Announcements · 5 min read

WP Vanguard Partner API - Security Scanning for Agencies and Hosting Companies

By WP Vanguard Team

WP Vanguard Partner API - Security Scanning for Agencies and Hosting Companies

If you manage 50, 500, or 5,000 WordPress sites, running security scans one at a time is not practical. You need an API that fits into your existing workflow, runs scans on your schedule, and reports results back to your platform automatically.

That is exactly what the WP Vanguard Partner API does.

What the Partner API Offers

The Partner API gives you programmatic access to the same scanning and cleanup tools available on our web dashboard. Everything runs through a simple REST API authenticated with an API key.

Surface scans check a site from the outside over HTTP. No server access needed. You get WordPress version detection, plugin and theme fingerprinting, vulnerability matching against 38,000+ CVEs, security header analysis, SSL validation, blacklist checks across 11 services, and an overall security grade from A to F.

Deep scans connect via SSH and examine the site from the inside. Core file integrity checks, plugin and theme verification against wordpress.org, malware signature scanning with 48+ detection patterns, uploads directory inspection, admin user auditing, database injection checks, and recently modified file analysis.

Malware cleanup removes infections, restores core files, hardens wp-config, and verifies the site is clean. Professional cleanup handled by our team.

How It Works

The integration is straightforward.

Step 1: Get your API key. We set up your partner account with the right tier for your volume. You receive an API key.

Step 2: Authenticate. Add your key to the X-Api-Key header on every request.

Step 3: Start scanning. A surface scan is one POST request:

curl -X POST https://wpvanguard.com/api/v1/scans/surface \
  -H "X-Api-Key: your_key" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://client-site.com"}'

You get back a scan ID and a poll URL. Check the status endpoint until the scan completes, or set up a webhook and we push the result to you.

Step 4: Read results. Fetch the full scan report with grades, issues by severity, and specific findings.

For deep scans, register your sites first with SSH credentials (encrypted at rest), then trigger scans against those sites.

Built for Production Workloads

Running scans at scale requires more than just endpoints. Here is what the Partner API includes out of the box.

Rate Limits and Quotas

Every response includes headers showing your current rate limit status and monthly quota usage:

X-RateLimit-Limit: 10
X-RateLimit-Remaining: 8
X-RateLimit-Reset: 1709301600
X-Quota-Limit: 2000
X-Quota-Remaining: 1847
X-Quota-Reset: 2026-03-31T23:59:59+00:00

Rate limits are per-minute. Quotas are per-month and reset on the 1st. You always know exactly where you stand.

Webhooks

Instead of polling for scan results, configure a webhook URL and we POST the result to you when the scan completes. Webhook payloads include an HMAC-SHA256 signature so you can verify they came from us. Failed deliveries retry automatically with exponential backoff.

Idempotency

Network retries should not create duplicate scans. Include an Idempotency-Key header on POST requests, and if the same key is sent within 24 hours, you get back the original response. No duplicate work.

IP Whitelisting

Lock your API key to specific IP addresses or CIDR ranges. Requests from any other IP get rejected immediately. One less thing to worry about if a key leaks.

Bulk Scanning

Submit up to 100 surface scans in a single request. Useful for nightly sweeps across your entire fleet.

Tier Options

Tiers are based on volume. Pick the one that matches your client count.

Tier Surface Scans/min Deep Scans/min Monthly Surface Monthly Deep Monthly Cleanup
Starter 5 1 500 50 5
Growth 10 2 2,000 200 20
Scale 20 5 10,000 1,000 100
Enterprise 50 10 50,000 5,000 500

Need something custom? Enterprise tier limits are flexible based on your contract.

Partner Portal

Every partner also gets a web portal at wpvanguard.com/partner where you can monitor usage, view scan results, check API logs, and manage your account without writing code.

Use Cases

Managed WordPress hosting. Run surface scans on every new site during provisioning. Schedule nightly deep scans for all active sites. Trigger cleanup automatically when critical issues are detected.

Agency maintenance plans. Include monthly security scans in your retainer packages. Show clients a dashboard of their security grade over time. Catch infections before they turn into emergencies.

WordPress management platforms. Add a "Security" tab to your platform UI. Let your users trigger scans and view results without leaving your app.

WooCommerce hosting. E-commerce sites handle payment data and need PCI-aware security checks. Surface scans catch exposed admin pages, weak headers, and outdated software before they become compliance problems.

What Makes This Different

We are not selling a WordPress plugin. There is nothing to install on the client's site for surface scans. Your platform makes an API call, we scan the site from the outside, and you get structured JSON results. For deep scans, you provide SSH access once and we handle the rest.

The scanner runs our own vulnerability database with 38,000+ CVEs sourced from Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net. It checks 48+ malware signatures, 23 exposed path patterns, 11 blacklist services, and validates security headers and SSL certificates.

Results are actionable. Every issue comes with a severity level, a description, and a recommendation. Your support team can act on them without being security experts.

Getting Started

The Partner API is available by contract. There are no self-serve signups - we work with you to set up the right tier and onboard your integration properly.

To get started, email partner@wpvanguard.com with:

We will get you set up within 24 hours.

Full API documentation is available at wpvanguard.com/docs/partner-api.

partner-api agencies hosting wordpress-security api

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog