audit_wordpress_plugin
Analyze WordPress plugins for security vulnerabilities, performance issues, code quality, and dependency management through structured multi-step auditing.
Instructions
Comprehensive WordPress plugin audit - chains multiple analysis steps for security, performance, dependencies, and code quality
WORKFLOW: Perfect for understanding complex code, identifying issues, and technical debt assessment TIP: Use Desktop Commander to read files, then pass content here for analysis SAVES: Claude context for strategic decisions
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| auditDepth | No | Depth of audit analysis | comprehensive |
| auditType | No | Type of audit focus | full-audit |
| includeSteps | No | Analysis steps to include in audit | |
| maxDepth | No | Maximum directory depth for analysis (1-5) | |
| phpVersion | No | Target PHP version for compatibility checks | 8.0 |
| projectPath | Yes | Path to WordPress plugin root directory | |
| wpVersion | No | Target WordPress version for compatibility checks | 6.4 |
Implementation Reference
- Main handler function that orchestrates the WordPress plugin audit execution, including validation, model setup, and chained analysis.
async execute(params: any, llmClient: any) { return await withSecurity(this, params, llmClient, async (secureParams) => { try { // 1. Validate WordPress plugin structure this.validateWordPressPlugin(secureParams); // 2. Setup model const { model, contextLength } = await ModelSetup.getReadyModel(llmClient); // 3. Execute chained analysis workflow return await this.executeChainedAnalysis(secureParams, llmClient, model, contextLength); } catch (error: any) { return ErrorHandler.createExecutionError('audit_wordpress_plugin', error); } }); } - Core chained analysis orchestrator that executes multiple sub-tools (structure, dependencies, security, etc.) and synthesizes results.
private async executeChainedAnalysis(params: any, llmClient: any, model: any, contextLength: number) { const auditSteps = params.includeSteps || ['structure', 'dependencies', 'security', 'database', 'quality']; const results: Record<string, any> = {}; const stepExecutionLog: string[] = []; try { stepExecutionLog.push(`Starting WordPress plugin audit with ${auditSteps.length} steps`); // Step 1: Project Structure Overview if (auditSteps.includes('structure')) { stepExecutionLog.push('Executing: Project structure analysis'); results.structure = await this.runAnalysisStep('count_files', { projectPath: params.projectPath, analysisType: 'comprehensive', maxDepth: params.maxDepth }, llmClient); stepExecutionLog.push(`Structure analysis: ${results.structure.success ? 'SUCCESS' : 'FAILED'}`); } // Step 2: Dependencies Analysis if (auditSteps.includes('dependencies')) { stepExecutionLog.push('Executing: Dependencies analysis'); results.dependencies = await this.runAnalysisStep('analyze_dependencies', { projectPath: params.projectPath, analysisType: 'comprehensive', includePackageJson: true, checkDevDependencies: false }, llmClient); stepExecutionLog.push(`Dependencies analysis: ${results.dependencies.success ? 'SUCCESS' : 'FAILED'}`); } // Step 3: WordPress Security Audit if (auditSteps.includes('security')) { stepExecutionLog.push('Executing: WordPress security analysis'); results.security = await this.runAnalysisStep('analyze_wordpress_security', { projectPath: params.projectPath, wpType: 'plugin', wpVersion: params.wpVersion, analysisType: 'comprehensive', includeOwaspTop10: true }, llmClient); stepExecutionLog.push(`Security analysis: ${results.security.success ? 'SUCCESS' : 'FAILED'}`); } // Step 4: Database Query Analysis if (auditSteps.includes('database')) { stepExecutionLog.push('Executing: Database query analysis'); results.database = await this.runAnalysisStep('analyze_database_queries', { projectPath: params.projectPath, analysisType: 'comprehensive', context: { projectType: 'wordpress-plugin' } }, llmClient); stepExecutionLog.push(`Database analysis: ${results.database.success ? 'SUCCESS' : 'FAILED'}`); } // Step 5: Code Quality Assessment if (auditSteps.includes('quality')) { stepExecutionLog.push('Executing: Code quality analysis'); results.quality = await this.runAnalysisStep('analyze_code_quality', { projectPath: params.projectPath, analysisType: 'comprehensive', language: 'php' }, llmClient); stepExecutionLog.push(`Quality analysis: ${results.quality.success ? 'SUCCESS' : 'FAILED'}`); } // Step 6: Synthesize all results stepExecutionLog.push('Synthesizing comprehensive audit report'); const synthesizedResults = await this.synthesizeAuditResults({ ...results, executionLog: stepExecutionLog, completedSteps: auditSteps.filter(step => results[step]?.success), failedSteps: auditSteps.filter(step => results[step]?.success === false) }, params, model, contextLength); stepExecutionLog.push('Audit synthesis: COMPLETED'); return synthesizedResults; } catch (error: any) { stepExecutionLog.push(`Audit failed: ${error.message}`); return ErrorHandler.createExecutionError('audit_wordpress_plugin', error); } } - Input schema defining parameters for the tool, including projectPath, auditDepth, auditType, etc.
