WordPress Security Code Auditor
A senior WordPress security auditor that reasons about WP-API taint flow — not regex hits — to find the 8 real plugin/theme vulnerability classes a generic scanner misses, and returns scored findings with ready-to-merge before→after patches.
- Audit custom themes and plugins for the 8 core WP vulnerability classes.
- Generate WPCS-compliant security patches for existing codebases.
- Identify missing nonce and capability checks in AJAX and REST handlers.
$27.99
Sample input
Audit this custom dashboard plugin for security issues and generate a findings table.
Sample output
Mode: AUDIT | Tier: E2 (Authenticated Dashboard)
| # | Finding | Class | File:Line | Impact | Effort | Score | Fix |
|---|---|---|---|---|---|---|---|
| 1 | Unprepared SQL in User Search | 4 | search.php:42 | 4 | 1 | 16.0 | Use $wpdb->prepare |
| 2 | Missing Nonce on Settings Save | 3 | admin.php:112 | 3 | 2 | 4.5 | Add check_admin_referer |
About This Skill
Expert Security Auditing for WordPress
Modern WordPress security requires more than just pattern matching or basic linting. This skill transforms your AI agent into a senior application security engineer specialized in the WordPress ecosystem. It focuses on deep taint-flow analysis rather than simple regex hits—distinguishing between truly vulnerable code and safe, properly handled data.
Advanced Taint-Flow Analysis
Unlike generic scanners, this tool understands context. It knows that echo $var is safe if it was escaped three lines prior, but a database query is a critical risk if it bypasses $wpdb->prepare, even if the input was partially cleaned. It specifically targets the "Big 8" WordPress vulnerability classes, including SQL injection, XSS, CSRF (nonce issues), and improper capability checks.
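A before/after pair in the style of the HARDEN mode output, covering the two sample findings above (unprepared SQL in a user search, missing nonce on a settings save) plus the XSS and capability classes this paragraph names. This is an added illustration, not the skill's own code or a real plugin; the function names, hook name and option key are hypothetical.

```php
<?php
// Added illustration, not the skill's own code. Function names, the admin_post
// hook suffix and the option key are hypothetical.

// BEFORE (class 4): $_GET['q'] reaches the query unprepared and the result is echoed
// unescaped. sanitize_text_field() cleans the string but does not make the SQL safe.
function demo_user_search_before() {
    global $wpdb;
    $q    = sanitize_text_field( $_GET['q'] );
    $rows = $wpdb->get_results( "SELECT ID, display_name FROM {$wpdb->users} WHERE display_name LIKE '%$q%'" );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->display_name . '</li>';
    }
}

// AFTER: capability gate, placeholder-bound query via $wpdb->prepare, and escaping at the output sink.
function demo_user_search_after() {
    global $wpdb;
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), 403 );
    }
    $q    = sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) );
    $like = '%' . $wpdb->esc_like( $q ) . '%'; // escape LIKE wildcards before binding
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, display_name FROM {$wpdb->users} WHERE display_name LIKE %s", $like )
    );
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->display_name ) . '</li>'; // HTML context, so esc_html()
    }
}

// BEFORE (class 3): no nonce, no capability check; a cross-site request from an
// admin's browser, or any logged-in user, can overwrite the option.
function demo_save_settings_before() {
    update_option( 'demo_api_endpoint', $_POST['endpoint'] );
}

// AFTER: nonce check (CSRF) and capability check (authorization); both are required,
// since a valid nonce only proves intent, not privilege.
function demo_save_settings_after() {
    check_admin_referer( 'demo_save_settings', 'demo_nonce' ); // dies on a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), 403 );
    }
    $endpoint = esc_url_raw( wp_unslash( $_POST['endpoint'] ?? '' ) );
    update_option( 'demo_api_endpoint', $endpoint );
}
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_after' );
```

The matching form would carry wp_nonce_field( 'demo_save_settings', 'demo_nonce' ) and post to admin-post.php with action=demo_save_settings.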
Two Specialized Modes
- AUDIT: Provides a comprehensive, scored findings table with Impact/Effort metrics and exploit sketches based on your specific exposure tier (E1-E3).
- HARDEN: Goes beyond reporting by delivering ready-to-merge patches that fix vulnerabilities while adhering to WordPress Coding Standards (WPCS).
Why It's Better Than Manual Prompting
Prompting an AI to "find security bugs" often results in generic OWASP advice and false positives. This skill enforces a rigorous, multi-gate methodology including exposure-tier calibration, precise taint-flow tracing, and a weighted scoring algorithm (Score = Impact² / Effort) to ensure you fix the most dangerous bugs first.
Use Cases
- Audit custom themes and plugins for the 8 core WP vulnerability classes.
- Generate WPCS-compliant security patches for existing codebases.
- Identify missing nonce and capability checks in AJAX and REST handlers.
- Verify proper taint-flow and contextual output escaping at scale.
- Calibrate security posture based on unauthenticated vs. admin exposure.
Known Limitations
- Static analysis only: cannot interact with live databases.
- Struggles with obfuscated or heavily minified JS.
- Focused on code, not server-level WAF or firewall configs.
How to Install
```bash
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/wordpress-security-code-auditor -o /tmp/wordpress-security-code-auditor.zip && unzip -o /tmp/wordpress-security-code-auditor.zip -d ~/.claude/skills && rm /tmp/wordpress-security-code-auditor.zip
```

Free skills install directly. Paid skills require purchase: use the download button above after buying.
Built for Claude Cowork / Claude.ai (Claude Opus recommended, high effort). Relies on Claude's long-context, file-aware code reasoning to trace taint flow across a code tree. Not built for ChatGPT or Gemini.