Unifyca Audit Connector

Description

Unifyca Audit Connector is a WordPress audit and monitoring plugin that can optionally connect to Unifyca, a WordPress Website Management and Website Documentation platform for agencies and freelancers.

Works locally.
No account required.
Connect to Unifyca only if you want centralized WordPress management and website documentation.

The plugin is designed for:

  • Freelancers who maintain WordPress sites for clients and want a fast, repeatable way to review them.
  • Agencies who need a consistent maintenance and reporting workflow across many WordPress installations.
  • Site owners who want a clearer picture of the operational health of their site without learning the WordPress internals.

The audit logic runs entirely on your own server. No site data leaves WordPress unless you explicitly connect the site to the Unifyca SaaS (described below). You can use the plugin for free, locally, without creating an account.

Full documentation and screenshots:
https://unifyca.com/en/docs/

What the local audit checks

Security

  • WordPress debug mode (WP_DEBUG) running on production
  • WordPress file editor enabled
  • XML-RPC endpoint enabled
  • HTTPS not enabled for the site URL
  • Directory listing on the site root
  • PHP execution allowed inside the uploads folder
  • Sensitive files publicly accessible (e.g. wp-config.php, .env, .git/)
  • Default admin username with administrator role
  • New administrator users detected since the last audit
  • debug.log file present in wp-content/

Maintenance

  • WordPress core version outdated
  • Plugin updates pending
  • Active theme update pending
  • Inactive plugins / inactive themes accumulating on disk
  • PHP runtime older than the version WordPress currently recommends
  • No backup plugin detected
  • No caching plugin detected
  • Maintenance mode currently active
  • Expired transients accumulated in wp_options

SEO

  • Search engines discouraged (Settings → Reading)
  • Homepage with no H1, multiple H1s or an empty H1

Privacy & compliance

  • Detection of files in the uploads directory that may carry identifying metadata (EXIF / GPS in images, author or device data in PDFs) and publicly-accessible backup files. This check is intentionally separate from the standard audit because it can be slower on large installations.

What you get for free, locally

  • On-demand local audit with one click from wp-admin
  • Overall website health score plus per-category scores (Security / Maintenance / SEO / Privacy)
  • Severity-aware issue cards with a human explanation, why it matters and the recommended action
  • Counters by severity (Critical / High / Warning / Info)
  • Clean, agency-friendly dashboard styling
  • No account required to use the plugin locally

What is Unifyca?

Unifyca is a WordPress Website Management platform.

It centralizes:

• WordPress maintenance
• Website monitoring
• Backups
• Website documentation
• Hosting & domains
• Credentials
• Client reports

Everything around your websites in one place.

What Unifyca SaaS adds (optional)

Manage multiple WordPress websites from one dashboard.

You can connect the site to the Unifyca SaaS at unifyca.com for centralised WordPress maintenance:

  • Apply safe fixes automatically from one dashboard
  • Manage every WordPress site you operate from a single screen
  • Schedule Autopilot fixes inside a configurable maintenance window
  • Receive uptime alerts when a site goes down
  • Generate white-label maintenance reports for clients
  • Keep a complete history of every audit and fix that has been applied
  • Keep hosting, domains, SSL certificates and credentials documented next to each website

Connecting is fully optional. The plugin will continue running local audits even if you never create a Unifyca account.

What this plugin is not

  • It is not a “set it and forget it” security shield. It detects and explains issues; it does not patch your site automatically without your action.
  • It does not guarantee security, GDPR compliance, or freedom from vulnerabilities. The local audit helps you spot common problems and review them — it does not certify any outcome.
  • It does not send telemetry. There is no anonymous usage tracking and no analytics.

External services

This plugin can optionally connect to Unifyca, a Software-as-a-Service (SaaS) platform for WordPress website management and documentation. The connection is never automatic: it requires an explicit administrator action (pasting the connection token generated by the plugin into the Unifyca dashboard). Until you do that, the plugin runs entirely locally and contacts no external service.

Service and domains

When the site is connected, the plugin communicates with the Unifyca SaaS over these domains:

  • https://unifyca.com — Unifyca website, documentation and account area.
  • https://app.unifyca.com — Unifyca application/API, including the optional disconnect-feedback endpoint described below.

What the service does

Unifyca lets agencies and freelancers manage many WordPress sites from one place: it runs remote audits, applies administrator-approved fixes, runs and stores backups, monitors uptime, and keeps maintenance history and documentation. The connector exposes a set of HMAC-authenticated REST endpoints that the Unifyca SaaS calls to provide these features.
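An added example (not the plugin's own code) of the kind of check the 2.0.1 changelog entry describes for these endpoints: connection state, timestamp freshness and an HMAC-SHA256 signature made with the shared secret. The header names, the canonical string layout, the 300-second window and the second route are assumptions; the page does not document the connector's wire format.

```php
<?php
// Added example. Header names, canonical string and skew window are assumptions,
// not the connector's documented wire format.
const EXAMPLE_MAX_SKEW = 300; // seconds a signed request stays acceptable (assumed)

/** String both sides sign: timestamp, method, route and a digest of the body. */
function example_canonical(string $ts, string $method, string $route, string $body): string
{
    return implode("\n", [$ts, strtoupper($method), $route, hash('sha256', $body)]);
}

/** Caller side: hex HMAC-SHA256 over the canonical string. */
function example_sign(string $secret, string $ts, string $method, string $route, string $body): string
{
    return hash_hmac('sha256', example_canonical($ts, $method, $route, $body), $secret);
}

/**
 * Receiver side: returns 'ok' or the reason the request is refused.
 * $secret is the stored shared secret ('' when the site is not connected).
 */
function example_verify(string $secret, array $headers, string $method, string $route, string $body, int $now): string
{
    if ($secret === '') {
        return 'not_connected';   // no pairing, so nothing can authenticate
    }
    $ts  = $headers['x-example-timestamp'] ?? '';
    $sig = $headers['x-example-signature'] ?? '';
    if (!preg_match('/^[0-9]{1,12}$/', $ts) || !preg_match('/^[0-9a-f]{64}$/', $sig)) {
        return 'malformed';
    }
    if (abs($now - (int) $ts) > EXAMPLE_MAX_SKEW) {
        return 'stale_timestamp'; // bounds how long a captured request can be replayed
    }
    $expected = example_sign($secret, $ts, $method, $route, $body);
    // hash_equals() compares in constant time, so a mismatch leaks no timing detail.
    return hash_equals($expected, $sig) ? 'ok' : 'bad_signature';
}

// Constructed sample data (secret, clock and body are made up for the demo).
$secret = 'constructed-shared-secret';
$now    = 1700000000;
$route  = '/unifyca/v1/audit';
$body   = '{"action":"audit"}';
$ts     = (string) $now;
$signed = [
    'x-example-timestamp' => $ts,
    'x-example-signature' => example_sign($secret, $ts, 'POST', $route, $body),
];

$cases = [
    'valid request'           => example_verify($secret, $signed, 'POST', $route, $body, $now),
    'body altered in transit' => example_verify($secret, $signed, 'POST', $route, '{"action":"x"}', $now),
    'replayed 10 minutes on'  => example_verify($secret, $signed, 'POST', $route, $body, $now + 600),
    // Hypothetical second route: a signature is only valid for the route it was made for.
    'reused on another route' => example_verify($secret, $signed, 'POST', '/unifyca/v1/other', $body, $now),
    'site disconnected'       => example_verify('', $signed, 'POST', $route, $body, $now),
];
foreach ($cases as $label => $result) {
    printf("%-26s %s\n", $label, $result);
}
```

In WordPress, a function like `example_verify` would be called from the `permission_callback` of `register_rest_route()`, returning `true` only for `'ok'`.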

What data is sent, and when

  • Local audits do not transmit any data externally. Running an audit from wp-admin keeps all results on your server.
  • Data is sent to Unifyca only after the site is explicitly connected, and only when the SaaS initiates an authenticated (HMAC-SHA256 signed) request — there is no scheduled or background “phone home”.
  • When connected, the data sent is the standard audit payload: WordPress core version, site URL, locale, timezone and multisite flag; installed plugins/themes metadata (name, slug, version, status, on-disk size — never code); server metadata (PHP version, memory limit, HTTPS state, WP_DEBUG and XML-RPC state, locally-resolved server IP); administrator account metadata (ID, login, email, display name, registration date and a one-way SHA-256 fingerprint of the password hash — never the hash itself); pending comment counts; and audit findings. Administrator login metadata (timestamp and IP of the last login) may be transmitted only when required for the security-monitoring features.
  • The plugin never sends database contents, post or page content, user passwords, or hosting/FTP/SSH/database credentials.

Optional disconnect feedback

When you disconnect the site, the confirmation dialog offers an optional “what made you disconnect?” reason and comment. The plugin sends a single non-blocking HTTPS POST to https://app.unifyca.com/ajax/wp-disconnect-feedback.php only if you fill in one of those fields and submit. The request contains the selected reason code, the optional comment (max 500 characters), the site URL, the connection token (so Unifyca can match the entry to the correct account) and the plugin version. Submitting feedback is never required to disconnect, and nothing is sent if you leave the fields empty.

Terms and privacy

  • Terms of Service: https://unifyca.com/en/terms/
  • Privacy Policy: https://unifyca.com/en/privacy/

Privacy

This plugin performs a local WordPress audit. Connecting the site to the Unifyca SaaS at unifyca.com is entirely optional and requires explicit administrator action. Local audits do not contact any external service; external communication only occurs after the administrator explicitly connects the site to Unifyca.

Data the plugin stores locally

The plugin writes a small set of options and user metas inside your WordPress database:

  • unifyca_connection_token, unifyca_token_status, unifyca_shared_secret, unifyca_connection_status, unifyca_connected_at — connection state, only populated when the site is connected to Unifyca.
  • unifyca_prev_admin_ids — list of administrator user IDs at the time of the last audit; used internally to detect newly added administrators between audits.
  • unifyca_disable_xmlrpc — set to 1 when an administrator chose to disable XML-RPC through a connector fix action.
  • unifyca_last_local_audit_at — ISO timestamp of the last local audit.
  • unifyca_last_privacy_lite_scan — structured result of the last lightweight privacy review (counts and a few sample relative paths, never metadata values).
  • unifyca_last_privacy_lite_scan_at — ISO timestamp of the last lightweight privacy review.
  • unifyca_disconnect_feedback_log — rolling local log of the last 20 disconnect feedback submissions (reason code, optional comment, site URL, connection token at the time, plugin version, ISO timestamp). Only written when the administrator submits the optional disconnect feedback form. Always available for inspection via WP-CLI: wp option get unifyca_disconnect_feedback_log --format=json.
  • _unifyca_last_login_at, _unifyca_last_login_ip (user metadata) — timestamp and IP of the most recent successful login for administrator users only. Used to flag suspicious administrator activity.

When the site is connected to Unifyca, this information may be transmitted to the Unifyca service to generate security alerts related to administrator account activity. The information is not used for advertising or profiling purposes.

All of the above are removed on plugin uninstall.

Data sent to Unifyca

The plugin does not transmit any data to Unifyca unless an administrator explicitly connects the site.

When connected, the plugin sends audit results and connection metadata required for the Unifyca service to operate.

The plugin does not send:

  • WordPress user passwords.
  • Hosting, FTP or SSH passwords.
  • Database passwords.
  • WordPress post or page contents.
  • Uploaded media files.
  • Backup archives unless the administrator explicitly configures an external backup destination or uses a Unifyca backup feature that requires file transfer.

Disconnecting the site stops future transmissions. Uninstalling the plugin removes all locally stored data listed above.

Third-party services used by the plugin

The local audit does not contact any third-party service. The plugin no longer performs an external public-IP lookup: the server IP reported in the audit is resolved locally from the web server environment only (SERVER_ADDR / hostname). When public IP detection is needed, it is handled server-side by Unifyca after the site has been connected.

The only external service the plugin can communicate with is the Unifyca SaaS (https://unifyca.com, https://app.unifyca.com), and only after the administrator explicitly connects the site. See the External services section above for full details, domains, Terms of Service and Privacy Policy.

Optional disconnect feedback

When you disconnect the site from Unifyca through the Connect to Unifyca tab, the confirmation modal exposes an optional “what made you disconnect?” reason selector with a short comment field. Submitting it is never required to disconnect.

No personal user data is sent automatically. The connected site URL and the optional feedback reason/comment may be shared with Unifyca only when you explicitly submit the disconnect feedback form. The site URL is included because, in some setups, it can identify a business or organisation; we are upfront about this so you can decide whether to submit feedback at all.

If — and only if — you fill in one of those fields, the plugin sends a single non-blocking HTTPS POST to https://app.unifyca.com/ajax/wp-disconnect-feedback.php containing: the selected reason code, the optional comment (up to 500 characters), the site URL, the connection token (so Unifyca can match the entry to the correct tenant), and the plugin version. On the Unifyca side, the token is hashed with SHA-256 before storage; the raw token is never persisted.

The connection token is the only stable identifier the plugin holds for the connected tenant — the handshake does not store a separate Unifyca tenant/project/site ID. The shared secret is deliberately never included in this payload.

The request is fire-and-forget: if it fails, the disconnect still completes normally. Nothing else is transmitted at this step.

Data sent to the Unifyca SaaS (only when the site is connected)

If the administrator pastes the connection token into Unifyca, the SaaS gains the ability to call the connector’s REST endpoints. From that moment on, the standard audit payload is transmitted to Unifyca when the SaaS triggers a sync. The payload contains:

  • WordPress core version, configured site URL, locale, timezone, multisite flag.
  • Installed plugins / themes (name, slug, version, status, on-disk size — never code).
  • Server metadata (PHP version, memory limit, HTTPS state, WP_DEBUG, XML-RPC enabled state, locally-resolved server IP — no external IP lookup is performed).
  • Administrator accounts: ID, login, email, display name, registration date and a SHA-256 fingerprint of the WordPress password hash. The raw password hash is NEVER transmitted — the fingerprint is one-way and exists only to detect password changes between syncs.
  • Pending comment counts (counts only; no comment content unless the SaaS specifically requests the moderation queue, which carries plain-text excerpts only).
  • Audit findings (counts, severity, alert metadata, paths to inactive plugins/themes when relevant).

The plugin never sends database contents, post content, page content, user passwords, or commercial data to any third party.

If the administrator disconnects the site (from the Connect to Unifyca tab), the shared secret is wiped and no further data can be sent to the SaaS until a new pairing is performed.

Telemetry and automatic data collection

None. The plugin does not run analytics, fingerprinting, scheduled “phone home” calls or any background data collection. Local audits make no outbound requests to external services. Every outgoing request to Unifyca falls into one of two explicit categories:

  • part of the documented SaaS sync, which only happens after the administrator has paired this site with Unifyca and is authenticated by HMAC,
  • the optional disconnect feedback POST described above, which is sent only when the administrator explicitly submits the form.

No personal user data, post content, page content, comment bodies or user passwords are ever transmitted in any of these cases.

Documentation

Complete documentation is available online:

  • English: https://unifyca.com/en/docs/
  • Español: https://unifyca.com/es/docs/
  • Català: https://unifyca.com/ca/docs/

The documentation includes setup guides, audit explanations, backup features, privacy details and troubleshooting information.

Source code

This plugin is distributed under the GPL v2 or later. All assets (CSS, JavaScript, SVG) included in the plugin ZIP are the unminified, human-readable source.

Installation

  1. Install Unifyca Audit Connector through Plugins → Add New, or upload the plugin folder to wp-content/plugins/.
  2. Activate the plugin.
  3. Go to Unifyca Audit in the wp-admin sidebar.
  4. Click Run audit to perform the first local audit. Results appear inline.
  5. (Optional) To connect this site to the Unifyca SaaS, open the Connect to Unifyca tab, copy the connection token and paste it into the corresponding Unifyca dashboard.

Requirements

  • WordPress 5.8 or newer
  • PHP 7.1 or newer
  • PHP curl extension recommended (used to read the homepage HTML when checking SEO heading structure)
  • PHP ZipArchive extension required for backups.

FAQ

What is WordPress Website Management?

WordPress Website Management is the practice of centralizing updates, audits, monitoring, backups and the infrastructure around websites.

Unifyca combines:

  • Security audits
  • Monitoring and uptime
  • Backups
  • Website documentation
  • Hosting and domains
  • Credentials
  • Client reports

Everything around your websites in one place.

Does the plugin modify my site automatically?

No. Local audits are read-only. No changes are made unless an administrator explicitly performs an action.

Does this plugin send my data anywhere?

No, not unless you explicitly connect the site to the Unifyca SaaS through the Connect to Unifyca tab.

When not connected, the local audit performs no outbound requests to any external service. The only network requests it can make are HTTPS loopback requests to your own site URL (to read the homepage HTML and to check whether files like wp-config.php respond publicly).

No site contents, no posts, no users, no credentials and no audit results are transmitted anywhere unless the site is explicitly connected. See the External services section for what happens once you connect.

How is the audit triggered?

Only on explicit action:

  • The wp-admin user clicks Run audit in the dashboard.
  • The Unifyca SaaS sends an HMAC-authenticated REST request to /wp-json/unifyca/v1/audit (this happens only when the site is connected).

There is no scheduled or background audit. There is no telemetry.

Can I keep using the plugin without creating a Unifyca account?

Yes. The local audit dashboard works fully without a Unifyca account. The Connect to Unifyca tab is purely optional.

What user role can run the audit?

Only users with the manage_options capability (typically administrators). All admin actions and the AJAX endpoint validate this capability and a WordPress nonce on every request.

Why does the audit take a few seconds?

The audit performs HTTP checks against your own site URL (homepage, sensitive paths) and synchronously calculates Site Health values. These checks are intentionally local and can take a few seconds on larger installations. Run the audit when you want fresh results — the dashboard does not auto-refresh.

Why is the score for one of my sites not 100?

The plugin penalises each detected issue based on severity (Critical, High, Warning, Info) and shows you exactly which checks contributed.

When the site is not connected to Unifyca, the dashboard exposes per-category tabs (Security, Maintenance, SEO, Privacy) with the full local list of findings and explanations.

When the site is connected to Unifyca, the wp-admin dashboard becomes a lightweight companion view and the detailed breakdown, fix history and automation live in the Unifyca dashboard.

Can I uninstall the plugin without leaving residual data?

Yes. When you delete the plugin from wp-admin → Plugins, the uninstall.php script runs and removes every option and user meta value the plugin has stored. No data remains.

Does this plugin guarantee my site is secure?

No. The audit helps detect and explain a number of common operational and security issues, but it cannot guarantee that a site is secure. Treat the findings as a checklist to review and improve — not as a certification.

Changelog

2.0.4

  • Compliance pass following the WordPress.org manual review.
  • Determine file/directory locations through the WordPress API instead of internal constants: the audit payload now reports the public content URL via content_url(), and other plugins’ on-disk size is measured by deriving the plugins root from plugin_dir_path() on the main file rather than WP_PLUGIN_DIR.
  • Disk-free-space probing no longer falls back to an absolute server path: if wp_upload_dir() cannot be resolved the probe is skipped.
  • Database backups are now stored as a protected ZIP archive (database.zip) only. The raw SQL is streamed to a temporary file (wp_tempnam()), added to the ZIP, and deleted immediately in both success and failure paths — a loose database.sql is never left on disk. ZIP support is required; there is no loose-SQL fallback.
  • Removed the literal ABSPATH token from user-facing error messages.

2.0.3

  • Restored the automatic “disable file editor” fix using a runtime-only define. When enabled, DISALLOW_FILE_EDIT is set with define() on every request from the plugin bootstrap — wp-config.php is never modified, no file is written to disk and an existing definition is never overridden.
  • WP_DEBUG remains detection-only with a manual recommendation; it is never changed automatically.

2.0.2

  • Compliance pass following the WordPress.org manual review.
  • Replaced all plugin cURL calls with the WordPress HTTP API (wp_remote_get).
  • The plugin no longer edits wp-config.php automatically. The WP_DEBUG and file-editor fixes now return a manual recommendation telling the administrator exactly which line to add; the audit still detects the issue.
  • Pre-modify file backups (e.g. .htaccess, robots.txt) are now stored inside ZIP archives in the protected uploads backup directory — no loose .bak or config files are ever written.
  • Stopped exposing absolute server paths (ABSPATH, WP_CONTENT_DIR, document root) in the audit payload and error messages.
  • Added the UNIFYCA_PLUGIN_URL constant and tidied file/directory location handling; writable storage always uses wp_upload_dir().

2.0.1

  • WordPress.org compliance pass following directory pre-review.
  • Removed the external public-IP lookup (api.ipify.org). Local audits now make no outbound requests to any external service; the server IP is resolved locally only.
  • Removed the connector self-update mechanism. The plugin now relies exclusively on the WordPress.org update infrastructure and no longer writes the update_plugins site transient.
  • Hardened backup storage: backups are stored under wp-content/uploads/unifyca-backups/ (via wp_upload_dir()), always protected with an index.php and a deny-all .htaccess. Core backups are written as a single ZIP archive — the plugin never leaves loose, web-accessible PHP files (e.g. wp-config.php, wp-settings.php) in the backup directory.
  • Replaced every __return_true REST permission callback with dedicated callbacks that verify the connection state, the HMAC signature (timestamp freshness + shared-secret), and, for backup downloads, the short-lived signed token.
  • Documented all external services and updated the Privacy section.

2.0.0

  • New wp-admin dashboard. Replaces the previous connector-only settings page with a full website-health audit experience.
  • Local audits run without a Unifyca account. The plugin can be used standalone.
  • New score system (overall + per-category) with consistent severity colours.
  • Issue cards include human explanations, “why it matters” and recommended actions.
  • New Unifyca_Audit_Engine class. Single source of truth for all audit checks.
  • New Unifyca_Alert_Catalog class. Translates raw audit data into UI-friendly issue cards.
  • New Unifyca_Score class. Pure score-calculation layer.
  • AJAX-driven “Run audit” button. No page reload. Nonce + manage_options enforced.
  • uninstall.php removes every option and user meta the plugin created.
  • WordPress.org-compliance pass: connector self-update gated behind UNIFYCA_ALLOW_CONNECTOR_SELF_UPDATE (off by default).

1.0.17

  • Connector-only release. Token pairing, HMAC validation and SaaS sync.