Official WordPress agent for Aura
SiteAgent is the official remote management agent for the Aura Infrastructure Hub. It connects your WordPress sites to your Aura dashboard for seamless remote management, monitoring, and updates from a single centralized interface.
| Capability | Description |
|---|---|
| Site Health | Real-time monitoring of WordPress & PHP versions, plugins, themes, and server health. |
| One-Click Updates | Update WordPress core, plugins, and themes remotely from the Aura dashboard. |
| Safe Update Engine | Chunked batch updates with health checks and automatic rollback on failure. |
| Per-Plugin Rollback | Zip backups in wp-content/aura-backups/ with one-shot restore. |
| MCP Tools Layer | /aura/mcp/ REST namespace exposing AI-agent-friendly tools with JSON schemas. |
| Magic Link Onboarding | One-click connection from wp-admin to the Aura dashboard — HMAC-signed, no token copy/paste. |
| Maintenance | Run database upgrades and translation updates across all sites. |
| Hardened Security | Hashed site tokens, brute-force throttling, signed magic-link connect, and optional IP/domain allowlists. |
| Developer API | Fully exposed via secure REST API endpoints. |
SiteAgent is built for performance. It only registers REST API routes and has zero impact on your site's frontend performance — no extra scripts, styles, or queries on page load.
- Go to Plugins > Add New in your WordPress admin.
- Search for SiteAgent.
- Click Install Now and then Activate.
wp plugin install digitizer-site-worker --activateDownload the zip from the latest release and upload via Plugins → Add New → Upload Plugin.
The display name is SiteAgent for Aura; the WordPress.org slug remains
digitizer-site-worker.
Layered authentication protects every request:
- WordPress Auth: Application Password with capability checks (
manage_options/update_*). - Site Token: Per-site token in the
X-Aura-Tokenheader, stored as a SHA-256 hash (never plaintext) and compared timing-safely. Legacy plaintext tokens migrate automatically on first use. - Brute-force throttle: Per-IP failed-attempt limit returns HTTP 429.
- IP / Domain allowlist: Optional restriction to your Aura instance.
Onboarding via magic link is HMAC-signed: the /connect callback carries a signature derived from a one-time secret the site issued, plus a timestamp replay window — so the token exchange can't be hijacked or replayed. Rotate the token anytime from Settings → SiteAgent → Regenerate Token.
| Method | Endpoint | Description |
|---|---|---|
GET |
/status |
Full site health report |
GET |
/updates |
Check available core, plugin, and theme updates |
POST |
/update/core |
Upgrade WordPress core |
POST |
/update/plugin |
Update a specific plugin |
POST |
/update/theme |
Update a specific theme |
POST |
/update/translations |
Bulk update translation packs |
POST |
/update/database |
Run WordPress database upgrades |
POST |
/connect |
Magic-link token exchange (public, HMAC-signed, 10-min expiring) |
| Method | Endpoint | Description |
|---|---|---|
GET |
/health |
HTTP, PHP fatals, white-screen, and DB connectivity checks |
POST |
/update/batch |
Chunked batch updates with auto-rollback on health failure |
POST |
/rollback/{plugin} |
Restore a plugin from its most recent zip backup |
| Method | Endpoint | Description |
|---|---|---|
POST |
/tools/list |
Enumerate available tools with JSON schemas |
POST |
/tools/execute |
Execute a tool with validated parameters |
GET |
/context |
Full site context for AI decision-making |
Built-in MCP tools: get_site_context, update_plugin_safely, cleanup_orphaned_assets, check_vulnerabilities.
- v2 Update Engine: health checks, per-plugin rollback, chunked batch updates, auto-rollback on failure.
- MCP Tools Layer:
/aura/mcp/namespace withtools/list,tools/execute,context, plus four built-in tools. - Magic Link Onboarding: one-click, HMAC-signed connection from wp-admin to the Aura dashboard.
- Security hardening: SHA-256 hashed site token (auto-migrates legacy tokens), per-IP brute-force throttle, Regenerate Token UI, timestamp replay protection on
/connect. - Reliability: core database upgrade now reports real failures instead of always succeeding.
- Compliance: WordPress.org Plugin Check fixes —
WP_Filesystem,wp_json_encode(),gmdate(),wp_delete_file(). Tested up to WordPress 7.0.
- Security: timing-safe token comparison, optional IP whitelisting, Cloudflare/reverse-proxy header support.
- Branding Update: New official icons and banners for WordPress.org.
- Improved UX: Updated documentation and installation guides.
- Official WordPress.org Launch: Now available in the official plugin repository.
- GitHub Release: v1.3.3
- Rebranded from "AuraWorker" to "Digitizer Site Worker for Aura"
- New slug:
digitizer-site-worker