\/li>\n<\/ul>\n\n<p>MCP tools under <code>\/wp-json\/aura\/mcp\/<\/code>:<\/p>\n\n<ul>\n<li><code>POST \/tools\/list<\/code> \/ <code>POST \/tools\/execute<\/code> \u2014 Enumerate and run AI-agent tools<\/li>\n<li><code>GET \/context<\/code> \u2014 Full site context for AI decision-making<\/li>\n<\/ul>\n\n<h4>About Aura<\/h4>\n\n<p>Aura is a full-stack operations dashboard by <a href=\"https:\/\/digitizer.studio\">Digitizer<\/a> that brings servers, applications, DNS zones, and CDN pull zones from Cloudways, Hostinger VPS, Cloudflare, and Bunny.net into a single unified interface.<\/p>\n\n<p>SiteAgent extends that reach into every WordPress installation \u2014 so you can manage your entire infrastructure, including WordPress sites, from one place.<\/p>\n\n<h4>Free to Use<\/h4>\n\n<p>The plugin is completely free and open source (GPLv2+). You need a free or paid Aura account to connect your sites. <a href=\"https:\/\/my-aura.app\">Sign up at my-aura.app<\/a>.<\/p>\n\n<h4>Links<\/h4>\n\n<ul>\n<li><a href=\"https:\/\/my-aura.app\">Aura Dashboard<\/a><\/li>\n<li><a href=\"https:\/\/my-aura.app\/siteagent\">Documentation<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Digitizers\/SiteAgent\">GitHub Repository<\/a><\/li>\n<li><a href=\"https:\/\/digitizer.studio\">Digitizer<\/a><\/li>\n<\/ul>\n\n<!--section=installation-->\n<h4>Via WordPress Admin (Recommended)<\/h4>\n\n<ol>\n<li>Go to <strong>Plugins \u2192 Add New<\/strong> in your WordPress admin.<\/li>\n<li>Search for <strong>SiteAgent<\/strong>.<\/li>\n<li>Click <strong>Install Now<\/strong>, then <strong>Activate<\/strong>.<\/li>\n<li>Navigate to <strong>Settings \u2192 SiteAgent<\/strong>.<\/li>\n<li>Click <strong>Connect to Aura<\/strong> for one-click magic-link onboarding \u2014 or copy the Site Token (shown once) and paste it into your Aura dashboard manually.<\/li>\n<\/ol>\n\n<h4>Via WP-CLI<\/h4>\n\n<pre><code>wp plugin install digitizer-site-worker --activate\n<\/code><\/pre>\n\n<h4>Manual Upload<\/h4>\n\n<ol>\n<li>Download the plugin ZIP from WordPress.org.<\/li>\n<li>Go to <strong>Plugins \u2192 Add New \u2192 Upload Plugin<\/strong>.<\/li>\n<li>Upload the ZIP and click <strong>Install Now<\/strong>, then <strong>Activate<\/strong>.<\/li>\n<li>Navigate to <strong>Settings \u2192 SiteAgent<\/strong> to connect or get your Site Token.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"do%20i%20need%20an%20aura%20account%3F\"><h3>Do I need an Aura account?<\/h3><\/dt>\n<dd><p>Yes, you need an Aura account to connect your WordPress sites. Aura offers a free tier that includes up to 3 WordPress sites. <a href=\"https:\/\/my-aura.app\">Sign up at my-aura.app<\/a>.<\/p><\/dd>\n<dt id=\"is%20this%20plugin%20safe%20to%20use%3F\"><h3>Is this plugin safe to use?<\/h3><\/dt>\n<dd><p>Yes. The plugin uses defence-in-depth: WordPress Application Passwords (the same standard mechanism used by the block editor), a per-site token stored only as a SHA-256 hash and verified timing-safely, per-IP brute-force throttling, an HMAC-signed onboarding handshake, and an optional IP\/domain allowlist. No data is transmitted unless a request is made by your Aura instance.<\/p><\/dd>\n<dt id=\"does%20it%20slow%20down%20my%20site%3F\"><h3>Does it slow down my site?<\/h3><\/dt>\n<dd><p>No. The plugin registers only REST API endpoints. It does not load any code, scripts, or database queries on frontend page loads. Your visitors experience zero impact.<\/p><\/dd>\n<dt id=\"what%20wordpress%20versions%20are%20supported%3F\"><h3>What WordPress versions are supported?<\/h3><\/dt>\n<dd><p>WordPress 6.2 or higher is required. This is needed for full Application Password support. The plugin has been tested up to WordPress 7.0.<\/p><\/dd>\n<dt id=\"what%20php%20versions%20are%20supported%3F\"><h3>What PHP versions are supported?<\/h3><\/dt>\n<dd><p>PHP 7.4 or higher. PHP 8.0+ is recommended.<\/p><\/dd>\n<dt id=\"can%20i%20restrict%20which%20ip%20addresses%20can%20access%20the%20api%3F\"><h3>Can I restrict which IP addresses can access the API?<\/h3><\/dt>\n<dd><p>Yes. The plugin supports an optional IP whitelist. If configured, only requests from the specified IP addresses will be accepted. Cloudflare and reverse proxy headers (<code>CF-Connecting-IP<\/code>, <code>X-Forwarded-For<\/code>, <code>X-Real-IP<\/code>) are fully supported for IP detection.<\/p><\/dd>\n<dt id=\"does%20this%20work%20with%20wordpress%20multisite%3F\"><h3>Does this work with WordPress multisite?<\/h3><\/dt>\n<dd><p>The plugin is designed for single WordPress installations. Multisite support is not currently available but is on the roadmap.<\/p><\/dd>\n<dt id=\"where%20is%20the%20site%20token%20stored%3F\"><h3>Where is the Site Token stored?