Remote Management API
REST API endpoints for remote site management: bulk updates and individual plugin actions.
Overview
The Remote Management API allows the RakuWP panel to perform actions on connected WordPress sites. These endpoints are registered on the WordPress site by the RakuWP plugin and are called by the panel, not by the user directly.
Authentication
All Remote endpoints use the license key for authentication via the X-RakuWP-Key HTTP header. The panel looks up the license key from the license_activations table and sends it with each request. The plugin verifies it against the stored rakuwp_license_key option using hash_equals().
Additionally, the Remote service must be enabled on the site (rakuwp_enabled_services must include the Remote service). Requests to sites without the Remote service enabled will be rejected.
Endpoints
Bulk Update
POST /wp-json/rakuwp/v1/remote/update
Runs all pending plugin, theme, and WordPress core updates on the site.
Process
- Loads WordPress upgrader classes
- Iterates
update_pluginstransient and upgrades each plugin - Iterates
update_themestransient and upgrades each theme - Checks
update_coretransient and upgrades core if available - Clears all update transients and refreshes checks
- Re-syncs site data with the panel via
verify_site()
Response
{
"success": true,
"results": {
"plugins": [
{ "slug": "akismet/akismet.php", "new_version": "5.3", "success": true }
],
"themes": [
{ "slug": "flavor", "new_version": "2.1", "success": true }
],
"core": { "new_version": "6.5", "success": true }
},
"errors": []
}Each item in plugins and themes includes a success boolean and optionally an error string. The core field is null when WordPress is already up to date.
Plugin Action
POST /wp-json/rakuwp/v1/remote/plugin-action
Performs a single action on a specific plugin.
Request Body
{
"action": "update",
"plugin": "akismet/akismet.php"
}Available Actions
| Action | Description |
|---|---|
update | Update the plugin to the latest version |
activate | Activate the plugin |
deactivate | Deactivate the plugin |
delete | Deactivate (if active) and delete the plugin files |
Safety
Actions on the RakuWP plugin itself are blocked and will return an HTTP 403 error. This prevents accidentally disabling or deleting the management plugin.
Response
{
"success": true,
"action": "update",
"plugin": "akismet/akismet.php"
}Panel Endpoints
The panel exposes its own endpoints that the frontend calls via AJAX. These require session authentication and CSRF token validation via the X-CSRF-TOKEN header.
Bulk Update (Panel)
POST /remote/update
Request Body
{
"site_ids": [1, 2, 3]
}Triggers bulk updates on the selected sites. For each site, the panel looks up the license key and sends a request to the site's /wp-json/rakuwp/v1/remote/update endpoint.
Plugin Action (Panel)
POST /remote/plugin-action
Request Body
{
"site_id": 1,
"action": "update",
"plugin": "akismet/akismet.php"
}Performs a single plugin action on the specified site. The panel verifies user access, looks up the license key, and forwards the request to the site.
Error Handling
| Code | Cause |
|---|---|
| 401 | Missing or invalid X-RakuWP-Key header |
| 403 | Remote service not enabled, or action on RakuWP plugin blocked |
| 400 | Missing required parameters (action, plugin) |
| 404 | Plugin not found on the site |
Audit Logging
All remote actions are recorded in the audit log:
| Action | Entity Type | Context |
|---|---|---|
update | remote_update | Bulk update per site with plugin/theme/core counts |
update | remote_plugin | Single plugin update |
activate | remote_plugin | Plugin activation |
deactivate | remote_plugin | Plugin deactivation |
delete | remote_plugin | Plugin deletion |