Every WordPress management tool asks you to install a plugin. We don't. Here's why that matters for your sites' speed, security, and reliability.
Tools like ManageWP, WP Umbrella, MainWP, and InfiniteWP all require a "connector" plugin installed on every WordPress site you manage. That plugin runs PHP on every single page request, exposes API endpoints, stores authentication tokens in your WordPress database, and adds another dependency you need to keep updated. That's the price of convenience — or so they say.
The connector plugin loads on every page request. It hooks into WordPress, checks for commands, and phones home to the management server. That's PHP execution time added to every visitor's experience.
These plugins register REST API or admin-ajax endpoints that accept commands from the management service. Those endpoints are reachable from the public internet — and they've been exploited before.
The plugin stores authentication tokens in the WordPress database. If someone compromises the database (SQL injection, leaked backup), they get access to your management tool's connection.
The connector plugin itself needs regular updates. If you forget to update it, you're running vulnerable code on your production sites. If you do update it, there's a chance it breaks something.
If your WordPress site has a fatal PHP error, the connector plugin can't run either. That means your management tool can't report the problem or help you fix it when you need it most.
WordPress plugins can conflict with each other. Security plugins may block the management plugin's requests. Caching plugins may serve stale responses. The connector plugin becomes another moving part.
WPGrip connects to your server the same way you do — via SSH. No code installed on WordPress. No endpoints exposed. No database tokens. Just a cryptographic key pair that gives WPGrip access to run WP-CLI commands on your server.
When we need to check for updates, we SSH in and run wp plugin list. When we back up your database, we SSH in and run mysqldump. When we deploy code, we SSH in and run git pull. Every operation goes through the same encrypted tunnel.
SSH (Secure Shell) has been the standard for secure remote server access since 1995. Every hosting provider supports it. Every server ships with it. The protocol is reviewed, audited, and hardened by the global security community.
When WPGrip connects to your server, it uses the same encrypted tunnel that you use when you SSH in from your terminal. The connection is authenticated with a cryptographic key pair — no passwords transmitted, no tokens stored in databases.
Revoking access is trivial: delete one line from your ~/.ssh/authorized_keys file. No plugin to deactivate across dozens of sites. No dashboard settings to change. One line, one file, done.
Compare that to plugin-based tools where access tokens live in your WordPress database, API endpoints stay registered in your WordPress installation, and revoking access means logging into every site's admin panel individually.
Plugin-based tools send HTTP requests to your WordPress site, which triggers a full WordPress bootstrap (loading all plugins, themes, and hooks) before executing the management command. Then the response travels back over HTTP.
WPGrip runs WP-CLI directly on the server. WP-CLI is purpose-built for CLI execution — it skips unnecessary WordPress bootstrapping and outputs results directly. No HTTP overhead. No unnecessary plugin loading.
No. WPGrip needs SSH access as the user that owns the WordPress files. This is the same user you use for SFTP or when you SSH in to manage the site manually.
WPGrip requires SSH access. Most professional hosting providers (VPS, dedicated, managed WordPress) include SSH. If your hosting doesn't offer SSH, it may be time to consider a provider that does.
Most managed WordPress hosts include WP-CLI. If it's not installed, you (or your hosting provider) can install it in under a minute. WPGrip checks for WP-CLI during the first connection.
Remove the WPGrip public key from ~/.ssh/authorized_keys on your server. One line, one file. Access is revoked immediately.
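The revocation step described above, as an added shell example (not WPGrip's own code): it removes a key from an authorized_keys file by matching the key blob rather than the trailing comment, so relabelled or option-prefixed copies of the same key are removed too. The function names, file names and key blobs are constructed for illustration.

```shell
# Added example. Revoke one key from an authorized_keys file by its key blob.
# Usage: revoke_key AUTH_FILE PUBKEY_FILE ; prints how many entries were removed.
revoke_key() {
    auth_file=$1
    pub_file=$2
    # Field 2 of an OpenSSH .pub file is the base64 key blob.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || { echo "no key blob in $pub_file" >&2; return 2; }

    # Count entries carrying that blob as a whole field. Matching the blob
    # instead of the comment also finds relabelled copies and entries that
    # start with options such as from="..." or command="...".
    removed=$(awk -v b="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == b) { n++; break } }
        END { print n + 0 }' "$auth_file")
    if [ "$removed" -eq 0 ]; then echo 0; return 1; fi

    cp -p "$auth_file" "$auth_file.bak" || return 2    # keep a rollback copy
    tmp=$(mktemp "$auth_file.XXXXXX") || return 2      # mktemp creates it 0600
    awk -v b="$blob" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
        !hit { print }' "$auth_file" > "$tmp" || { rm -f "$tmp"; return 2; }
    chmod 600 "$tmp" && mv "$tmp" "$auth_file" || return 2   # rename in place
    echo "$removed"
}

# Constructed sample data: placeholder blobs, not real keys.
make_sample() {
    dir=$1
    tool='AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDtoolKEY0000000000000000000000000'
    admin='AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDadminKEY000000000000000000000000'
    printf 'ssh-ed25519 %s management-tool\n' "$tool" > "$dir/tool.pub"
    {
        printf 'ssh-ed25519 %s admin@laptop\n' "$admin"
        printf 'ssh-ed25519 %s management-tool\n' "$tool"
        printf 'from="203.0.113.10" ssh-ed25519 %s renamed-copy\n' "$tool"
    } > "$dir/authorized_keys"
}

# Demo on the constructed files in a scratch directory: prints 2
d=$(mktemp -d) && make_sample "$d" && revoke_key "$d/authorized_keys" "$d/tool.pub"
rm -rf "$d"
```

Removing the entry blocks new logins with that key; SSH sessions that are already open keep running until they are closed. The .bak copy still contains the key but is not a file sshd reads by default, so delete it once the change is confirmed.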
The initial setup takes 2 minutes: copy an SSH key, paste it into your server's authorized_keys file. After that, everything works the same way — except your WordPress stays clean and fast.
Free trial. No credit card. No plugins to install.