SiteAgent for Aura

SiteAgent is the bridge between your WordPress sites and the Aura infrastructure dashboard — a unified control center for teams managing multiple WordPress sites alongside servers, CDN, and DNS.

Install this plugin on any WordPress site to unlock remote management capabilities directly from Aura — no SSH, no wp-admin juggling, no manual logins.

What You Can Do

• Monitor site health — See WordPress version, PHP version, installed plugins & themes, database info, and disk usage in real time.
• Update plugins, themes & core remotely — Push updates to any connected site from the Aura dashboard, no wp-admin login.
• Safe batch updates with auto-rollback — Run chunked updates with health checks; if an update breaks the site, the plugin restores the previous version automatically.
• Per-plugin rollback — Every update is zip-snapshotted first; restore any plugin to its last good state on demand.
• Bulk translation & database upgrades — Update all language packs and run WordPress database migrations remotely.
• One-click connect (magic link) — Connect a site to Aura straight from wp-admin — no manual token copy/paste.
• AI-agent ready (18 MCP tools) — Exposes machine-readable, JSON-schema tools for AI-driven management, including SEO/accessibility/performance/broken-link auditors and on-site SEO-meta read/write (Rank Math, Yoast, SEOPress). Read tools run on demand; mutating tools are approval-gated through Aura, and every call is audited.
• Zero frontend impact — The plugin only registers REST API endpoints. No scripts, no styles, no database queries on visitor-facing page loads.

How It Works

After activation, click Connect to Aura on the Settings → SiteAgent page for a one-click magic-link connection, or copy the Site Token shown once and paste it into your Aura dashboard manually. From that point, Aura communicates with your site over a signed, authenticated REST API to pull health data and push updates.

Security

Defence-in-depth protects every request:

1. WordPress Application Password — Standard WordPress auth with capability checks (manage_options / update_*). Only authorized administrators can trigger actions.
2. Hashed Site Token — A per-site token sent via the X-Aura-Token header. Only a SHA-256 hash is stored (never the raw token), compared timing-safely. Tokens from older versions migrate to a hash automatically.
3. Brute-force throttling — Repeated bad-token attempts from an IP are blocked.
4. Signed magic-link connect — The onboarding callback is HMAC-signed with a one-time secret and timestamp, so the token exchange can’t be hijacked or replayed.
5. IP / Domain allowlist (optional) — Restrict API access to your Aura instance, with Cloudflare and reverse-proxy header support.

You can rotate the token anytime from Settings → SiteAgent → Regenerate Token.

REST API Endpoints

Core endpoints under /wp-json/aura/v1/:

• GET /status — Full site health report
• GET /updates — Check available updates (core, plugins, themes, translations)
• POST /update/core / /update/plugin / /update/theme / /update/translations — Apply updates
• POST /update/database — Run WordPress database upgrades
• POST /connect — Magic-link token exchange (public, HMAC-signed, 10-minute expiry)

Version 2 endpoints under /wp-json/aura/v2/:

• GET /health — HTTP, PHP fatal, white-screen and DB connectivity checks
• POST /update/batch — Chunked batch updates with auto-rollback on health failure
• POST /rollback/{plugin} — Restore a plugin from its most recent backup

MCP tools under /wp-json/aura/mcp/:

• POST /tools/list / POST /tools/execute — Enumerate and run AI-agent tools
• GET /context — Full site context for AI decision-making

AI Agent Tools (MCP)

SiteAgent ships 18 built-in tools for AI agents. Read tools return information and run on demand; write tools change the site and are queued for human approval through Aura — an agent can never silently mutate a production site.

Read tools:

• get_site_context — WordPress/PHP/theme/plugin/disk/performance snapshot with detected issues
• get_database_info — Database size, largest tables, autoloaded-options weight, expired transients
• scan_security — Scored security posture (file-edit lockdown, debug exposure, SSL, default admin/prefix, open registration, PHP version)
• scan_seo — SEO posture (search-engine visibility, permalinks, XML sitemap, site title) plus a sampled content audit (thin content, missing excerpts/featured images)
• scan_a11y — Accessibility audit over sampled content (images missing alt text, non-descriptive link text, heading structure, document language)
• perf_check — Performance posture (persistent object cache, OPcache, page-cache plugin, PHP version, autoload weight, active plugin count, memory limit)
• scan_broken_links — Link triage over a content sample with no outbound HTTP (empty/anchor-only links, dev/staging hosts, unresolved internal links)
• list_users — Users with roles and post counts, administrators flagged (never returns secrets)
• check_health — Live health gate: HTTP status, PHP fatals, white-screen, database connectivity
• scan_error_log — Tails and severity-groups the error log, surfacing recent fatals
• check_vulnerabilities — Plugins/themes checked against the WordPress.org vulnerability database
• get_seo_meta — Read a post/page’s SEO title, description, and focus keyword from the active SEO plugin (Rank Math, Yoast, or SEOPress)

Write tools (approval-gated):

• update_plugin_safely — Backup, update, health-check, auto-rollback on failure
• clear_caches — Flush object/opcode caches and detected page-cache plugins
• cleanup_transients — Remove expired transients to reduce autoload bloat
• cleanup_orphaned_assets — Find and remove unused media (dry-run by default)
• backup_plugins — Zip-snapshot one or all active plugins as a rollback safety net
• set_seo_meta — Write a post/page’s SEO title / description / focus keyword on the active SEO plugin (Rank Math, Yoast, or SEOPress) — on-site, so it works even when a WAF blocks the plugin’s own REST endpoint

Tools are classified by verb so the Aura Fleet gateway applies the right risk and approval policy automatically.

About Aura

Aura is a full-stack operations dashboard by Digitizer that brings servers, applications, DNS zones, and CDN pull zones from Cloudways, Hostinger VPS, Cloudflare, and Bunny.net into a single unified interface.

SiteAgent extends that reach into every WordPress installation — so you can manage your entire infrastructure, including WordPress sites, from one place.

Free to Use

The plugin is completely free and open source (GPLv2+). You need a free or paid Aura account to connect your sites. Sign up at my-aura.app.

Links

• Aura Dashboard
• Documentation
• GitHub Repository
• Digitizer