Developer reference
SteadyScore is built as a standalone product, not as an extension platform — there is no large public hooks API in v1.0.0. A small set of filter hooks is available so site owners and agencies can tune timeouts, batch sizes, and cache lifetimes for their environment.
Filter hooks
All hooks are namespaced under the steadyscore_ prefix. Each one is documented inline in the codebase at the call site.
steadyscore_wporg_timeout
HTTP timeout for outbound requests to the WordPress.org plugin API.
| Default | 15 seconds (2 seconds during the initial-population batch) |
| Type | int (seconds) |
| Use when | The WordPress.org API is slow from your network and you want to give it more time before SteadyScore gives up on a request. |
```php
add_filter('steadyscore_wporg_timeout', function ($seconds) {
    return 30;
});
```
steadyscore_wordfence_timeout
HTTP timeout for outbound requests to the Wordfence Intelligence API.
| Default | 15 seconds |
| Type | int (seconds) |
```php
add_filter('steadyscore_wordfence_timeout', function ($seconds) {
    return 30;
});
```
steadyscore_chunk_size
Batch size for background jobs. The initial-population job, the background refresh job, and the author-reputation recalculation job all process plugins in chunks of this size, scheduling the next chunk via Action Scheduler.
| Default | 10 plugins per chunk |
| Type | int |
| Use when | Lower the value on memory-constrained shared hosting; raise it on a fast box where you want scoring to finish sooner. |
```php
add_filter('steadyscore_chunk_size', function ($size) {
    return 5;
});
```
steadyscore_sync_budget
Maximum number of outbound API requests SteadyScore will make in a single sync invocation. Used by the data sync service as a safety valve so runaway runs cannot hammer upstream APIs.
| Default | 20 requests per sync invocation |
| Type | int |
```php
add_filter('steadyscore_sync_budget', function ($budget) {
    return 50;
});
```
steadyscore_cache_ttl
TTL (in seconds) for cached upstream data. The filter receives the proposed TTL and the data-source slug so you can override per source.
| Default | 7 days for wporg, 3 days for wordfence, 1 day for steadypress (Pro), 7 days for codecanyon (Pro) |
| Type | int (seconds), string $dataSource second argument |
| Use when | You want longer caches on a quiet site, or shorter caches on a development site where you want every change reflected fast. |
```php
add_filter('steadyscore_cache_ttl', function ($ttl, $dataSource) {
    if ($dataSource === 'wordfence') {
        return DAY_IN_SECONDS; // 24 hours for Wordfence
    }
    return $ttl;
}, 10, 2);
```
REST API
SteadyScore exposes a REST namespace at /wp-json/steadyscore/v1/. Every route requires the manage_options capability except the Google OAuth callback, which is public so the browser can complete the redirect.
| Route | Method | Purpose |
|---|---|---|
| /status | GET | Poll initial-population and refresh progress. |
| /settings | POST | Save dashboard, display, and Wordfence settings. |
| /settings/monitoring | POST | Save monitoring schedule and alert configuration (Pro). |
| /license/activate | POST | Activate a Pro license against the SteadyPress API. |
| /license/deactivate | POST | Release the license slot for this site. |
| /data/delete-all | POST | Truncate every SteadyScore table and clear every SteadyScore option. |
| /ai/scan | POST | Trigger an AI analysis run for all plugins (Pro). |
| /ai/results | GET | Fetch latest AI analysis results (Pro). |
| /export/google-sheets | POST | Export the dashboard view to a Google Sheet (Pro). |
| /oauth/google/initiate | POST | Start the Google OAuth flow (Pro). |
| /oauth/google/callback | GET | OAuth callback handler. |
The REST API is considered internal to the plugin's admin UI in v1.0.0 — the contract may evolve in future releases without deprecation. If you have a use case that needs a stable public REST contract, please contact us at https://steadypress.ai/contact/?subject=SteadyScore so we can scope it before locking the interface.
PSR-4 autoloading
The plugin uses Composer's PSR-4 autoloader. Free classes live under SteadyPress\SteadyScore\ (mapping to includes/base/ and includes/free/); Pro classes live under SteadyPress\SteadyScore\Pro\ (mapping to includes/pro/). The Pro autoload entry is stripped from the free build.
Action Scheduler hooks
Background jobs are registered against Action Scheduler hooks. These are implementation details rather than a public extension surface, but if you are debugging in Tools → Scheduled Actions, you will see them as:
| Hook | Job class | What it does |
|---|---|---|
| steadyscore_initial_population_batch | InitialPopulationJob | Detects, paths, fetches, and scores every installed plugin. Self-chains until done. |
| steadyscore_background_refresh | BackgroundRefreshJob | Re-fetches expiring cache entries and re-scores affected plugins. |
| steadyscore_author_reputation_recalc | AuthorReputationRecalcJob | Recalculates author reputation across all scored plugins. |
| steadyscore_pruning | PruningJob | Weekly cleanup of expired cache rows and old refresh metadata. |
| steadyscore_scheduled_monitoring | ScheduledMonitoringJob (Pro) | Runs the monitoring cadence and evaluates alert triggers. |
| steadyscore_ai_analysis_job | AiAnalysisJob (Pro) | Calls the SteadyPress API to run AI analysis on a batch of plugins. |
Database schema
SteadyScore owns six tables under your existing WordPress table prefix:
- <prefix>_steadyscore_plugins — inventory of detected plugins.
- <prefix>_steadyscore_refreshes — metadata for each refresh run.
- <prefix>_steadyscore_scores — per-plugin per-refresh scoring results.
- <prefix>_steadyscore_vulnerabilities — vulnerability records.
- <prefix>_steadyscore_data_cache — TTL-based cache of fetched upstream data.
- <prefix>_steadyscore_ai_results — Pro-only AI analysis results.

The schema is created via dbDelta() in Database/Migrator.php on activation. Uninstall drops all six tables.
Capability and security
Every admin screen, every REST endpoint (apart from the OAuth callback), and every settings save requires the manage_options capability. There is no separate custom capability — administrators have access; nobody else does.
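To confirm on your own site that no SteadyScore route other than the OAuth callback answers a logged-out visitor, the script below checks each route's permission callback. It is an added example, not part of SteadyScore: it uses only WordPress core functions, the file name is hypothetical, and it assumes the routes are registered under the paths listed in the REST API table.

```php
<?php
// Added example, not SteadyScore code. Run from the site root with:
//   wp eval-file audit-steadyscore-routes.php   (file name is hypothetical)
// It calls each route's permission_callback as a logged-out user and never
// invokes the route handler, so nothing is saved, deleted, or exported.

function steadyscore_audit_route_permissions(): array {
    $prefix    = '/steadyscore/v1/';
    $public_ok = array( '/steadyscore/v1/oauth/google/callback' ); // documented exception
    $findings  = array();

    $previous_user = get_current_user_id();
    wp_set_current_user( 0 ); // evaluate every check as an anonymous visitor

    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( strpos( $route, $prefix ) !== 0 ) {
            continue; // other namespaces and the namespace index route
        }
        foreach ( $handlers as $handler ) {
            foreach ( array_keys( $handler['methods'] ) as $method ) {
                $check = $handler['permission_callback'] ?? null;
                if ( empty( $check ) ) {
                    $open = true; // core treats a missing callback as public
                } else {
                    $result = call_user_func( $check, new WP_REST_Request( $method, $route ) );
                    // Same rule core applies: WP_Error, false and null all deny.
                    $open = ! is_wp_error( $result ) && false !== $result && null !== $result;
                }
                if ( $open && ! in_array( $route, $public_ok, true ) ) {
                    $findings[] = "$method $route allows logged-out access";
                }
            }
        }
    }

    wp_set_current_user( $previous_user ); // restore the original user context
    return $findings;
}

$findings = steadyscore_audit_route_permissions();
echo $findings ? implode( PHP_EOL, $findings ) . PHP_EOL : "OK: only the OAuth callback is public\n";
```

If the plugin is inactive, no routes match and the script still prints OK, so confirm SteadyScore is active before relying on the result.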
Pro requests to the SteadyPress API are signed with HMAC-SHA256 using a per-site secret returned at license activation. The signature is sent in the X-PTS-HMAC header. There is no API-key model — the HMAC is the only credential.
Source code
SteadyScore is licensed under GPL v2 or later. The free build is also distributed through the WordPress.org plugin directory.