Home Developer Docs Webhook Events

Webhook Events

Configure HTTP endpoints to receive real-time notifications about your managed WordPress sites. All payloads are signed and delivered with exponential backoff retry logic.

Configuration & Setup

🔗 Endpoint URL

Set your webhook URL in Dashboard → Integrations → Webhooks. Endpoints must accept `POST` requests and respond with a `2xx` status code within 5 seconds.

Wp Admin sends webhook payloads as JSON with the `Content-Type: application/json` header. Each request includes an authentication header for signature verification.

HTTP Request Headers 
POST /your-webhook-endpoint HTTP/1.1
Host: yourdomain.com
Content-Type: application/json
X-WpAdmin-Signature: sha256=a1b2c3d4e5f6...
X-WpAdmin-Timestamp: 1698765432
User-Agent: WpAdmin-Webhook/2.0

Event Catalog

The following events are triggered by system actions, security scans, and maintenance jobs across your managed WordPress properties.

Event Name Type Description Trigger Condition
backup.completed Success Full or incremental backup finished successfully. After backup job completes without errors
backup.failed Error Backup process encountered a critical failure. Storage quota exceeded, DB lock, or timeout
security.threat.detected Alert Malware, suspicious file, or brute force attempt detected. Real-time WAF/Scanner trigger
plugin.update.failed Error Automatic plugin or theme update failed during staging test. Staging environment health check failed
performance.score.changed Metric Core Web Vitals or page speed score dropped below threshold. Daily performance audit
site.uptime.down Alert Site failed consecutive health checks. 3 failed checks within 60 seconds
site.uptime.recovered Recovery Site returned to healthy state after downtime. 3 consecutive successful checks
system.maintenance.window System Scheduled infrastructure or WordPress core maintenance. 1 hour before scheduled window

Payload Examples

security.threat.detected

Alert
Triggered when our security scanner identifies a potential vulnerability or unauthorized file modification.
JSON Payload 
{
  "event": "security.threat.detected",
  "timestamp": "2024-01-15T14:32:00Z",
  "site_id": "wp_prod_88a2c1",
  "site_url": "https://example.com",
  "data": {
    "threat_type": "suspicious_file",
    "severity": "high",
    "file_path": "/wp-content/uploads/cache/eval.php",
    "action_taken": "quarantined",
    "hash_md5": "d41d8cd98f00b204e9800998ecf8427e"
  }
}

backup.completed

Success
Sent after a successful full site backup including database, uploads, and custom files.
JSON Payload 
{
  "event": "backup.completed",
  "timestamp": "2024-01-15T03:00:00Z",
  "site_id": "wp_prod_88a2c1",
  "data": {
    "backup_id": "bkp_992834710",
    "type": "full",
    "size_mb": 245.8,
    "duration_sec": 142,
    "storage_location": "s3://wpadmin-backups/prod/",
    "checksum_sha256": "e3b0c44298fc1c149afbf4c8996fb924..."
  }
}

Security & Verification

All webhook payloads are signed using HMAC-SHA256. Verify signatures server-side to ensure requests originate from Wp Admin.

Node.js Signature Verification 
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  
  return crypto.timingSafeEqual(
    Buffer.from(signature.replace('sha256=', '')),
    Buffer.from(expected)
  );
}

🔄 Retry Policy

If your endpoint fails to respond with a `2xx` status, Wp Admin retries delivery using exponential backoff: 30s, 2m, 10m, 30m, 2h, 8h. After 6 failed attempts, the event is marked as failed in your dashboard.