WP Vanguard Partner API - Security Scanning for Agencies and Hosting Companies
By WP Vanguard Team
If you manage 50, 500, or 5,000 WordPress sites, running security scans one at a time is not practical. You need an API that fits into your existing workflow, runs scans on your schedule, and reports results back to your platform automatically.
That is exactly what the WP Vanguard Partner API does.
What the Partner API Offers
The Partner API gives you programmatic access to the same scanning and cleanup tools available on our web dashboard. Everything runs through a simple REST API authenticated with an API key.
Surface scans check a site from the outside over HTTP. No server access needed. You get WordPress version detection, plugin and theme fingerprinting, vulnerability matching against 38,000+ CVEs, security header analysis, SSL validation, blacklist checks across 11 services, and an overall security grade from A to F.
Deep scans connect via SSH and examine the site from the inside. Core file integrity checks, plugin and theme verification against wordpress.org, malware signature scanning with 48+ detection patterns, uploads directory inspection, admin user auditing, database injection checks, and recently modified file analysis.
Malware cleanup removes infections, restores core files, hardens wp-config, and verifies the site is clean. Professional cleanup handled by our team.
How It Works
The integration is straightforward.
Step 1: Get your API key. We set up your partner account with the right tier for your volume. You receive an API key.
Step 2: Authenticate. Add your key to the X-Api-Key header on every request.
Step 3: Start scanning. A surface scan is one POST request:
curl -X POST https://wpvanguard.com/api/v1/scans/surface \
-H "X-Api-Key: your_key" \
-H "Content-Type: application/json" \
-d '{"url": "https://client-site.com"}'
You get back a scan ID and a poll URL. Check the status endpoint until the scan completes, or set up a webhook and we push the result to you.
Step 4: Read results. Fetch the full scan report with grades, issues by severity, and specific findings.
For deep scans, register your sites first with SSH credentials (encrypted at rest), then trigger scans against those sites.
Built for Production Workloads
Running scans at scale requires more than just endpoints. Here is what the Partner API includes out of the box.
Rate Limits and Quotas
Every response includes headers showing your current rate limit status and monthly quota usage:
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 8
X-RateLimit-Reset: 1709301600
X-Quota-Limit: 2000
X-Quota-Remaining: 1847
X-Quota-Reset: 2026-03-31T23:59:59+00:00
Rate limits are per-minute. Quotas are per-month and reset on the 1st. You always know exactly where you stand.
Webhooks
Instead of polling for scan results, configure a webhook URL and we POST the result to you when the scan completes. Webhook payloads include an HMAC-SHA256 signature so you can verify they came from us. Failed deliveries retry automatically with exponential backoff.
Idempotency
Network retries should not create duplicate scans. Include an Idempotency-Key header on POST requests, and if the same key is sent within 24 hours, you get back the original response. No duplicate work.
IP Whitelisting
Lock your API key to specific IP addresses or CIDR ranges. Requests from any other IP get rejected immediately. One less thing to worry about if a key leaks.
Bulk Scanning
Submit up to 100 surface scans in a single request. Useful for nightly sweeps across your entire fleet.
Tier Options
Tiers are based on volume. Pick the one that matches your client count.
| Tier | Surface Scans/min | Deep Scans/min | Monthly Surface | Monthly Deep | Monthly Cleanup |
|---|---|---|---|---|---|
| Starter | 5 | 1 | 500 | 50 | 5 |
| Growth | 10 | 2 | 2,000 | 200 | 20 |
| Scale | 20 | 5 | 10,000 | 1,000 | 100 |
| Enterprise | 50 | 10 | 50,000 | 5,000 | 500 |
Need something custom? Enterprise tier limits are flexible based on your contract.
Partner Portal
Every partner also gets a web portal at wpvanguard.com/partner where you can monitor usage, view scan results, check API logs, and manage your account without writing code.
Use Cases
Managed WordPress hosting. Run surface scans on every new site during provisioning. Schedule nightly deep scans for all active sites. Trigger cleanup automatically when critical issues are detected.
Agency maintenance plans. Include monthly security scans in your retainer packages. Show clients a dashboard of their security grade over time. Catch infections before they turn into emergencies.
WordPress management platforms. Add a "Security" tab to your platform UI. Let your users trigger scans and view results without leaving your app.
WooCommerce hosting. E-commerce sites handle payment data and need PCI-aware security checks. Surface scans catch exposed admin pages, weak headers, and outdated software before they become compliance problems.
What Makes This Different
We are not selling a WordPress plugin. There is nothing to install on the client's site for surface scans. Your platform makes an API call, we scan the site from the outside, and you get structured JSON results. For deep scans, you provide SSH access once and we handle the rest.
The scanner runs our own vulnerability database with 38,000+ CVEs sourced from Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net. It checks 48+ malware signatures, 23 exposed path patterns, 11 blacklist services, and validates security headers and SSL certificates.
Results are actionable. Every issue comes with a severity level, a description, and a recommendation. Your support team can act on them without being security experts.
Getting Started
The Partner API is available by contract. There are no self-serve signups - we work with you to set up the right tier and onboard your integration properly.
To get started, email partner@wpvanguard.com with:
- Your company name and website
- How many WordPress sites you manage
- What you want to integrate (surface scans, deep scans, cleanup, or all three)
We will get you set up within 24 hours.
Full API documentation is available at wpvanguard.com/docs/partner-api.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.