Monitoring a WordPress site seems simple enough: you install a plugin, a SaaS dashboard connects to it, and you get uptime and security metrics.
But as we highlighted in our recent Security Advisory on the SYSSY plugin, the architecture you choose dictates the attack surface you create. In this post, we’ll explore why traditional “Pull” architectures are inherently risky, how a “Push” architecture improves security, and why Vioro avoids plugins entirely.
The Flawed “Pull” Architecture
The most common approach for WordPress monitoring plugins is a “Pull” architecture.
- A plugin is installed on the client’s WordPress site.
- The plugin registers a custom REST API endpoint (e.g.,
wp-json/my-plugin/v1/metrics). - The central SaaS platform makes authenticated requests to this endpoint to pull data.
sequenceDiagram
participant SaaS as Monitoring SaaS
participant WP as WordPress Site (Plugin)
SaaS->>WP: GET /wp-json/plugin/v1/metrics (Token: API_KEY)
activate WP
Note over WP: Verifies Token<br>(High risk of implementation flaws)
WP-->>SaaS: 200 OK + Sensitive System Data
deactivate WP
Why this is dangerous:
- Inversion of Authority: By exposing a REST endpoint, the plugin acts as a server authenticating the SaaS, rather than a client authenticating to the SaaS. You are forcing every WordPress site to become an identity provider and authorization server - roles they were not built for.
- Mixing Concerns with Shared Secrets: Flawed implementations often reuse a single API key for conflicting purposes. For instance, in a recent vulnerability we analyzed, the exact same shared secret was used to both verify a JWT signature and act as the symmetric encryption key for the payload. A secret used for authentication should never double as an encryption key.
- Expanded Attack Surface: You’ve just opened a new door into your house. If there is a flaw in the lock (the authentication logic), anyone can walk in.
- Cryptography is Hard: Implementing robust authentication, like JWT verification, is prone to errors. Missing a single step can bypass the entire mechanism.
A Real-World Anti-Pattern
Consider this simplified snippet demonstrating the mixed-concerns anti-pattern:
// 1. The API key is used as the secret to verify the JWT signature
if ($this->verifyToken($jwt, $secret)) {
return true;
}
// ... later in the code ...
// 2. The EXACT SAME API key is hashed and used as the AES encryption key!
$key = hash('sha256', $secret, true);
$iv = openssl_random_pseudo_bytes(16);
$ciphertext = openssl_encrypt($plaintext, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
Using the same secret for both signing (authentication) and encryption is a severe cryptographic anti-pattern. If either mechanism is weakened or compromised, the other falls with it.
The Better Alternative: A “Push” Architecture
If you must build a plugin that handles sensitive system data, a “Push” architecture is significantly safer. Instead of exposing an endpoint that listens for inbound requests, the WordPress site initiates an outbound request to the SaaS.
sequenceDiagram
participant WP as WordPress Site (Plugin)
participant SaaS as Monitoring SaaS (Ingress API)
Note over WP: Triggered by WP-Cron or Action Hook
activate WP
WP->>SaaS: POST /ingress/v1/metrics (Token: SITE_KEY)
activate SaaS
Note over SaaS: Validates Token & Processes Data
SaaS-->>WP: 201 Created
deactivate SaaS
deactivate WP
Why this is safer:
- No Inbound Open Ports/Endpoints: Attackers scanning the internet cannot probe an endpoint that doesn’t exist.
- Simplified Authentication: The plugin only needs to securely store an API key to send data to the SaaS. The complex token verification logic happens on the SaaS side, which is centrally managed and patched by dedicated engineers, not reliant on the client updating a plugin.
- Reduced Impact of Compromise: If the client site is compromised, the attacker only gets the site’s own API key. They can send fake metrics to the SaaS, but they cannot use the SaaS to pull data from other sites.
The Vioro Approach: Outside-In (Zero Footprint)
While a push architecture is better, it still requires installing, configuring, and maintaining third-party code on your server. Every line of code is a liability.
That is why we built Vioro using an Outside-In approach. We don’t ask you to install plugins.
sequenceDiagram
participant Vioro as Vioro Scanners
participant WP as WordPress Site (No Plugins!)
Vioro->>WP: HTTP GET / (Public Interface)
activate WP
WP-->>Vioro: HTML, Headers, Static Assets
deactivate WP
Note over Vioro: Analyzes fingerprints, headers, TLS<br>Matches against NVD / Exploit DB
We monitor your websites exactly how attackers see them: from the outside. By mapping external fingerprints (like exposed versions, headers, and known vulnerabilities) to real-time CVE databases, we alert you to risks without adding new attack vectors to your WordPress installation.
The most secure code is the code you never write. Or in this case, the plugin you never install.