AxioRankDocs
Integrations

WordPress

Verify the AI agents that reach your WordPress REST API, admin, and dynamic endpoints with the AxioRank Agent Verification plugin. A thin client of the inbound verify endpoint, with monitor and enforce modes.

Most AxioRank integrations govern the calls your agents make outbound. The WordPress plugin is on the inbound side: it verifies the AI agents reaching into a website surface you operate. It is a thin client of the verify endpoint, so each protected request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict is applied in WordPress. There is no PHP SDK to install and no local model.

An API verifier, not a crawler blocker

Full-page-cached pages are served before PHP loads, so the plugin never sees them. That is by design: it governs the surface that actually reaches PHP, your REST API (/wp-json), admin-ajax, XML-RPC, login, search, and any signed or bot-like request. To challenge crawlers on cached pages, verify at the edge (in front of the cache) instead.

Install

  1. Register a website surface in AxioRank under Settings, Surfaces (or with POST /api/surfaces) and copy its site key (axr_site_...), distinct from your agent key.

  2. Install and activate the AxioRank Agent Verification plugin.

  3. Open Settings, AxioRank and paste the site key, or define it in wp-config.php for better hygiene:

    define( 'AXIORANK_SITE_KEY', 'axr_site_...' );

  4. Leave the mode on Monitor, save, and use Test connection to confirm AxioRank is reachable.

What gets verified

The plugin only forwards requests worth checking, so ordinary human page views never call out:

  • Any request carrying Web Bot Auth signature headers (always verified).
  • An enabled sensitive endpoint: REST (/wp-json), admin-ajax, XML-RPC, login, or search. Each is a toggle on the settings page.
  • Any request with a bot-like user-agent, which catches crawlers that reach PHP on a cache miss.

Each verified request is scored and logged in your AxioRank dashboard with the agent identity, verification method, and risk, exactly like any other inbound surface request.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict, but nothing is blocked. Watch the audit log to see what would have been challenged or blocked, then set both the AxioRank surface and the plugin to enforce. The plugin acts only when the response's own enforced flag is true, so the surface posture stays authoritative:

  • block returns 403 (a WP_Error for REST).
  • challenge returns 401.

Fail-open by design

Verification sits in the hot path of your own site, so it fails open. Only a rejected site key raises an admin notice; any timeout or transport failure resolves to an allow, so a verification outage never takes WordPress down.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the plugin speaks.

Slack

Add AxioRank to Slack with one click. Route high-risk AI-agent alerts to a channel, approve or deny held tool calls right in Slack, and run /axiorank for what needs attention.

Datadog

Stream the AxioRank governed audit log into Datadog and install the AxioRank tile for a prebuilt log pipeline, two dashboards, and four monitors. Watch agent governance next to the rest of your stack.

On this page

InstallWhat gets verifiedMonitor first, then enforceNext steps