
C2PA WordPress Plugin: Auto-Sign Media on Upload
Definition: The Original Pictures WordPress integration hooks into the media-upload pipeline so every image is signed with a manifest, watermark, and anchor as it is added, with no change to the editorial workflow.
TL;DR: WordPress runs a large share of the web and dominates newsroom CMS. Hooking wp_handle_upload to call the signing API auto-signs media on upload, so provenance is added without retraining editors.
Hook the upload pipeline
WordPress fires filters during media upload. Hooking wp_handle_upload lets the plugin intercept each file, call the signing API, and store the returned manifest and verify URL alongside the attachment. Editors upload as usual; signing happens transparently.
Why it fits publishers
Newsrooms and publishers run heavily on WordPress. Auto-signing at upload means every published image carries provenance with zero added steps for the editorial team, which is the difference between a policy that sticks and one that does not.
Display and verification
The plugin can surface a verified badge on the front end and link to the open verifier. Because the watermark survives re-encoding, the manifest pointer is recoverable even after a social platform strips metadata downstream.
Implementation
<?php add_filter('wp_handle_upload', function ($upload) { $res = wp_remote_post('https://api.originalpictures.com/v1/sign', [ 'headers' => ['Authorization' => 'Bearer ' . OP_API_KEY], 'body' => ['asset' => curl_file_create($upload['file']), 'producer' => get_bloginfo('name'), 'watermark' => 'trustmark', 'anchor' => 'true'], ]); $data = json_decode(wp_remote_retrieve_body($res), true); update_post_meta_by_file($upload['file'], 'op_manifest', $data['manifest_url']); return $upload; });
FAQ
Does it slow uploads?
Signing adds well under a second per image and can be queued asynchronously so the editor is not blocked.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: Hook the WordPress upload pipeline to auto-sign media, adding provenance to every published image with no editorial workflow change.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.