WordPress plugin
Pairing & security
How the connector registers with your workspace and how requests are signed.
Pairing links the connector to your workspace and establishes the shared secret that secures every subsequent request.
The pairing flow
- In FleetWP, Add site generates a one-time connection key.
- In wp-admin, open FleetWP and paste the key.
- The connector calls the app's registration endpoint with the key. The app verifies it, provisions a per-site secret, and returns it to the plugin.
- The connection key is now spent. From here on, both sides sign requests with the per-site secret.
Request signing
Every request in both directions carries an HMAC-SHA256 signature over a canonical string of the form:
HMAC-SHA256(secret, "{ms}.{METHOD}.{path}.{sha256(body)}")
- {ms} is the request timestamp in milliseconds. Requests must land inside a 5-minute window, which blocks replay.
- Signatures are compared in constant time.
Because the secret never travels on the wire after pairing and requests are time-boxed and signed, the connector can safely accept commands (backup, restore, update, one-click login) over the public REST API.
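The signing and verification steps described above, as an added example that is not FleetWP's own code. It assumes hex encoding for the body hash and the signature and a window measured against the receiver's clock; the secret, body and the route name /wp-json/fleetwp/v1/backup are constructed sample values.

```python
import hashlib
import hmac
import time

WINDOW_MS = 5 * 60 * 1000  # the 5-minute window from the page


def canonical(ms: int, method: str, path: str, body: bytes) -> bytes:
    # "{ms}.{METHOD}.{path}.{sha256(body)}"; hex body digest is an assumption
    digest = hashlib.sha256(body).hexdigest()
    return f"{ms}.{method.upper()}.{path}.{digest}".encode()


def sign(secret: bytes, ms: int, method: str, path: str, body: bytes) -> str:
    # Hex-encoded signature is an assumption; the page does not give the encoding
    return hmac.new(secret, canonical(ms, method, path, body), hashlib.sha256).hexdigest()


def verify(secret, ms, method, path, body, signature, now_ms=None) -> str:
    """Return "ok", "stale" or "bad_signature"."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    # Reject timestamps more than five minutes from the receiver's clock
    if abs(now_ms - ms) > WINDOW_MS:
        return "stale"
    expected = sign(secret, ms, method, path, body)
    # Constant-time comparison on bytes, so a non-ASCII header cannot raise
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad_signature"
    return "ok"


def demo() -> dict:
    secret = b"constructed-per-site-secret"   # constructed sample value
    path = "/wp-json/fleetwp/v1/backup"       # hypothetical route name
    body = b'{"type":"full"}'                 # constructed sample body
    sent_at = 1_700_000_000_000
    sig = sign(secret, sent_at, "POST", path, body)
    args = (secret, sent_at, "POST", path)
    soon = sent_at + 2_000
    return {
        "valid": verify(*args, body, sig, now_ms=soon),
        "tampered_body": verify(*args, b'{"type":"none"}', sig, now_ms=soon),
        "wrong_method": verify(secret, sent_at, "GET", path, body, sig, now_ms=soon),
        "late_replay": verify(*args, body, sig, now_ms=sent_at + WINDOW_MS + 1),
        "non_ascii_sig": verify(*args, body, "\u00e9" * 64, now_ms=soon),
    }


if __name__ == "__main__":
    print(demo())
```

In this sketch an identical request received again inside the window still verifies; the page does not say whether the connector also tracks timestamps it has already seen.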
Directions
- Site → server — the connector posts a signed heartbeat (metrics, update inventory, PHP errors) and backup-status callbacks to /api/connector/*.
- Server → site — FleetWP sends signed commands to the plugin's /wp-json/fleetwp/v1/* routes.
Disconnecting
Disconnecting a site clears the pushed configuration (including any white-label branding) and the site stops accepting signed commands.