WordPress API Bridge (Remote Code Execution Secured)
Original price was: $149.00.$49.00Current price is: $49.00.
Out of stock
Launching Q2 2026. Waitlist members get early access + 25% off at launch.
No spam. Unsubscribe any time. One email at launch.
Description
Who this is for
- Studios & freelancers managing 5+ WordPress sites and tired of repeating the same fix across each one.
- Multi-site publishers where the same option needs to be updated across all properties.
- WordPress consultants who need to execute scoped fixes on client sites without always granting wp-admin access.
- Technical marketing ops at companies running WP for multiple brands.
The problem
WordPress gives you REST API, but the REST API doesn’t cover everything. You can’t update arbitrary options via REST. You can’t run a one-off fix on postmeta across 1000 posts. You can’t invoke a plugin’s internal function. Every serious agency ends up with a collection of “one-off PHP scripts I SCP to servers and run once” — fragile, undocumented, and a security liability.
This is the opposite. A scoped execution bridge: a mu-plugin on each managed site that accepts signed requests from a central n8n instance, executes whitelisted code patterns, logs every call, and refuses anything outside scope. You get the flexibility of SSH without the security posture of SSH.
What you’ll get
- A WordPress mu-plugin (PHP) — drops into `/wp-content/mu-plugins/`, no UI needed.
- An n8n workflow — signed request builder, response parser, batch runner across sites.
- Request signing library — HMAC-SHA256 with nonce + timestamp, prevents replay.
- Scope whitelist config — you define which code patterns the bridge will run, everything else is rejected.
- Audit log — every call logged to a WP DB table + optional Slack/email notification.
- Setup docs (~25 pages Markdown) covering install, key rotation, scope patterns.
Inside the pack
- mu-plugin: 350 lines of PHP, heavily commented, drop into any WordPress site.
- Request signer node: n8n subworkflow that signs any request payload.
- Batch runner: run one instruction across all sites in a list, with error handling.
- Common recipes library: 15 pre-built patterns (update option, set theme_mod, purge cache, patch postmeta, revoke user, run custom hook, etc.).
- Key rotation procedure: how to rotate the HMAC key across all managed sites without downtime.
- Monitoring dashboard: Grafana / Uptime Kuma integration for site health.
Real outcomes you can expect
- ~3 hours/week saved on multi-site fixes that used to require SSH.
- Zero-incident track record — scope whitelisting prevents the “oops I ran it on prod” moments.
- Audit trail for compliance — every automation action is logged, signed, and attributable.
- Faster client response — fix a bug across 8 sites in 2 minutes instead of 40.
- One tool, all sites — standardize your ops stack instead of site-specific scripts.
FAQ
Is this secure?
Yes by design — HMAC signing + timestamp + nonce + scope whitelist + audit log. Every call refused unless every check passes. Source code is auditable (350 lines).
Can I run arbitrary PHP?
No. The scope whitelist defines allowed operations (update_option with specific prefixes, wp_insert_post with specific post_types, etc.). Anything outside is rejected.
What happens if someone steals my HMAC key?
Key rotation is a 3-step process documented in the setup guide. With timestamp + nonce, even a stolen key has short replay window.
Does it work on WordPress Multisite?
Yes — the mu-plugin is network-activated compatible and the n8n node supports subsite targeting.
What if I’m not satisfied?
See our guarantee below.
Our guarantee
Run the bridge across at least 3 of your sites. If it doesn’t save you meaningful time on multi-site ops within the first 30 days, email [email protected] within 14 days of launch. Full refund, no forms.