<\/h3><\/dt>\n<dd><p>Only a SHA-256 <strong>hash<\/strong> of the Site Token is stored, in the WordPress option <code>aura_worker_site_token<\/code> \u2014 the raw token is never persisted. It is generated on first activation and shown once so you can copy it; the Aura dashboard keeps the only raw copy. Tokens created by older versions are upgraded to a hash automatically on first use.<\/p><\/dd>\n<dt id=\"can%20i%20regenerate%20the%20site%20token%3F\"><h3>Can I regenerate the Site Token?<\/h3><\/dt>\n<dd><p>Yes. Use <strong>Regenerate Token<\/strong> on the <strong>Settings \u2192 SiteAgent<\/strong> page. The new token is shown once. Regenerating invalidates the old token and disconnects the site from Aura until you reconnect with the new one.<\/p><\/dd>\n<dt id=\"how%20do%20i%20disconnect%20a%20site%20from%20aura%3F\"><h3>How do I disconnect a site from Aura?<\/h3><\/dt>\n<dd><p>Simply deactivate or delete the plugin, or remove the site from your Aura dashboard. If you deactivate the plugin, the REST API endpoints are unregistered and Aura can no longer communicate with the site.<\/p><\/dd>\n<dt id=\"does%20aura%20store%20my%20wp-admin%20credentials%3F\"><h3>Does Aura store my wp-admin credentials?<\/h3><\/dt>\n<dd><p>No. Aura uses WordPress Application Passwords, not your main admin password. Application Passwords are scoped specifically for REST API access and can be revoked at any time from <strong>Users \u2192 Your Profile<\/strong> in wp-admin.<\/p><\/dd>\n<dt id=\"is%20the%20plugin%20open%20source%3F\"><h3>Is the plugin open source?<\/h3><\/dt>\n<dd><p>Yes. SiteAgent is open source under the GPLv2 or later license. The source code is available on <a href=\"https:\/\/github.com\/Digitizers\/SiteAgent\">GitHub<\/a>.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.0.1<\/h4>\n\n<ul>\n<li>Docs: readme rewritten for the 2.0 feature set (safe batch updates, rollback, magic-link, MCP), corrected security description, and added v2\/MCP endpoint reference.<\/li>\n<li>Docs: fixed admin menu location \u2014 the settings page lives under <strong>Settings \u2192 SiteAgent<\/strong>.<\/li>\n<\/ul>\n\n<h4>2.0.0<\/h4>\n\n<ul>\n<li>Feature: Site health checks \u2014 read recent error-log tail, surface PHP\/DB\/disk status in the health report.<\/li>\n<li>Feature: Plugin rollback &amp; backup \u2014 zip-snapshot a plugin before updating and restore on demand if an update breaks the site.<\/li>\n<li>Feature: Magic-link admin access \u2014 generate a short-lived one-time login link from Aura for support sessions.<\/li>\n<li>Feature: MCP tools \u2014 expose site context, safe plugin updates, asset cleanup, and vulnerability checks to AI agents.<\/li>\n<li>Security: Site token is now stored hashed (SHA-256) instead of plaintext; existing tokens migrate automatically on first use.<\/li>\n<li>Security: Brute-force throttling on token authentication (per-IP failure limit).<\/li>\n<li>Security: Signed magic-link connect \u2014 the dashboard callback is HMAC-verified with a one-time secret and replay-protected by timestamp.<\/li>\n<li>Feature: Regenerate Token button under Settings \u2192 SiteAgent.<\/li>\n<li>Fix: Core database upgrade now reports real failures instead of always returning success (verifies db_version reached the target).<\/li>\n<li>Improvement: Tested with WordPress 7.0.<\/li>\n<li>Compliance: WordPress.org Plugin Check fixes \u2014 WP_Filesystem usage (no direct file_put_contents), gmdate(), wp_delete_file().<\/li>\n<\/ul>\n\n<h4>1.3.5<\/h4>\n\n<ul>\n<li>Security: Enhanced authentication with timing-safe token comparison.<\/li>\n<li>Feature: Added optional IP whitelisting for restricted API access.<\/li>\n<li>Improvement: Support for Cloudflare and reverse proxy headers in IP detection.<\/li>\n<li>Fix: Improved compatibility with WordPress 6.7.<\/li>\n<\/ul>\n\n<h4>1.3.0<\/h4>\n\n<ul>\n<li>Performance: Optimized REST API endpoints for faster health reports.<\/li>\n<li>UI: Updated admin interface under Tools for better clarity.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>REST API endpoints for site health, available updates, core\/plugin\/theme\/translation\/database updates.<\/li>\n<li>Auto-generated Site Token.<\/li>\n<li>Admin page under Tools \u2192 SiteAgent.<\/li>\n<li>Zero frontend performance impact.<\/li>\n<\/ul>","raw_excerpt":"Connect your WordPress site to the Aura dashboard for remote monitoring, plugin &amp; theme updates, and maintenance \u2014 all from one place.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/291225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=291225"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/benkalsky"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=291225"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=291225"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=291225"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=291225"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=291225"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=291225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}