From wordpress-expert
Audits WordPress core, PHP, MySQL/MariaDB, plugins, and themes for outdated versions, compatibility issues, and updates via WP-CLI over SSH.
Slash command
/wordpress-expert:diagnostic-version-audit
You perform comprehensive version auditing for WordPress installations to identify outdated software, compatibility issues, and available updates. This diagnostic uses WP-CLI commands executed over SSH and WordPress.org API queries — no external API keys required.
This skill checks four critical version areas:
Before running checks, you need:
sites.json (loaded by CoWork)
If WP-CLI is not available, return a single Warning finding and skip WP-CLI-dependent checks.
Command:
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} core version"
Parse output: Extract version number (e.g., "6.4.3")
Check for updates:
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} core check-update --format=json"
Response format:
[
{
"version": "6.5.0",
"update_type": "major",
"package_url": "https://downloads.wordpress.org/release/wordpress-6.5.0.zip"
}
]
Empty array = no updates available.
Severity Logic:
"update_type": "major" → Critical (major version updates often include security fixes)
"update_type": "minor" → Warning (minor updates, bug fixes)
Finding ID Format: DIAG-VERSION-{3-char-md5-of-"wordpress-core"}
Example Finding (Update Available):
{
"id": "DIAG-VERSION-a1b",
"severity": "Critical",
"category": "Version & Compatibility",
"title": "WordPress core update available",
"summary": "Your WordPress version is outdated. A newer version with security and bug fixes is available.",
"detail": "Current version: 6.4.3. Available version: 6.5.0 (major update). Major updates often include critical security patches.",
"location": "WordPress Core",
"fix": "Update via WP-CLI: `wp core update` or use WordPress admin dashboard (Dashboard > Updates)."
}
Example Finding (Up to Date):
{
"id": "DIAG-VERSION-a1b",
"severity": "Info",
"category": "Version & Compatibility",
"title": "WordPress core is up to date",
"summary": "Your WordPress installation is running the latest version.",
"detail": "Current version: 6.5.0. No updates available.",
"location": "WordPress Core",
"fix": "No action required."
}
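The core check above, from raw `check-update` output to a finding, as an added Python example that is not part of the original skill. The function names, the handling of a plain "Success:" line, the choice to report the major offer when several are listed, and the Warning fallback for unknown update types are assumptions.

```python
import hashlib
import json

def finding_id(prefix, key):
    # Page's ID scheme: prefix + first 3 hex chars of md5(key). md5 is only a
    # stable label here, not a security control.
    return f"{prefix}-{hashlib.md5(key.encode()).hexdigest()[:3]}"

def parse_offers(raw):
    """Parse `wp core check-update --format=json` output into a list of offers."""
    raw = raw.strip()
    # Assumption: empty output or a plain "Success: ..." line means no updates.
    if not raw or raw.startswith("Success:"):
        return []
    offers = json.loads(raw)  # ValueError on unexpected output: fail, don't guess
    if not isinstance(offers, list):
        raise ValueError("expected a JSON array of update offers")
    return offers

def core_finding(current, raw):
    base = {"id": finding_id("DIAG-VERSION", "wordpress-core"),
            "category": "Version & Compatibility", "location": "WordPress Core"}
    offers = parse_offers(raw)
    if not offers:
        return {**base, "severity": "Info",
                "title": "WordPress core is up to date",
                "summary": "Your WordPress installation is running the latest version.",
                "detail": f"Current version: {current}. No updates available.",
                "fix": "No action required."}
    # More than one offer may be listed; report a major one when present.
    offer = next((o for o in offers if o.get("update_type") == "major"), offers[0])
    kind = offer.get("update_type", "unknown")
    # Anything that is not "major" is reported as Warning (assumption).
    return {**base, "severity": "Critical" if kind == "major" else "Warning",
            "title": "WordPress core update available",
            "summary": "Your WordPress version is outdated. A newer version with "
                       "security and bug fixes is available.",
            "detail": f"Current version: {current}. Available version: "
                      f"{offer['version']} ({kind} update).",
            "fix": "Update via WP-CLI: `wp core update` or use WordPress admin "
                   "dashboard (Dashboard > Updates)."}

# Constructed sample output (package_url omitted), shaped like the response above.
SAMPLE = ('[{"version": "6.4.4", "update_type": "minor"},'
          ' {"version": "6.5.0", "update_type": "major"}]')
```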
Command:
ssh {user}@{host} "php -v"
Parse output: Extract version number from first line (e.g., "PHP 8.2.10...")
Version Support Status (as of 2026):
Finding ID Format: DIAG-PHP-{3-char-md5-of-php-version}
Example Finding (Outdated):
{
"id": "DIAG-PHP-c3d",
"severity": "Critical",
"category": "Version & Compatibility",
"title": "PHP version is end-of-life",
"summary": "Your PHP version no longer receives security updates, putting your site at risk.",
"detail": "Current PHP version: 7.4.33. This version reached end of life in November 2022. Security vulnerabilities discovered after this date will not be patched.",
"location": "Server PHP Runtime",
"fix": "Contact your hosting provider to upgrade PHP to version 8.1 or higher. Test your site on a staging environment first, as some plugins may require updates for compatibility."
}
Example Finding (Current):
{
"id": "DIAG-PHP-c3d",
"severity": "Info",
"category": "Version & Compatibility",
"title": "PHP version is current",
"summary": "Your PHP version is actively supported with security updates.",
"detail": "Current PHP version: 8.2.10. This version receives active support and security updates.",
"location": "Server PHP Runtime",
"fix": "No action required."
}
Command:
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} db version"
Parse output: Extract database type and version (e.g., "mysql Ver 8.0.35" or "MariaDB 10.6.16")
Version Compatibility:
Finding ID Format: DIAG-DB-{3-char-md5-of-db-version}
Example Finding (Old Version):
{
"id": "DIAG-DB-e5f",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "Database version below recommended",
"summary": "Your database version is older than WordPress recommends for optimal performance and security.",
"detail": "Current database: MySQL 5.6.51. WordPress recommends MySQL 5.7 or higher (or MariaDB 10.3+) for full feature support and security updates.",
"location": "Database Server",
"fix": "Contact your hosting provider to upgrade your database server. MySQL 5.7+ or MariaDB 10.5+ recommended."
}
Get Full Plugin Inventory:
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} plugin list --format=json"
Response format:
[
{
"name": "akismet",
"status": "active",
"update": "available",
"version": "4.2.1",
"update_version": "5.0.1"
},
{
"name": "custom-plugin",
"status": "active",
"update": "none",
"version": "1.0.0"
}
]
Filter to Outdated Plugins:
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} plugin list --update=available --format=json"
Get Theme Status:
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} theme list --format=json"
ssh {user}@{host} "cd {wp_path} && {wp_cli_path} theme list --update=available --format=json"
For Each Outdated Plugin/Theme:
Generate deterministic finding ID: DIAG-PLUGIN-{3-char-md5-of-slug} or DIAG-THEME-{3-char-md5-of-slug}
Check WordPress.org compatibility (optional but recommended):
curl -s "https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]={slug}"
Parse tested field: If the plugin's tested version is lower than the current WordPress version, add a compatibility note.
Example: Plugin tested up to WP 6.3, but site is running WP 6.5 → add note: "This plugin has not been tested with your WordPress version. Update may require testing."
Create finding:
Example Finding (Plugin Update):
{
"id": "DIAG-PLUGIN-7a3",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "Plugin update available: Akismet Anti-Spam",
"summary": "An outdated plugin may have security vulnerabilities or compatibility issues.",
"detail": "Plugin 'Akismet Anti-Spam' (akismet) is outdated. Current version: 4.2.1. Available version: 5.0.1. This plugin has been tested with WordPress 6.5.",
"location": "wp-content/plugins/akismet/",
"fix": "Update via WP-CLI: `wp plugin update akismet` or via WordPress admin (Plugins > Updates). Review changelog before updating: https://wordpress.org/plugins/akismet/#developers"
}
Example Finding (Plugin Not Tested):
{
"id": "DIAG-PLUGIN-9c2",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "Plugin update available: Contact Form 7",
"summary": "An outdated plugin may have security vulnerabilities or compatibility issues.",
"detail": "Plugin 'Contact Form 7' (contact-form-7) is outdated. Current version: 5.7.5. Available version: 5.8.3. Note: This plugin was last tested with WordPress 6.3. Your site is running WordPress 6.5. Compatibility testing recommended.",
"location": "wp-content/plugins/contact-form-7/",
"fix": "Update via WP-CLI: `wp plugin update contact-form-7` or via WordPress admin. Test on a staging site first due to potential compatibility issues."
}
Example Finding (Theme Update):
{
"id": "DIAG-THEME-4d1",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "Theme update available: Twenty Twenty-Four",
"summary": "An outdated theme may have security vulnerabilities or compatibility issues.",
"detail": "Theme 'Twenty Twenty-Four' (twentytwentyfour) is outdated. Current version: 1.0. Available version: 1.1. Theme updates often include security fixes and new features.",
"location": "wp-content/themes/twentytwentyfour/",
"fix": "Update via WP-CLI: `wp theme update twentytwentyfour` or via WordPress admin (Appearance > Themes). Backup your site before updating."
}
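The plugin step above, including the `tested` comparison, as an added Python example that is not part of the original skill. `version_key`, `plugin_findings` and the `tested_by_slug` mapping are hypothetical names; the second sample entry is constructed from the Contact Form 7 example, and the slug stands in for the display name in the title.

```python
import hashlib
import json
import re

def version_key(v):
    # Compare versions as numbers: as strings, "6.10" sorts before "6.9".
    # Only major.minor is used, so a plugin tested with "6.5" is not flagged
    # on a site running "6.5.0" or a later 6.5 patch release.
    nums = [int(n) for n in re.findall(r"\d+", v)[:2]]
    return tuple(nums + [0] * (2 - len(nums)))

def plugin_findings(plugin_list_json, wp_version, tested_by_slug):
    """tested_by_slug maps slug -> `tested` value from the plugin info API.
    A slug is simply absent when the API was unreachable or has no entry."""
    findings = []
    for p in json.loads(plugin_list_json):
        if p.get("update") != "available":
            continue
        slug = p["name"]
        detail = (f"Plugin '{slug}' is outdated. Current version: {p['version']}. "
                  f"Available version: {p.get('update_version', 'unknown')}.")
        tested = tested_by_slug.get(slug)
        if tested and version_key(tested) < version_key(wp_version):
            detail += (f" Note: This plugin was last tested with WordPress {tested}."
                       f" Your site is running WordPress {wp_version}."
                       " Compatibility testing recommended.")
        findings.append({
            "id": "DIAG-PLUGIN-" + hashlib.md5(slug.encode()).hexdigest()[:3],
            "severity": "Warning",
            "category": "Version & Compatibility",
            "title": f"Plugin update available: {slug}",
            "summary": "An outdated plugin may have security vulnerabilities "
                       "or compatibility issues.",
            "detail": detail,
            "location": f"wp-content/plugins/{slug}/",
            "fix": f"Update via WP-CLI: `wp plugin update {slug}` or via "
                   "WordPress admin (Plugins > Updates).",
        })
    return findings

# Constructed sample in the `wp plugin list --format=json` shape shown above.
PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "available",
     "version": "4.2.1", "update_version": "5.0.1"},
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.7.5", "update_version": "5.8.3"},
    {"name": "custom-plugin", "status": "active", "update": "none",
     "version": "1.0.0"},
])
```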
Return findings as a JSON array. Each finding must include:
id (string) — Deterministic ID based on check type
severity (string) — "Critical", "Warning", or "Info"
category (string) — "Version & Compatibility"
title (string) — Short descriptive title
summary (string) — One non-technical sentence explaining the issue
detail (string) — Technical detail with version numbers and context
location (string) — Where the issue exists (e.g., "WordPress Core", "Server PHP Runtime", plugin path)
fix (string) — Specific remediation steps with commands
Example Complete Output:
[
{
"id": "DIAG-VERSION-a1b",
"severity": "Critical",
"category": "Version & Compatibility",
"title": "WordPress core update available",
"summary": "Your WordPress version is outdated. A newer version with security and bug fixes is available.",
"detail": "Current version: 6.4.3. Available version: 6.5.0 (major update).",
"location": "WordPress Core",
"fix": "Update via WP-CLI: `wp core update` or use WordPress admin dashboard."
},
{
"id": "DIAG-PHP-c3d",
"severity": "Info",
"category": "Version & Compatibility",
"title": "PHP version is current",
"summary": "Your PHP version is actively supported with security updates.",
"detail": "Current PHP version: 8.2.10.",
"location": "Server PHP Runtime",
"fix": "No action required."
},
{
"id": "DIAG-PLUGIN-7a3",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "Plugin update available: Akismet Anti-Spam",
"summary": "An outdated plugin may have security vulnerabilities or compatibility issues.",
"detail": "Plugin 'Akismet Anti-Spam' is outdated. Current: 4.2.1, Available: 5.0.1.",
"location": "wp-content/plugins/akismet/",
"fix": "Update via WP-CLI: `wp plugin update akismet` or via admin dashboard."
}
]
If WP-CLI is not installed or not found, return this finding and skip all WP-CLI-dependent checks:
{
"id": "DIAG-WPCLI-000",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "WP-CLI not available",
"summary": "Version auditing requires WP-CLI to be installed on the server.",
"detail": "WP-CLI was not found on the server. Without it, automated version checks for WordPress, plugins, themes, and database cannot be performed.",
"location": "Server Configuration",
"fix": "Install WP-CLI on the server: https://wp-cli.org/#installing. CoWork can assist with installation during the connection flow."
}
If SSH commands timeout:
{
"id": "DIAG-SSH-001",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "SSH connection timeout during version check",
"summary": "Unable to complete version checks due to connection issues.",
"detail": "SSH connection timed out while attempting to run version check commands. This may indicate network issues or server overload.",
"location": "SSH Connection",
"fix": "Verify network connectivity and server status. Retry the diagnostic after confirming the server is responsive."
}
If a specific WP-CLI command fails (non-zero exit code), include error output in detail:
{
"id": "DIAG-CMD-002",
"severity": "Warning",
"category": "Version & Compatibility",
"title": "Failed to check plugin updates",
"summary": "An error occurred while checking for plugin updates.",
"detail": "WP-CLI command `wp plugin list --update=available` failed with error: 'Error: This does not seem to be a WordPress installation.' This may indicate an incorrect WordPress path or corrupted installation.",
"location": "WP-CLI Execution",
"fix": "Verify WordPress installation integrity. Check that the WordPress path in the connection profile is correct."
}
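The `ssh {user}@{host} "cd {wp_path} && ..."` templates interpolate connection-profile values into a remote shell command, so each value has to be quoted before it is sent. An added Python example, not part of the original skill, that builds the command safely and maps a timeout or non-zero exit to the findings above; the function names, the `BatchMode` option, the 30-second default and the generic DIAG-CMD-002 wording are assumptions.

```python
import shlex
import subprocess

def remote_wp_command(wp_path, wp_cli_path, *wp_args):
    # Quote every value for the REMOTE shell so a path with spaces, `;` or
    # `$()` stays one argument instead of becoming shell syntax.
    # Assumption: wp_cli_path is a single executable path, not "php wp-cli.phar".
    words = [shlex.quote(wp_cli_path)] + [shlex.quote(a) for a in wp_args]
    return f"cd {shlex.quote(wp_path)} && {' '.join(words)}"

def warning(fid, title, summary, detail, location, fix):
    return {"id": fid, "severity": "Warning", "category": "Version & Compatibility",
            "title": title, "summary": summary, "detail": detail,
            "location": location, "fix": fix}

def run_check(user, host, remote_cmd, timeout=30, runner=subprocess.run):
    """Return (stdout, None) on success or (None, finding) on failure."""
    # argv list, so no local shell parses anything; "--" keeps a destination
    # that starts with "-" from being read as an ssh option.
    argv = ["ssh", "-o", "BatchMode=yes", "--", f"{user}@{host}", remote_cmd]
    try:
        proc = runner(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, warning(
            "DIAG-SSH-001", "SSH connection timeout during version check",
            "Unable to complete version checks due to connection issues.",
            "SSH connection timed out while attempting to run version check commands.",
            "SSH Connection",
            "Verify network connectivity and server status, then retry the diagnostic.")
    if proc.returncode != 0:
        # Remote stderr is untrusted text: cap its length before embedding it.
        err = (proc.stderr or "").strip()[:300]
        return None, warning(
            "DIAG-CMD-002", "WP-CLI command failed",
            "An error occurred while running a version check command.",
            f"Command `{remote_cmd}` exited with status {proc.returncode}: {err!r}",
            "WP-CLI Execution",
            "Check that the WordPress path in the connection profile is correct.")
    return proc.stdout, None
```

The `runner` parameter exists so the error paths can be exercised with a stub instead of a live SSH connection.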
If WordPress.org API is unreachable (network issue), gracefully skip compatibility checks:
Version audit is complete when:
npx claudepluginhub dr-robert-li/cowork-wordpress-expert