For multi-property orgs

Eighty sites. One baseline. No surprises.

WPShake runs a single baseline policy across every property in your fleet, on any host. Sites that drift below the floor are surfaced with a per-site recommendation. Your team approves, the agent executes, the audit log captures it. The compliance team gets the file, not a screenshot.

Fleet baseline

One policy. Every site. The agent checks every property against your floor and tells you what's safe to bump and in what order.

  • Minimum WP and PHP version
  • Required plugins (backup, security, monitoring)
  • Forbidden plugins (known-vulnerable, end-of-life)
  • TLS and HTTPS rules

Per-site recommendation

The "right" PHP version depends on the host, the plugin stack, the PHP support window, and the rest of your fleet. The agent thinks about all of it.

  • Reasoning, not just a version number
  • Host capability ceiling respected
  • Upstream PHP end-of-life dates tracked
  • Fleet majority consolidation when a real majority exists

SSO and RBAC

Real identity. SAML 2.0 and OIDC. Custom roles per tenant. Permissions scoped per site, per environment, per playbook.

  • Okta, Microsoft Entra, Google Workspace, OneLogin
  • SCIM provisioning Planned
  • Owner, admin, operator, auditor, viewer (and custom)
  • Per-property and per-environment access

Change approval

Multi-reviewer sign-off before production. The agent requests, waits, executes, captures everything. Your change board lives inside the dashboard, not a separate ticketing tool.

  • Reviewer chains by environment and risk class
  • Time-windowed approval (executes inside the window only)
  • Dry-run on staging before any production action
  • Full diff captured in the audit log

Audit export

Every agent decision, every action, every approval. Pulled into your SIEM as NDJSON or CSV. The compliance team gets the file, not a screenshot.

  • CSV, JSON, NDJSON
  • Datadog, Splunk, Sumo Logic, New Relic
  • PagerDuty Events v2 for incidents
  • Retention configurable per tenant

White-label and sub-tenants Planned

HQ tenant with regional sub-tenants. Branded dashboard. A franchise group, a multinational, a media holding can run their structure inside one WPShake instance.

  • Subdomain, logo, accent colour per tenant
  • Parent policy inherited by sub-tenants
  • Per-sub-tenant billing roll-up
  • Per-sub-tenant access boundary

WordPress multisite

A network and its subsites show up as one connected entity. The agent enumerates subsites, runs the inventory pull on each, and rolls up the network-level view alongside the per-subsite detail.

  • Network connector plugin (network-activated)
  • Per-subsite plugin, theme, PHP error, backup, activity, malware, broken-link state
  • Per-subsite recommendations and health score
  • Network-level baseline policy applies across every subsite
// Engine, not just dashboard

Bring your own surface.

Every signal the WPShake dashboard shows is available over a public REST API and an MCP server. Pipe it into your own ops dashboard or build a client portal. Or let an external agent query the fleet on your behalf. 

$ curl https://wpshake.com/api/v1/sites \
    -H "Authorization: Bearer wps_..."

{
  "sites": [
    { "id": "s_...", "name": "Brand HQ EU",
      "url": "https://eu.brand.com",
      "versions": { "wp": "6.9.4", "php": "8.2.31" } },
    ...
  ]
}

Live API catalogue →

SOC 2

In progress with Drata. Letter of attestation available on request.

DPA

GDPR-aligned data processing agreement. Standard contract or your paper.

Subprocessors

Published list of every vendor in the data path. Updated on change.

SSO mandatory

On the enterprise tier. No shared passwords, no exceptions.

EU residency

Data stored in the EU region. No US replication unless you opt in.

Penetration test

Annual third-party test. Summary report available under NDA.

Talk to us about the enterprise tier.

Procurement-ready from day one. SOC 2 in progress, DPA, subprocessor list, EU residency.

Email the team