Title: Unifyca Audit Connector
Author: unifyca
Published: June 26, 2026
Last modified: June 26, 2026

---


![](https://ps.w.org/unifyca-audit-connector/assets/icon-256x256.png?rev=3587073)

# Unifyca Audit Connector

 By [unifyca](https://profiles.wordpress.org/unifyca/)

[Download](https://downloads.wordpress.org/plugin/unifyca-audit-connector.2.0.4.zip)


## Description

**Unifyca Audit Connector** is a WordPress audit and monitoring plugin that can 
optionally connect to Unifyca, a WordPress Website Management and Website Documentation
platform for agencies and freelancers.

Works locally. No account required. Connect to Unifyca only if you want centralized
WordPress management and website documentation.

The plugin is designed for:

 * **Freelancers** who maintain WordPress sites for clients and want a fast, repeatable
   way to review them.
 * **Agencies** who need a consistent maintenance and reporting workflow across 
   many WordPress installations.
 * **Site owners** who want a clearer picture of the operational health of their
   site without learning the WordPress internals.

The audit logic runs entirely on your own server. No site data leaves WordPress 
unless you explicitly connect the site to the Unifyca SaaS (described below). You
can use the plugin for free, locally, without creating an account.

Full documentation and screenshots:
 https://unifyca.com/en/docs/

#### What the local audit checks

**Security**

 * WordPress debug mode (`WP_DEBUG`) running on production
 * WordPress file editor enabled
 * XML-RPC endpoint enabled
 * HTTPS not enabled for the site URL
 * Directory listing on the site root
 * PHP execution allowed inside the uploads folder
 * Sensitive files publicly accessible (e.g. `wp-config.php`, `.env`, `.git/`)
 * Default `admin` username with administrator role
 * New administrator users detected since the last audit
 * `debug.log` file present in `wp-content/`

**Maintenance**

 * WordPress core version outdated
 * Plugin updates pending
 * Active theme update pending
 * Inactive plugins / inactive themes accumulating on disk
 * PHP runtime older than the version WordPress currently recommends
 * No backup plugin detected
 * No caching plugin detected
 * Maintenance mode currently active
 * Expired transients accumulated in `wp_options`

**SEO**

 * Search engines discouraged (Settings → Reading)
 * Homepage with no H1, multiple H1s or an empty H1

**Privacy & compliance**

 * Detection of files in the uploads directory that may carry identifying metadata
   (EXIF / GPS in images, author or device data in PDFs) and publicly-accessible
   backup files. This check is intentionally separate from the standard audit because
   it can be slower on large installations.

#### What you get for free, locally

 * On-demand local audit with one click from wp-admin
 * Overall website health score plus per-category scores (Security / Maintenance /
   SEO / Privacy)
 * Severity-aware issue cards with a human explanation, why it matters and the recommended
   action
 * Counters by severity (Critical / High / Warning / Info)
 * Clean, agency-friendly dashboard styling
 * No account required to use the plugin locally

#### What is Unifyca?

Unifyca is a WordPress Website Management platform.

It centralizes:

 * WordPress maintenance
 * Website monitoring
 * Backups
 * Website documentation
 * Hosting & domains
 * Credentials
 * Client reports

Everything around your websites in one place.

#### What Unifyca SaaS adds (optional)

Manage multiple WordPress websites from one dashboard.

You can connect the site to the Unifyca SaaS at [unifyca.com](https://unifyca.com)
for centralised WordPress maintenance:

 * Apply safe fixes automatically from one dashboard
 * Manage every WordPress site you operate from a single screen
 * Schedule Autopilot fixes inside a configurable maintenance window
 * Receive uptime alerts when a site goes down
 * Generate white-label maintenance reports for clients
 * Keep a complete history of every audit and fix that has been applied
 * Keep hosting, domains, SSL certificates and credentials documented next to each
   website

Connecting is fully optional. The plugin will continue running local audits even
if you never create a Unifyca account.

#### What this plugin is not

 * It is not a “set it and forget it” security shield. It detects and explains issues;
   it does not patch your site automatically without your action.
 * It does not guarantee security, GDPR compliance, or freedom from vulnerabilities.
   The local audit helps you spot common problems and review them — it does not 
   certify any outcome.
 * It does not send telemetry. There is no anonymous usage tracking and no analytics.

### External services

This plugin can optionally connect to **Unifyca**, a Software-as-a-Service (SaaS)
platform for WordPress website management and documentation. The connection is
**never automatic**: it requires an explicit administrator action (pasting the connection
token generated by the plugin into the Unifyca dashboard). Until you do that, the
plugin runs entirely locally and contacts no external service.

#### Service and domains

When the site is connected, the plugin communicates with the Unifyca SaaS over these
domains:

 * `https://unifyca.com` — Unifyca website, documentation and account area.
 * `https://app.unifyca.com` — Unifyca application/API, including the optional
   disconnect-feedback endpoint described below.

#### What the service does

Unifyca lets agencies and freelancers manage many WordPress sites from one place:
it runs remote audits, applies administrator-approved fixes, runs and stores backups,
monitors uptime, and keeps maintenance history and documentation. The connector 
exposes a set of HMAC-authenticated REST endpoints that the Unifyca SaaS calls to
provide these features.

#### What data is sent, and when

 * **Local audits do not transmit any data externally.** Running an audit from
   wp-admin keeps all results on your server.
 * Data is sent to Unifyca **only after the site is explicitly connected**, and 
   only when the SaaS initiates an authenticated (HMAC-SHA256 signed) request — 
   there is no scheduled or background “phone home”.
 * When connected, the data sent is the standard audit payload: WordPress core version,
   site URL, locale, timezone and multisite flag; installed plugins/themes metadata
   (name, slug, version, status, on-disk size — never code); server metadata (PHP
   version, memory limit, HTTPS state, `WP_DEBUG` and XML-RPC state, locally-resolved
   server IP); administrator account metadata (ID, login, email, display name, registration
   date and a one-way SHA-256 fingerprint of the password hash — never the hash
   itself); pending comment counts; and audit findings. Administrator login metadata
   (timestamp and IP of the last login) may be transmitted only when required for
   the security-monitoring features.
 * The plugin never sends database contents, post or page content, user passwords,
   or hosting/FTP/SSH/database credentials.

#### Optional disconnect feedback

When you disconnect the site, the confirmation dialog offers an **optional** “what
made you disconnect?” reason and comment. Only if you fill one of those fields in
and submit, the plugin sends a single non-blocking HTTPS POST to
`https://app.unifyca.com/ajax/wp-disconnect-feedback.php` containing the selected
reason code, the optional comment (max 500 characters), the site URL, the connection
token (so Unifyca can match the entry to the correct account) and the plugin version.
Submitting feedback is never required to disconnect, and nothing is sent if you leave
the fields empty.

#### Terms and privacy

 * Terms of Service: https://unifyca.com/en/terms/
 * Privacy Policy: https://unifyca.com/en/privacy/

### Privacy

This plugin performs a local WordPress audit. Connecting the site to the Unifyca
SaaS at unifyca.com is entirely optional and requires explicit administrator action.
Local audits do not contact any external service; external communication only occurs
after the administrator explicitly connects the site to Unifyca.

#### Data the plugin stores locally

The plugin writes a small set of options and user metas inside your WordPress database:

 * `unifyca_connection_token`, `unifyca_token_status`, `unifyca_shared_secret`,
   `unifyca_connection_status`, `unifyca_connected_at` — connection state, only populated
   when the site is connected to Unifyca.
 * `unifyca_prev_admin_ids` — list of administrator user IDs at the time of the 
   last audit; used internally to detect newly added administrators between audits.
 * `unifyca_disable_xmlrpc` — set to 1 when an administrator chose to disable
   XML-RPC through a connector fix action.
 * `unifyca_last_local_audit_at` — ISO timestamp of the last local audit.
 * `unifyca_last_privacy_lite_scan` — structured result of the last lightweight 
   privacy review (counts and a few sample relative paths, never metadata values).
 * `unifyca_last_privacy_lite_scan_at` — ISO timestamp of the last lightweight privacy
   review.
 * `unifyca_disconnect_feedback_log` — rolling local log of the last 20 disconnect
   feedback submissions (reason code, optional comment, site URL, connection token
   at the time, plugin version, ISO timestamp). Only written when the administrator
   submits the optional disconnect feedback form. Always available for inspection
   via WP-CLI: `wp option get unifyca_disconnect_feedback_log --format=json`.
 * `_unifyca_last_login_at`, `_unifyca_last_login_ip` (user metadata) — timestamp
   and IP of the most recent successful login for administrator users only. Used
   to flag suspicious administrator activity.

When the site is connected to Unifyca, this information may be transmitted to the
Unifyca service to generate security alerts related to administrator account activity.
The information is not used for advertising or profiling purposes.

All of the above are removed on plugin uninstall.

#### Data sent to Unifyca

The plugin does not transmit any data to Unifyca unless an administrator explicitly
connects the site.

When connected, the plugin sends audit results and connection metadata required 
for the Unifyca service to operate.

The plugin does not send:

 * WordPress user passwords.
 * Hosting, FTP or SSH passwords.
 * Database passwords.
 * WordPress post or page contents.
 * Uploaded media files.
 * Backup archives unless the administrator explicitly configures an external backup
   destination or uses a Unifyca backup feature that requires file transfer.

Disconnecting the site stops future transmissions. Uninstalling the plugin removes
all locally stored data listed above.

#### Third-party services used by the plugin

The local audit does not contact any third-party service. The plugin no longer performs
an external public-IP lookup: the server IP reported in the audit is resolved locally
from the web server environment only (`SERVER_ADDR` / hostname). When public IP 
detection is needed, it is handled server-side by Unifyca after the site has been
connected.

The only external service the plugin can communicate with is the **Unifyca SaaS**
(`https://unifyca.com`, `https://app.unifyca.com`), and only after the administrator
explicitly connects the site. See the _External services_ section above for full
details, domains, Terms of Service and Privacy Policy.

#### Optional disconnect feedback

When you disconnect the site from Unifyca through the **Connect to Unifyca** tab,
the confirmation modal exposes an _optional_ “what made you disconnect?” reason 
selector with a short comment field. Submitting it is never required to disconnect.

**No personal user data is sent automatically.** The connected site URL and the 
optional feedback reason/comment may be shared with Unifyca **only** when you explicitly
submit the disconnect feedback form. The site URL is included because, in some setups,
it can identify a business or organisation; we are upfront about this so you can
decide whether to submit feedback at all.

If — and only if — you fill in one of those fields, the plugin sends a single
non-blocking HTTPS POST to `https://app.unifyca.com/ajax/wp-disconnect-feedback.php`
containing: the selected reason code, the optional comment (up to 500 characters),
the site URL, the connection token (so Unifyca can match the entry to the correct
tenant), and the plugin version. On the Unifyca side, the token is hashed with
SHA-256 before storage; the raw token is never persisted.

The connection token is the only stable identifier the plugin holds for the connected
tenant — the handshake does not store a separate Unifyca tenant/project/site ID.
The shared secret is deliberately never included in this payload.

The request is fire-and-forget: if it fails, the disconnect still completes normally.
Nothing else is transmitted at this step.

#### Data sent to the Unifyca SaaS (only when the site is connected)

If the administrator pastes the connection token into Unifyca, the SaaS gains the
ability to call the connector’s REST endpoints. From that moment on, the standard
audit payload is transmitted to Unifyca when the SaaS triggers a sync. The payload
contains:

 * WordPress core version, configured site URL, locale, timezone, multisite flag.
 * Installed plugins / themes (name, slug, version, status, on-disk size — never
   code).
 * Server metadata (PHP version, memory limit, HTTPS state, `WP_DEBUG`, XML-RPC 
   enabled state, locally-resolved server IP — no external IP lookup is performed).
 * Administrator accounts: ID, login, email, display name, registration date and
   a SHA-256 fingerprint of the WordPress password hash. The raw password hash is
   NEVER transmitted — the fingerprint is one-way and exists only to detect password
   changes between syncs.
 * Pending comment counts (counts only; no comment content unless the SaaS specifically
   requests the moderation queue, which carries plain-text excerpts only).
 * Audit findings (counts, severity, alert metadata, paths to inactive plugins/themes
   when relevant).

The plugin never sends database contents, post content, page content, user passwords,
or commercial data to any third party.

If the administrator disconnects the site (from the **Connect to Unifyca** tab),
the shared secret is wiped and no further data can be sent to the SaaS until a new
pairing is performed.

#### Telemetry and automatic data collection

None. The plugin does not run analytics, fingerprinting, scheduled “phone home” 
calls or any background data collection. Local audits make no outbound requests 
to external services. Every outgoing request to Unifyca falls into one of two explicit
categories:

 * part of the documented SaaS sync, which only happens after the administrator 
   has paired this site with Unifyca and is authenticated by HMAC,
 * the optional disconnect feedback POST described above, which is sent **only**
   when the administrator explicitly submits the form.

No personal user data, post content, page content, comment bodies or user passwords
are ever transmitted in any of these cases.

### Documentation

Complete documentation is available online:

 * English: https://unifyca.com/en/docs/
 * Español: https://unifyca.com/es/docs/
 * Català: https://unifyca.com/ca/docs/

The documentation includes setup guides, audit explanations, backup features, privacy
details and troubleshooting information.

### Source code

This plugin is distributed under the GPL v2 or later. All assets (CSS, JavaScript,
SVG) included in the plugin ZIP are the unminified, human-readable source.

## Installation

 1. Install **Unifyca Audit Connector** through Plugins → Add New, or upload the plugin
    folder to `wp-content/plugins/`.
 2. Activate the plugin.
 3. Go to **Unifyca Audit** in the wp-admin sidebar.
 4. Click **Run audit** to perform the first local audit. Results appear inline.
 5. (Optional) To connect this site to the Unifyca SaaS, open the **Connect to Unifyca**
    tab, copy the connection token and paste it into the corresponding Unifyca dashboard.

#### Requirements

 * WordPress 5.8 or newer
 * PHP 7.1 or newer
 * PHP `curl` extension recommended (used to read the homepage HTML when checking
   SEO heading structure)
 * PHP ZipArchive extension required for backups.

## FAQ

### What is WordPress Website Management?

WordPress Website Management is the practice of centralizing updates, audits, monitoring,
backups and the infrastructure around websites.

Unifyca combines:

 * Security audits
 * Monitoring and uptime
 * Backups
 * Website documentation
 * Hosting and domains
 * Credentials
 * Client reports

Everything around your websites in one place.

### Does the plugin modify my site automatically?

No. Local audits are read-only. No changes are made unless an administrator explicitly
performs an action.

### Does this plugin send my data anywhere?

No, not unless you explicitly connect the site to the Unifyca SaaS through the
**Connect to Unifyca** tab.

When **not connected**, the local audit performs no outbound requests to any external
service. The only network requests it can make are HTTPS loopback requests to your
own site URL (to read the homepage HTML and to check whether files like
`wp-config.php` respond publicly).

No site contents, no posts, no users, no credentials and no audit results are transmitted
anywhere unless the site is explicitly connected. See the _External services_ section
above for what happens once you connect.

### How is the audit triggered?

Only on explicit action:

 * The wp-admin user clicks **Run audit** in the dashboard.
 * The Unifyca SaaS sends an HMAC-authenticated REST request to
   `/wp-json/unifyca/v1/audit` (this happens only when the site is connected).

There is no scheduled or background audit. There is no telemetry.

### Can I keep using the plugin without creating a Unifyca account?

Yes. The local audit dashboard works fully without a Unifyca account. The **Connect
to Unifyca** tab is purely optional.

### What user role can run the audit?

Only users with the `manage_options` capability (typically administrators). All 
admin actions and the AJAX endpoint validate this capability and a WordPress nonce
on every request.

### Why does the audit take a few seconds?

The audit performs HTTP checks against your own site URL (homepage, sensitive paths)
and synchronously calculates Site Health values. These checks are intentionally 
local and can take a few seconds on larger installations. Run the audit when you
want fresh results — the dashboard does not auto-refresh.

### Why is the score for one of my sites not 100?

The plugin penalises each detected issue based on severity (Critical, High, Warning,
Info) and shows you exactly which checks contributed.

When the site is **not connected** to Unifyca, the dashboard exposes per-category
tabs (Security, Maintenance, SEO, Privacy) with the full local list of findings 
and explanations.

When the site **is connected** to Unifyca, the wp-admin dashboard becomes a lightweight
companion view and the detailed breakdown, fix history and automation live in the
Unifyca dashboard.

### Can I uninstall the plugin without leaving residual data?

Yes. When you delete the plugin from wp-admin → Plugins, the `uninstall.php` script
runs and removes every option and user meta value the plugin has stored. No data
remains.

### Does this plugin guarantee my site is secure?

No. The audit helps detect and explain a number of common operational and security
issues, but it cannot guarantee that a site is secure. Treat the findings as a checklist
to review and improve — not as a certification.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Unifyca Audit Connector” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ unifyca ](https://profiles.wordpress.org/unifyca/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/unifyca-audit-connector/),
check out the [SVN repository](https://plugins.svn.wordpress.org/unifyca-audit-connector/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/unifyca-audit-connector/)
by [RSS](https://plugins.trac.wordpress.org/log/unifyca-audit-connector/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.0.4

 * Compliance pass following the WordPress.org manual review.
 * Determine file/directory locations through the WordPress API instead of internal
   constants: the audit payload now reports the public content URL via `content_url()`,
   and other plugins’ on-disk size is measured by deriving the plugins root from
   `plugin_dir_path()` on the main file rather than `WP_PLUGIN_DIR`.
 * Disk-free-space probing no longer falls back to an absolute server path: if
   `wp_upload_dir()` cannot be resolved the probe is skipped.
 * Database backups are now stored as a protected ZIP archive (`database.zip`) only.
   The raw SQL is streamed to a temporary file (`wp_tempnam()`), added to the ZIP,
   and deleted immediately in both success and failure paths — a loose
   `database.sql` is never left on disk. ZIP support is required; there is no
   loose-SQL fallback.
 * Removed the literal `ABSPATH` token from user-facing error messages.

#### 2.0.3

 * Restored the automatic “disable file editor” fix using a runtime-only define.
   When enabled, DISALLOW_FILE_EDIT is set with `define()` on every request from
   the plugin bootstrap — wp-config.php is never modified, no file is written to
   disk and an existing definition is never overridden.
 * WP_DEBUG remains detection-only with a manual recommendation; it is never changed
   automatically.

#### 2.0.2

 * Compliance pass following the WordPress.org manual review.
 * Replaced all plugin cURL calls with the WordPress HTTP API (`wp_remote_get`).
 * The plugin no longer edits wp-config.php automatically. The WP_DEBUG and
   file-editor fixes now return a manual recommendation telling the administrator
   exactly which line to add; the audit still detects the issue.
 * Pre-modify file backups (e.g. .htaccess, robots.txt) are now stored inside ZIP
   archives in the protected uploads backup directory — no loose `.bak` or config
   files are ever written.
 * Stopped exposing absolute server paths (ABSPATH, WP_CONTENT_DIR, document root)
   in the audit payload and error messages.
 * Added the `UNIFYCA_PLUGIN_URL` constant and tidied file/directory location handling;
   writable storage always uses `wp_upload_dir()`.

#### 2.0.1

 * WordPress.org compliance pass following directory pre-review.
 * Removed the external public-IP lookup (`api.ipify.org`). Local audits now make
   no outbound requests to any external service; the server IP is resolved locally
   only.
 * Removed the connector self-update mechanism. The plugin now relies exclusively
   on the WordPress.org update infrastructure and no longer writes the `update_plugins`
   site transient.
 * Hardened backup storage: backups are stored under
   `wp-content/uploads/unifyca-backups/` (via `wp_upload_dir()`), always protected
   with an `index.php` and a deny-all `.htaccess`. Core backups are written as a
   single ZIP archive — the plugin never leaves loose, web-accessible PHP files
   (e.g. `wp-config.php`, `wp-settings.php`) in the backup directory.
 * Replaced every `__return_true` REST permission callback with dedicated callbacks
   that verify the connection state, the HMAC signature (timestamp freshness +
   shared-secret), and, for backup downloads, the short-lived signed token.
 * Documented all external services and updated the Privacy section.
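
The checks that the 2.0.1 entry above and the _External services_ section describe for the REST endpoints (connection state, timestamp freshness, HMAC-SHA256 with the shared secret) look like this in PHP. This is an added example, not the plugin's own code: the `example/v1` route, the `example_shared_secret` option, the `X-Example-*` header names, the signed-string layout and the 300-second window are all assumptions.

```php
<?php
// Added example, not the plugin's code. Header names, the signed-string layout
// and the 300-second window are assumptions made for illustration.
const EXAMPLE_MAX_SKEW = 300; // seconds a signed request stays valid (assumed)

/**
 * Returns true only for a fresh, correctly signed request.
 * $headers uses lower-case keys; $secret is the pairing secret ('' = not paired).
 */
function example_verify_signed_request(string $method, string $route, string $body,
    array $headers, string $secret, int $now): bool
{
    // 1. Connection state: without a stored secret nothing can authenticate.
    if ($secret === '') {
        return false;
    }
    $ts  = $headers['x-example-timestamp'] ?? '';
    $sig = $headers['x-example-signature'] ?? '';
    // 2. Shape checks before any arithmetic or comparison.
    if (!is_string($ts) || !is_string($sig)
        || !preg_match('/\A\d{1,10}\z/', $ts) || !preg_match('/\A[0-9a-f]{64}\z/', $sig)) {
        return false;
    }
    // 3. Freshness: stale or future-dated requests are rejected to bound replay.
    if (abs($now - (int) $ts) > EXAMPLE_MAX_SKEW) {
        return false;
    }
    // 4. The MAC covers method, route, timestamp and a digest of the body, so a
    //    captured signature cannot be reused for another endpoint or payload.
    $message  = implode("\n", [strtoupper($method), $route, $ts, hash('sha256', $body)]);
    $expected = hash_hmac('sha256', $message, $secret);
    // 5. Constant-time comparison; == or === would leak timing information.
    return hash_equals($expected, $sig);
}

// WordPress wiring (active only inside WordPress): the permission callback takes
// the place of '__return_true', so unsigned callers are rejected before the
// route handler runs.
if (function_exists('add_action')) {
    add_action('rest_api_init', function () {
        register_rest_route('example/v1', '/audit', [
            'methods'             => 'POST',
            'callback'            => function () { return ['ok' => true]; },
            'permission_callback' => function (WP_REST_Request $r) {
                return example_verify_signed_request(
                    $r->get_method(), $r->get_route(), $r->get_body(),
                    ['x-example-timestamp' => (string) $r->get_header('x-example-timestamp'),
                     'x-example-signature' => (string) $r->get_header('x-example-signature')],
                    (string) get_option('example_shared_secret', ''), time()
                );
            },
        ]);
    });
}

// Constructed sample exchange for the command line: php example.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $secret = 'constructed-demo-secret';
    $now    = 1750000000;
    $body   = '{"action":"audit"}';
    $route  = '/example/v1/audit';
    $sign   = function (string $ts, string $b) use ($secret, $route): string {
        $msg = implode("\n", ['POST', $route, $ts, hash('sha256', $b)]);
        return hash_hmac('sha256', $msg, $secret);
    };
    $old   = (string) ($now - 3600);
    $cases = [
        'valid'          => [$body, (string) $now, $sign((string) $now, $body), $secret],
        'stale (replay)' => [$body, $old, $sign($old, $body), $secret],
        'body tampered'  => ['{"action":"other"}', (string) $now, $sign((string) $now, $body), $secret],
        'not connected'  => [$body, (string) $now, $sign((string) $now, $body), ''],
    ];
    foreach ($cases as $name => [$b, $ts, $sig, $stored]) {
        $ok = example_verify_signed_request('POST', $route, $b,
            ['x-example-timestamp' => $ts, 'x-example-signature' => $sig], $stored, $now);
        printf("%-16s %s\n", $name, $ok ? 'accepted' : 'rejected');
    }
}
```

A freshness window only bounds replay to that window; rejecting a duplicate inside it would additionally need a record of recently seen signatures or nonces.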

#### 2.0.0

 * New wp-admin dashboard. Replaces the previous connector-only settings page with
   a full website-health audit experience.
 * Local audits run without a Unifyca account. The plugin can be used standalone.
 * New score system (overall + per-category) with consistent severity colours.
 * Issue cards include human explanations, “why it matters” and recommended actions.
 * New `Unifyca_Audit_Engine` class. Single source of truth for all audit checks.
 * New `Unifyca_Alert_Catalog` class. Translates raw audit data into UI-friendly
   issue cards.
 * New `Unifyca_Score` class. Pure score-calculation layer.
 * AJAX-driven “Run audit” button. No page reload. Nonce + `manage_options` enforced.
 * `uninstall.php` removes every option and user meta the plugin created.
 * WordPress.org-compliance pass: connector self-update gated behind
   `UNIFYCA_ALLOW_CONNECTOR_SELF_UPDATE` (off by default).

#### 1.0.17

 * Connector-only release. Token pairing, HMAC validation and SaaS sync.

## Meta

 * Version **2.0.4**
 * Last updated **23 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to **7.0**
 * PHP version **7.1 or higher**
 * Tags: [security audit](https://wordpress.org/plugins/tags/security-audit/),
   [wordpress backup](https://wordpress.org/plugins/tags/wordpress-backup/),
   [WordPress Management](https://wordpress.org/plugins/tags/wordpress-management/),
   [wordpress monitoring](https://wordpress.org/plugins/tags/wordpress-monitoring/)
