One agent on your site. One control plane. Five jobs running continuously.
HBM Rocket runs on a hub and spoke model. Your sites stay yours. The control plane signs every request with HMAC and never serves visitor traffic. The agent does the optimization work locally, the cloud does the heavy compute.
Install the agent on every site
A small PHP plugin on each WordPress install. Mirrors HBM's existing security connector pattern. Activate, paste a per site secret, the heartbeat begins.
- About 15 KB compressed
- PHP 7.4 plus, WordPress 6.0 plus
- WP-CLI native: wp hbm-rocket sync
Heartbeat every five minutes
The agent reports environment, version, and recent stats. The control plane updates the site row, opens or closes alerts, and decides what artifacts the agent needs.
- HMAC SHA256 signed payload
- Replay protected (300s window)
- Auto upgrades flags from the dashboard
Workers run heavy compute
Lighthouse audits, Penthouse critical CSS, Coverage based unused CSS. Each job claims a Puppeteer pool, runs against the real site URL, writes artifacts.
- BullMQ on Redis, retried with backoff
- Idempotent: same input, same output
- Concurrency tuned per host
Artifacts pushed back to the agent
On the next heartbeat, the agent pulls the active config bundle: critical CSS for each detected template, the JS delay list, preconnect hints, and feature flags.
- Hash compared, only deltas applied
- Stored in wp_options, served from PHP
- Versioned and rollback safe
Audited again, alerts on regression
Nightly Lighthouse re run. Self heal kicks in if a metric drops past target. Alerts opened only if self heal fails twice in a row.
- Audit history charted per site
- CrUX RUM ingest when available
- Email or Slack delivery
From content change to optimized cache, in under a minute.
Save post on origin
WordPress fires save_post.
Event sent to control plane
HMAC signed, queued for purge.
Purge graph executed
Post, taxonomy, home, feed, sitemap.
Cache warmup queued
Top URLs crawled in parallel.
Audit on next cycle
Score and CWV captured.
HMAC signed agents. No credentials shared. Per site rotation.
Per site HMAC secrets
Each site has its own 64 character hex secret used to sign every request. Rotate from the dashboard with one click. The new secret is propagated on next heartbeat.
Replay protection
Every signed request includes a unix timestamp. We reject anything outside a 300 second window. The signature covers the timestamp so it cannot be reused.
Read only by default
The agent never writes to your filesystem outside its own option keys. It never inspects user data. It never proxies visitor traffic. The control plane never logs in.
Self host the entire stack.
The Enterprise tier ships the same Node services we run, the same Postgres schema, the same Redis queues, and the same WordPress agent. Run it in your data center, your data never leaves.