From wordpress-expert
Evaluates WordPress codebase against OWASP Top 10 and WP-specific vulnerability patterns. Use for code security reviews, plugin/theme audits, and incident investigations.
How this skill is triggered (by the user, by Claude, or both):

Slash command: /wordpress-expert:security-analysis

The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Evaluate the codebase and configuration against OWASP Top 10 and WordPress-specific vulnerability patterns.
Checklist:

- Input sanitization: sanitize_text_field(), sanitize_email(), absint(), wp_kses(), wp_kses_post()
- $_GET, $_POST, $_REQUEST, $_SERVER, $_COOKIE are never used directly without sanitization
- $wpdb->prepare() for all parameterized queries; no raw string concatenation in SQL
- esc_url() used for all URLs before output or redirect
- Output escaping: esc_html(), esc_attr(), esc_js() or wp_json_encode(), esc_url()
- Translated strings escaped on output: esc_html__(), esc_html_e(), esc_attr__()
- No direct echo of user-controlled data
- No eval(), assert(), preg_replace() with e modifier, or create_function()
- check_ajax_referer() or equivalent nonce verification
- wp_verify_nonce()
- permission_callback declared (never __return_true for sensitive operations)
- Capability checks (current_user_can()) before any privileged operation
- Cookies set with httpOnly, Secure, and SameSite flags where applicable
- wp_nonce_field()
- wp_create_nonce() / check_ajax_referer()
- $wpdb->prepare() with proper placeholders (%s, %d, %f)
- LIKE queries use $wpdb->esc_like() followed by $wpdb->prepare()
- dbDelta() with proper schema
- No direct query() with unsanitized input
- ABSPATH check at top of PHP files
- .htaccess protection
- wp-config.php not accessible from web
- debug.log not publicly accessible
- No phpinfo() calls in production code
- WP_DEBUG set to false in production
- WP_DEBUG_DISPLAY set to false in production
- WP_DEBUG_LOG either false or logging to a non-public path
- PHP error display off (display_errors = Off)
- No sensitive data stored in wp_options without encryption
- readme.html and license.txt removed or access-restricted
- No base64_decode(), gzinflate(), str_rot13(), gzuncompress() chains
- No eval() usage with dynamic content
- Unexpected wp_options entries
- npm audit for JavaScript dependencies

Immediate investigation triggers (if you encounter any of these, escalate severity):

- eval() with any dynamic content
- base64_decode() followed by eval() or include
- Queries built without $wpdb->prepare()
- wp_ajax_nopriv_ handlers without rate limiting or input validation
- WP_DEBUG set to true with WP_DEBUG_DISPLAY also true in production
- Default wp_ table prefix in production
- index.php files missing from directories (directory traversal risk)
- .git directory accessible from web
- wp-config.php backup files in webroot (wp-config.php.bak, wp-config.old)

# Scan for eval() usage
grep -rn "eval(" /path/to/plugin --include="*.php"
# Scan for base64_decode (potential obfuscation)
grep -rn "base64_decode(" /path/to/plugin --include="*.php"
# Scan for direct superglobal usage (missing sanitization)
grep -rn '$_GET\|$_POST\|$_REQUEST\|$_SERVER\|$_COOKIE' /path/to/plugin --include="*.php"
# Scan for SQL queries without prepare (SQL injection risk)
grep -rn "query(" /path/to/plugin --include="*.php" | grep -v "prepare"
# Scan for common backdoor functions
grep -rn 'system(\|exec(\|passthru(\|shell_exec(\|popen(' /path/to/plugin --include="*.php"
# Verify WordPress core file checksums
wp core verify-checksums
# Verify plugin checksums
wp plugin verify-checksums --all
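As an added example (not part of the wordpress-expert skill or the cowork-wordpress-expert plugin), the script below builds a constructed two-file plugin tree, one file written the way the checklist expects and one that trips the triage checks, and runs the grep checks above over it, returning a count per check so the result can be asserted rather than eyeballed. It goes slightly beyond the page's commands: the query check covers $wpdb->get_results()/get_row()/get_var()/get_col() as well as query(), the superglobal check drops hits that pass through a sanitizer on the same line, and a missing-ABSPATH check from the checklist is included. The file names, check labels and the sanitizer exclusion list are my own choices.

```shell
#!/bin/sh
# Added example, not the skill's own code: constructed sample tree plus the
# triage greps from the checklist, each returning a count.

# Create the constructed sample plugin tree and print its path.
make_sample_plugin() {
  dir=$(mktemp -d)
  cat > "$dir/vulnerable.php" <<'PHP'
<?php
// Constructed sample: every line below trips one of the triage checks.
$id = $_GET['id'];
$wpdb->query( "SELECT * FROM {$wpdb->posts} WHERE ID = $id" );
echo $_POST['name'];
eval( base64_decode( $_REQUEST['p'] ) );
system( $_GET['cmd'] );
PHP
  cat > "$dir/hardened.php" <<'PHP'
<?php
// Constructed sample: the same operations done the way the checklist expects.
if ( ! defined( 'ABSPATH' ) ) { exit; }
check_ajax_referer( 'demo_action' );
if ( ! current_user_can( 'edit_posts' ) ) { wp_die(); }
$id  = absint( $_GET['id'] );
$row = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $id ) );
echo esc_html( sanitize_text_field( wp_unslash( $_POST['name'] ) ) );
PHP
  printf '%s\n' "$dir"
}

# count_hits DIR PATTERN [EXCLUDE]: number of lines in *.php under DIR that
# match the extended regex PATTERN, minus lines that also match EXCLUDE.
count_hits() {
  if [ -n "${3:-}" ]; then
    grep -rnE --include='*.php' "$2" "$1" | grep -vE "$3" | wc -l | tr -d ' '
  else
    grep -rnE --include='*.php' "$2" "$1" | wc -l | tr -d ' '
  fi
}

# Number of PHP files that never check ABSPATH (loadable directly from the web).
count_missing_abspath() {
  grep -rLE --include='*.php' "defined\( *'ABSPATH' *\)" "$1" | wc -l | tr -d ' '
}

# Run the triage set and print one "check=count" line per check. A non-zero
# count is a line to read in context, not a verdict.
scan_plugin() {
  dir=$1
  printf 'eval=%s\n'           "$(count_hits "$dir" 'eval\(')"
  printf 'base64_decode=%s\n'  "$(count_hits "$dir" 'base64_decode\(')"
  # Superglobal hits that are not wrapped in a sanitizer on the same line.
  printf 'raw_superglobal=%s\n' \
    "$(count_hits "$dir" '\$_(GET|POST|REQUEST|SERVER|COOKIE)' 'sanitize_|absint\(|intval\(|wp_kses|esc_')"
  # $wpdb read/write calls whose line carries no prepare().
  printf 'unprepared_query=%s\n' \
    "$(count_hits "$dir" '\$wpdb->(query|get_results|get_row|get_var|get_col)\(' 'prepare\(')"
  printf 'raw_echo=%s\n'       "$(count_hits "$dir" 'echo[[:space:]]+\$_')"
  printf 'shell_function=%s\n' "$(count_hits "$dir" '(system|exec|passthru|shell_exec|popen)\(')"
  printf 'missing_abspath=%s\n' "$(count_missing_abspath "$dir")"
}

# Sum of all counts, usable as a CI gate ("any finding blocks the merge").
total_findings() {
  scan_plugin "$1" | awk -F= '{ s += $2 } END { print s + 0 }'
}

# Stand-alone run: build the sample, scan it, clean up.
demo=$(make_sample_plugin)
scan_plugin "$demo"
rm -rf "$demo"
```

On the constructed tree the hardened file produces no findings and the vulnerable one produces ten, spread over seven checks. The same-line exclusions are the weak point of this kind of grep triage: a $wpdb->prepare() call split across lines is reported as unprepared, a sanitizer applied two statements earlier is not seen, and a non-SQL method named query() is counted too, so treat every count as a pointer to lines for contextual review rather than as a finding in itself.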
npx claudepluginhub dr-robert-li/cowork-wordpress-expert