parameters = { // Multi-file parameters (primary mode for plugin audit) projectPath: { type: 'string' as const, description: 'Path to WordPress plugin root directory', required: true }, // Analysis configuration auditDepth: { type: 'string' as const, description: 'Depth of audit analysis', enum: ['basic', 'detailed', 'comprehensive'], default: 'comprehensive', required: false }, auditType: { type: 'string' as const, description: 'Type of audit focus', enum: ['security', 'performance', 'quality', 'full-audit'], default: 'full-audit', required: false }, // Analysis step configuration includeSteps: { type: 'array' as const, description: 'Analysis steps to include in audit', required: false, items: { type: 'string' as const }, default: ['structure', 'dependencies', 'security', 'database', 'quality'] }, maxDepth: { type: 'number' as const, description: 'Maximum directory depth for analysis (1-5)', required: false, default: 4 }, // WordPress-specific context wpVersion: { type: 'string' as const, description: 'Target WordPress version for compatibility checks', required: false, default: '6.4' }, phpVersion: { type: 'string' as const, description: 'Target PHP version for compatibility checks', required: false, default: '8.0' } }; - src/prompts/analyze/wordpress-plugin-audit.ts:30-33 (registration)Plugin class definition and registration with tool name 'audit_wordpress_plugin' and description.
export class WordPressPluginAuditor extends BasePlugin implements IPromptPlugin { name = 'audit_wordpress_plugin'; category = 'analyze' as const; description = 'Comprehensive WordPress plugin audit - chains multiple analysis steps for security, performance, dependencies, and code quality'; - Helper method generating the multi-stage prompt for synthesizing audit results into a comprehensive report.
private getMultiFilePromptStages(params: any): PromptStages { const { analysisResult, auditType, auditDepth, wpVersion, phpVersion, stepCount } = params; const systemAndContext = `You are a senior WordPress plugin security and performance expert with 15+ years of experience auditing enterprise WordPress installations. **AUDIT CONTEXT:** - Audit Type: ${auditType} - Audit Depth: ${auditDepth} - Analysis Steps Completed: ${stepCount} - Target WordPress Version: ${wpVersion} - Target PHP Version: ${phpVersion} - Plugin Type: WordPress Plugin **YOUR EXPERTISE:** You are internationally recognized for: - WordPress plugin security auditing and penetration testing - Performance optimization for high-traffic WordPress sites - Code quality assessment for WordPress.org repository submissions - Database optimization and query performance analysis - Dependency management and conflict resolution **AUDIT METHODOLOGY:** 1. **Security Assessment**: OWASP Top 10, WordPress-specific vulnerabilities 2. **Performance Analysis**: Database queries, caching, resource usage 3. **Code Quality Review**: WordPress Coding Standards, best practices 4. **Dependency Analysis**: Plugin conflicts, version compatibility 5. **Architecture Review**: Plugin structure, hooks usage, extensibility **CRITICAL FOCUS AREAS:** - SQL injection vulnerabilities in custom queries - XSS vulnerabilities in admin interfaces and frontend output - CSRF protection through nonces validation - Capability and permission checks - Data sanitization and validation - Performance bottlenecks in database queries - Unused code and dependencies - WordPress API compliance and best practices`; const dataPayload = `**COMPREHENSIVE AUDIT RESULTS:** ${JSON.stringify(analysisResult, null, 2)}`; const outputInstructions = `**PROVIDE COMPREHENSIVE WORDPRESS PLUGIN AUDIT REPORT:** { "executiveSummary": { "overallRating": "critical|high-risk|medium-risk|low-risk|excellent", "primaryConcerns": ["concern1", "concern2", "concern3"], "strengths": ["strength1", "strength2"], "recommendedActions": ["action1", "action2"], "timeToFix": "immediate|1-2 days|1 week|2+ weeks" }, "securityAssessment": { "criticalVulnerabilities": [ { "type": "SQL Injection|XSS|CSRF|Authentication Bypass", "severity": "critical|high|medium|low", "location": "specific file and line", "description": "detailed vulnerability description", "exploit": "how this could be exploited", "fix": "specific fix with code example" } ], "securityScore": "A|B|C|D|F", "complianceIssues": ["OWASP issue 1", "WordPress security issue 2"] }, "performanceAssessment": { "databaseIssues": [ { "type": "N+1 Query|Missing Index|Inefficient Query|Direct SQL", "severity": "critical|high|medium|low", "location": "file and function", "impact": "performance impact description", "optimization": "specific optimization recommendation" } ], "performanceScore": "A|B|C|D|F", "bottlenecks": ["bottleneck1", "bottleneck2"], "optimizations": ["optimization1", "optimization2"] }, "codeQualityAssessment": { "wordpressStandards": { "compliance": "high|medium|low", "violations": ["violation1", "violation2"], "score": "A|B|C|D|F" }, "maintainability": { "score": "high|medium|low", "issues": ["issue1", "issue2"], "improvements": ["improvement1", "improvement2"] } }, "dependencyAssessment": { "unusedCode": ["unused file 1", "unused function 2"], "conflicts": ["potential conflict 1"], "outdatedDependencies": ["dependency1", "dependency2"], "recommendations": ["remove unused X", "update Y to version Z"] }, "actionPlan": { "immediate": [ { "priority": 1, "task": "fix critical security vulnerability", "estimatedTime": "2 hours", "risk": "critical" } ], "shortTerm": [ { "priority": 2, "task": "optimize database queries", "estimatedTime": "4 hours", "risk": "medium" } ], "longTerm": [ { "priority": 3, "task": "refactor architecture", "estimatedTime": "2 days", "risk": "low" } ] }, "complianceReport": { "wordpressOrgReady": true, "issuesBlocking": ["issue1", "issue2"], "recommendationsForSubmission": ["recommendation1", "recommendation2"] } } **REQUIREMENTS:** - Provide specific file names and line numbers for all issues - Include code examples for fixes where applicable - Prioritize findings by business impact and security risk - Ensure all recommendations are actionable and testable - Focus on WordPress-specific best practices and security guidelines`; return { systemAndContext, dataPayload, outputInstructions }; }