=== InspectWP WordPress Connector ===
Contributors: inspectwp
Tags: monitoring, security, health-check, audit, site-health
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Connector plugin that links this site to your InspectWP account and sends a daily health snapshot of your WordPress data. The connector does not analyse anything itself.

== Description ==

InspectWP analyses WordPress sites from the outside (via crawl). This connector plugin closes the gaps that an external crawler cannot see by sending a daily health snapshot to InspectWP:

* Real WP core version, available updates, and core file integrity (against WordPress.org checksums)
* All installed plugins and themes with their versions, latest available versions, and update status
* PHP & MySQL versions, memory limit, debug flags, loaded extensions
* Database health (size, autoloaded options, transients, post revisions, spam comments)
* Configuration hardening flags (default DB prefix, default salts, FS_METHOD, DISALLOW_FILE_EDIT)
* Cron-job health (total jobs, overdue jobs, DISABLE_WP_CRON state)
* User counts (admins, total, dormant) — counts only, never names or emails
* Content health (post/page count, average revisions per post, top 5 posts by revision count — IDs only, no titles)
* Permalink structure (default permalinks hurt SEO and are easy to miss after a migration)
* Internal HTTPS configuration (home_url/siteurl scheme match, FORCE_SSL_ADMIN, count of insecure URLs in autoloaded options)

The plugin is opt-in and pairs to a specific InspectWP project using a one-time pairing code. All requests to the InspectWP API are signed with a per-site HMAC secret.

== How sync works ==

The plugin uses two complementary mechanisms so InspectWP always has up-to-date data:

* **Live pull (primary):** Whenever InspectWP runs a crawl of your site, it asks the plugin for a fresh snapshot via an HMAC-protected REST endpoint (`GET /wp-json/inspectwp/v1/snapshot`). This guarantees the report you see reflects the exact state of the site at crawl time.
* **Daily push (fallback):** Once a day the plugin also pushes a snapshot to InspectWP on its own. This fallback covers cases where the live pull cannot reach the site (Cloudflare, IP whitelists, restrictive firewalls) and ensures sites that are not crawled regularly still have recent plugin data available in the dashboard.

When the live pull succeeds, its data is authoritative and overrides crawl heuristics in the report. When the live pull fails, InspectWP transparently falls back to the most recent push snapshot and shows its age in the report banner.

== Installation ==

1. Install and activate the plugin.
2. In your InspectWP dashboard, open the project you want to connect and click "Connect plugin" to generate a pairing code.
3. In WordPress, go to **Tools → InspectWP**, paste the pairing code, click "Connect".
4. Done. The plugin will deliver a daily snapshot from then on. You can also click "Sync now" to push immediately.

== Frequently Asked Questions ==

= What data does the plugin send? =

A strict allow-list — only the fields documented under **Tools → InspectWP → Data**. No post content, no comments, no customer data, no passwords, no session tokens. Click "Snapshot preview" to see the exact JSON payload before the first sync.

= Where is the data sent? =

To `https://inspectwp.com/wp-plugin/v1/*`. You can override the base URL by defining `IWP_API_BASE` in `wp-config.php` (useful for staging environments).

= How can I disconnect? =

**Tools → InspectWP → Connection → Disconnect**. The plugin will tell the InspectWP backend to revoke this connection, clear local credentials, and stop the cron jobs.

= Does this work without WP-Cron? =

The daily snapshot relies on WP-Cron. If your site has very low traffic, set up a real Linux cron job hitting `wp-cron.php` to make the schedule reliable.

= Do I need an InspectWP account? =

Yes. The plugin pairs your WordPress site to a specific project in your InspectWP account. You can sign up for a free account at https://inspectwp.com/ — the plugin connection itself is a paid feature and requires an active premium plan.

= Can I run this on multiple sites? =

Yes. Each WordPress site pairs to one InspectWP project. One InspectWP account can have many projects and therefore many connected sites.

= How frequent are the snapshots? =

One snapshot per day plus a lightweight heartbeat every 6 hours. You can also push a snapshot on demand from the plugin's settings page.

= What happens if I disconnect? =

The plugin tells the InspectWP backend to revoke the connection, clears all local credentials, and removes its cron jobs. Snapshots already delivered remain visible in your InspectWP project so the historical data is preserved if you reconnect later.

== Screenshots ==

1. The connection tab in Tools → InspectWP, showing the pairing-code input.
2. The data tab listing exactly which fields the plugin sends and rendering a live JSON preview.
3. The schedule tab showing next snapshot and heartbeat times.

== Changelog ==

= 1.0.0 =
* Initial release.

== Privacy ==

The plugin sends a strict allow-list of technical health metrics to InspectWP. The full list is shown in the plugin's "Data" tab and a live preview of the exact JSON payload is rendered before the first sync. No personally identifiable user data is sent.
