@mrdarrengriffin
Last active December 22, 2023 11:16
WP Manager Docs

Overview

This document outlines the technical specification for the WP Manager project. It is intended to be a living document that will be updated as the project evolves.

Project Description

WP Manager (name likely to change during scoping phase) is a project that allows centralised management of WordPress websites alongside integrations with third-party services such as GitHub, Cloudflare, WPEngine and BitBucket.

There are a few core principles for this app:

  • "WP Manager" is to remain Open Source and will most likely be licensed under a Creative Commons license.
  • When interfacing with WordPress, it must use the WordPress REST API. No other form of communication is permitted (e.g. AJAX routes, direct database access, etc.). This is to ensure that the app conforms to the WordPress coding standards.
  • Any sensitive credential must be stored in the server database using a password-based encryption method. This includes API tokens, database credentials, etc. The recommended method is AES-256-CBC with Argon2.
  • Communication with both the WordPress and third-party APIs must be proxied through the server for authorisation injection. This is to ensure that no sensitive data is exposed to the front-end app and that the server can enforce rate limiting.
  • The server should not store any data other than what is required to operate the API to the expected standard. The front-end app may store data locally (e.g. via local storage) for caching purposes but it should not be relied upon.

Architecture

Client-side (VueJS)

Frameworks/Libraries: The app should be running VueJS v3.3 or above. At present, there are no external libraries that the app depends on. However, the following libraries have been considered:

  • SimpleWebAuthn - To provide passkey support / passwordless authentication (not a priority at this stage).

User Interface: The app should have a clean, modern interface that is easy to use. It should default to a dark theme but respect the user's system preferences (e.g. dark/light mode) where possible. Whilst this app is primarily made for use on desktop, it should be responsive and usable on mobile devices.

Data Handling: The client app must not store any data from API responses locally unless it is deemed necessary for the app to function. The server may cache some data due to uncontrollable factors (e.g. rate limiting), but the client app should still not pre-emptively cache responses, so that there is a single source of truth.

Routing: The app should use the Vue Router library to handle routing using the HTML5 history API. The app should always be usable by navigating directly to a specific route (e.g. /dashboard) without having to click through the app. The app should also handle deep linking (e.g. /dashboard/site/123) and invalid routes (e.g. /dashboard/site/123/invalid).

Server-side (Node JS / Express JS / MongoDB)

Frameworks/Libraries: The server should be running NodeJS v21.4 or above. It should use the new .env file format for storing environment variables introduced in NodeJS v20.4 to avoid loading libraries such as dotenv. The server should use ExpressJS v4.18 or above to handle routing and will use the common Model-View-Controller (MVC) pattern for structuring the app. The server should use MongoDB v7.0 or above as the database engine and should use the Mongoose library to interface with the database.

WordPress Integration

WordPress Version: The app should be compatible with WordPress sites running version v5.6 or above*. Sites running older versions of WordPress will not be supported due to the lack of support for Application Passwords.

*Providing the site doesn't restrict the use of the REST API or Application Passwords (e.g. Wordfence)

Authentication: Authenticating a WordPress site must be done via Application Passwords, which guide the user through authorising an application password specifically for this app. During authentication, the app gives WordPress a unique identifier that is consistent for this project as a whole, so that the application passwords on a site that belong to this app can be identified. The callback URL for the authorisation must go to the server for encryption and storage. The server will then redirect the user back to the corresponding route on the client app.

Panic Mode: Although the server uses zero-knowledge encryption when storing user credentials, an attacker could still obtain a user's app password, or a user of this app could abuse their privileges. To mitigate this, the app should use the Delete Application Password API route so that other users can revoke that access to the app.

Permissions: Since the app uses Application Passwords for authentication, WordPress naturally inherits the permissions of the user that created the application password. This means that the app can only perform actions that the user can perform.

Third-Party API Integrations

Deployment

Security
