Cryptographic post signing and verification for WordPress

by mvpprojects · Feb 23, 2026 · 1 point · 0 comments

AI Analysis

Mid · Niche Gem

Solves a real WordPress hosting pain (no FTP for security.txt), but feature creep dilutes focus.

Strengths
  • Wire-protocol agnostic solution: manages files that normally require FTP access via WordPress admin only
  • Append-only changelog + UUID tracking gives genuine audit trail for compliance workflows
  • Multiple hash algorithms (SHA-256, BLAKE3, HMAC) exceed standard document-signing use cases
Weaknesses
  • Feature bloat: document management, sitemaps, HMAC, and Git anchoring in one plugin feels unfocused
  • Fewer than 10 active installations—narrow audience (WordPress admins who need root-level file management)
Target Audience

WordPress site admins, security-conscious bloggers, compliance officers on managed hosting.

Similar To

Yoast SEO (SEO file management subset) · manual Git-based workflow

Post Description

ArchivioMD + ArchivioID — Markdown file management, cryptographic post signing, and Git-anchored integrity for WordPress

In February 2023, a developer named James Tomasino wrote about signing blog posts with GPG keys and ended with one line:

"If you're using WordPress, you'll need to find some other path forward."

That sat unanswered for two years. I built the path forward — and the foundation it runs on. Two GPL plugins.

ArchivioMD solves a problem every WordPress site on managed hosting hits eventually: you need files at the site root (security.md, privacy.md, disclosure.md, robots.txt) and you have no FTP access to put them there.

The plugin manages 30+ predefined Markdown documents from the WordPress admin, writes them to wherever the server will accept them (.well-known/meta-docs/, site root, uploads fallback), and serves them via WordPress rewrite rules so they appear at the correct URL regardless of physical location. Every document gets a UUID, a checksum, and an append-only changelog. No more one-off file placements nobody can audit or reproduce.

On top of that: cryptographic hash verification for posts (SHA-256 through BLAKE3, HMAC mode, hash_equals() throughout), external Git anchoring that pushes JSON integrity records to GitHub or GitLab via a persistent queue with exponential backoff, HTML rendering of Markdown files, compliance tooling, and sitemap management.

ArchivioID is the OpenPGP signing extension. Authors sign posts locally with their own GPG key — private key never touches the server.

A badge appears on published posts. Any reader can verify with standard GPG tools, no WordPress required. Server-side verification handles Ed25519 via libsodium, RSA and ECDSA via phpseclib v3. Browser signing via OpenPGP.js for editors who aren't comfortable with a terminal. Full audit log with CSV export. The proof outlives the platform.

ArchivioMD (WordPress.org): https://wordpress.org/plugins/archiviomd

ArchivioMD (GitHub): https://github.com/MountainViewProvisions/archiviomd

ArchivioID (GitHub): https://github.com/MountainViewProvisions/ArchivioID/release...

PHP 7.4+, WordPress 6.0+, phpseclib v3, OpenPGP-PHP, OpenPGP.js, libsodium, GPL-2.0.
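The post hash verification described in the post (plain digest or HMAC mode, compared with hash_equals()), as an added example that is not code from ArchivioMD or ArchivioID. The record layout, function names, algorithm allow-list and canonicalization rule are assumptions made for illustration.

```php
<?php
// Added illustration, not code from ArchivioMD or ArchivioID. The record layout,
// function names, allow-list and canonicalization rule are assumptions.
const ALLOWED_ALGOS = ['sha256', 'sha512', 'sha3-256'];

// Normalize line endings and trailing whitespace so equal text hashes equally.
function canonicalize(string $content): string {
    return rtrim(str_replace(["\r\n", "\r"], "\n", $content)) . "\n";
}

// Build an integrity record. With a key the digest is an HMAC, so someone who can
// rewrite both the stored content and the record cannot forge a match without it.
function make_record(string $content, string $algo, ?string $key = null): array {
    if (!in_array($algo, ALLOWED_ALGOS, true) || !in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("unsupported algorithm: $algo");
    }
    $data   = canonicalize($content);
    $digest = $key === null ? hash($algo, $data) : hash_hmac($algo, $data, $key);
    return ['algo' => $algo, 'mode' => $key === null ? 'hash' : 'hmac', 'digest' => $digest];
}

// Recompute from the record's declared algorithm and mode, compare in constant time.
function verify_record(string $content, array $record, ?string $key = null): bool {
    $algo   = $record['algo'] ?? null;
    $mode   = $record['mode'] ?? null;
    $digest = $record['digest'] ?? null;
    if (!is_string($algo) || !is_string($digest)) return false;
    if ($mode !== 'hash' && $mode !== 'hmac') return false;
    if ($mode === 'hmac' && $key === null) return false; // never downgrade to a plain hash
    try {
        $expected = make_record($content, $algo, $mode === 'hmac' ? $key : null)['digest'];
    } catch (InvalidArgumentException $e) {
        return false; // record names an algorithm outside the allow-list
    }
    return hash_equals($expected, strtolower($digest));
}

// Constructed sample data.
$key   = 'constructed-demo-key-not-a-real-secret';
$post  = "Hello, world.\r\nSecond line.  \n";
$plain = make_record($post, 'sha256');
$hmac  = make_record($post, 'sha256', $key);

var_dump(verify_record("Hello, world.\nSecond line.", $plain));      // differs only in line endings
var_dump(verify_record("Hello, world!\nSecond line.", $hmac, $key)); // content edited after signing
var_dump(verify_record($post, $hmac, 'wrong-key'));                  // verifier holds a different key
var_dump(verify_record($post, $hmac));                               // HMAC record, no key supplied
```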