A WordPress plugin for managing a Windows EC2 instance from the WordPress admin area.
This plugin provides a simplified admin interface for managing a Windows EC2 instance used as a remote desktop. It supports:
- Starting and stopping the EC2 instance
- Automatically managing RDP access rules
- Downloading RDP connection files
- Checking instance status from WordPress
- Storing AWS credentials in WordPress settings
This repository uses a hybrid layout:
wp-ec2-backoffice-plugin.phpat the repository root is the WordPress bootstrap file.src/contains the actual plugin source code, Composer files, assets, and tests.infrastructure/contains the AWS deployment assets.
- WordPress 5.0 or later
- PHP 7.4 or later with OpenSSL enabled
- Composer
- An AWS account with appropriate permissions
- The AWS infrastructure deployed first (see
infrastructure/)
git clone https://github.com/Mobile-hub/wp-ec2-backoffice-plugin.git
cd wp-ec2-backoffice-plugin
make installThis creates dist/wp-ec2-backoffice-plugin.zip, which can be uploaded from the WordPress admin panel.
Clone the repository into wp-content/plugins/, then install dependencies inside src/:
cd /path/to/wordpress/wp-content/plugins/
git clone https://github.com/Mobile-hub/wp-ec2-backoffice-plugin.git
cd wp-ec2-backoffice-plugin
composer install --working-dir=src --no-devBefore using the plugin, deploy the required AWS infrastructure. See infrastructure/README.md.
The CloudFormation template creates:
- A Windows Server 2022 EC2 instance
- An IAM user with limited permissions
- A security group for RDP access
- An auto-shutdown script to reduce costs
From the command line:
wp plugin activate wp-ec2-backoffice-pluginOr from the WordPress admin panel:
- Go to Plugins → Installed Plugins
- Find WP EC2 Backoffice Plugin
- Click Activate
-
In the WordPress admin panel, go to EC2 Backoffice in the sidebar.
-
Open the Configuration tab.
-
Fill in the values produced by the CloudFormation deployment:
- AWS Region: The region where you deployed the infrastructure (for example
us-east-1) - Access Key ID: The IAM access key ID created for the plugin
- Secret Access Key: The IAM secret access key created for the plugin
- Instance ID: The EC2 instance ID (for example
i-1234567890abcdef0) - Windows Password: The Windows Administrator password for the instance
- AWS Region: The region where you deployed the infrastructure (for example
-
Click Save Configuration.
-
Click Test Connection to verify that the credentials are valid.
After the CloudFormation stack is deployed, you can retrieve the required values with:
aws cloudformation describe-stacks \
--stack-name wp-ec2-backoffice \
--query 'Stacks[0].Outputs'Or from the AWS Console:
- Go to CloudFormation → Stacks
- Select your stack
- Open the Outputs tab
- Open EC2 Backoffice in the WordPress admin menu.
- In the Access and Control tab, review the current instance status.
- Click Start Instance.
- The plugin will:
- Detect your current public IP address
- Update the security group so RDP is only allowed from your current IP
- Start the EC2 instance
- Wait until the state changes to running. This usually takes 1–2 minutes.
Once the instance is running:
- Click Download RDP File.
- Open the downloaded file with your RDP client.
- When prompted, use:
- Username:
Administrator - Password: The Windows password configured in the plugin
- Username:
When you are done using the instance:
- Close your Remote Desktop session.
- In WordPress, click Stop Instance.
- The instance will stop and compute charges will stop accruing.
The instance can also stop automatically after 2 hours without active RDP sessions, depending on the infrastructure configuration.
The plugin refreshes the instance status automatically while the admin page is open. Supported states include:
- stopped
- pending
- running
- stopping
- terminated
Cause: The plugin cannot detect a valid public client IP.
Solution:
- Verify that your WordPress host can access the internet
- If your site is behind a trusted reverse proxy, make sure your proxy configuration is explicit and reliable
- Verify that
$_SERVER['REMOTE_ADDR']is available on the server
Cause: The configured access key or secret key is invalid.
Solution:
- Open the Configuration tab.
- Verify the credentials copied from the CloudFormation outputs or Secrets Manager.
- Make sure no leading or trailing spaces were pasted.
- Click Test Connection again.
Cause: The IAM user does not have the required permissions.
Solution:
- Verify that the CloudFormation stack completed successfully
- Confirm that the IAM policy is attached as expected
- Review the infrastructure documentation in infrastructure/README.md
Cause: Several AWS-side issues can cause this.
Solution:
- Check the instance status in the AWS EC2 console.
- Review any relevant CloudWatch logs.
- Make sure the instance has not been terminated.
- Check whether your AWS account hit service quotas.
Cause: The security group rule or your client network may be blocking access.
Solution:
- Confirm that your current public IP matches the one expected by the plugin.
- If your IP changed, start the instance again so the rule is refreshed.
- Verify in AWS that port 3389 is allowed from your current IP.
- Confirm that your local firewall allows outbound RDP traffic.
Cause: The AWS SDK for PHP is missing.
Solution:
cd /path/to/wordpress/wp-content/plugins/wp-ec2-backoffice-plugin
composer install --working-dir=src --no-devCause: The auto-shutdown script or scheduled task is not running as expected.
Solution:
- Connect to the instance over RDP.
- Open Event Viewer.
- Review Windows Logs → Application.
- Filter for the
WP-EC2-AutoShutdownsource. - Confirm that the task is running every 15 minutes.
- If necessary, inspect the Windows Task Scheduler configuration.
- Use HTTPS for WordPress admin access.
- Restrict plugin access to trusted administrators only.
- Rotate IAM credentials periodically.
- Monitor AWS usage and logs regularly.
- Keep WordPress, PHP, and the plugin dependencies updated.
- The AWS secret access key is encrypted before being stored in WordPress.
- The encryption key is derived from WordPress salts.
- Sensitive values are no longer rendered directly into the admin DOM on page load.
- RDP access is restricted to the current public IP detected by the plugin.
- Security group rules are refreshed automatically when the instance is started.
- Old plugin-managed rules are removed to avoid stale IP allow-lists.
See infrastructure/README.md for deployment details.
composer install --working-dir=src
src/vendor/bin/phpunit --configuration src/phpunit.xmlThis project is licensed under the MIT License. See LICENSE for details.
Contributions are welcome. Please open an issue or a pull request on GitHub.
To report a bug or request a feature, open an issue on GitHub.
- AWS SDK for PHP
- WordPress Plugin API