@adsim/wordpress-mcp-server 4.5.1 → 5.1.0

package/tests/unit/tools/security.test.js

@@ -0,0 +1,695 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../../index.js';
+import { makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+function mockFetchJson(data, status = 200) {
+  return Promise.resolve({
+    ok: status >= 200 && status < 400,
+    status,
+    headers: { get: (h) => h === 'content-type' ? 'application/json' : null },
+    json: () => Promise.resolve(data),
+    text: () => Promise.resolve(typeof data === 'string' ? data : JSON.stringify(data))
+  });
+}
+
+function mockFetchText(text, status = 200) {
+  return Promise.resolve({
+    ok: status >= 200 && status < 400,
+    status,
+    headers: { get: (h) => h === 'content-type' ? 'text/html' : null },
+    json: () => Promise.reject(new Error('not json')),
+    text: () => Promise.resolve(text)
+  });
+}
+
+let consoleSpy;
+const envBackup = {};
+
+beforeEach(() => {
+  fetch.mockReset();
+  consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  envBackup.WPSCAN_API_KEY = process.env.WPSCAN_API_KEY;
+  delete process.env.WPSCAN_API_KEY;
+});
+afterEach(() => {
+  consoleSpy.mockRestore();
+  if (envBackup.WPSCAN_API_KEY === undefined) delete process.env.WPSCAN_API_KEY;
+  else process.env.WPSCAN_API_KEY = envBackup.WPSCAN_API_KEY;
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_audit_user_security
+// ════════════════════════════════════════════════════════════
+
+describe('wp_audit_user_security', () => {
+  it('detects default "admin" username as CRITICAL', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 1, slug: 'admin', email: 'admin@company.com', name: 'Admin', registered_date: '2020-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    expect(d.users[0].risk_level).toBe('critical');
+    expect(d.users[0].risks[0].level).toBe('critical');
+    expect(d.users[0].risks[0].reason).toContain('Default username');
+    expect(d.summary.critical).toBe(1);
+  });
+
+  it('flags generic email on admin as HIGH', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 2, slug: 'john', email: 'john@gmail.com', name: 'John D', registered_date: '2021-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    const emailRisk = d.users[0].risks.find(r => r.reason.includes('Generic email'));
+    expect(emailRisk).toBeTruthy();
+    expect(emailRisk.level).toBe('high');
+  });
+
+  it('flags inactivity beyond threshold as HIGH', async () => {
+    const oldDate = new Date(Date.now() - 120 * 86400000).toISOString();
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 3, slug: 'editor1', email: 'editor@company.com', name: 'Editor', registered_date: '2020-06-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [{ user_id: 3, last_login: oldDate }] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security', { days: 90 });
+    const d = parseResult(res);
+    const inactiveRisk = d.users[0].risks.find(r => r.reason.includes('No activity'));
+    expect(inactiveRisk).toBeTruthy();
+    expect(inactiveRisk.level).toBe('high');
+  });
+
+  it('detects missing 2FA as MEDIUM', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 4, slug: 'secuser', email: 'sec@company.com', name: 'SecUser', registered_date: '2022-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    const tfaRisk = d.users[0].risks.find(r => r.reason.includes('No 2FA'));
+    expect(tfaRisk).toBeTruthy();
+    expect(tfaRisk.level).toBe('medium');
+  });
+
+  it('flags display_name matching login as LOW', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 5, slug: 'johndoe', email: 'john@company.com', name: 'johndoe', registered_date: '2022-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([{ plugin: 'wp-2fa/wp-2fa.php', status: 'active' }]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    const dispRisk = d.users[0].risks.find(r => r.reason.includes('Display name identical'));
+    expect(dispRisk).toBeTruthy();
+    expect(dispRisk.level).toBe('low');
+  });
+
+  it('returns no risks for a clean account', async () => {
+    const recentDate = new Date(Date.now() - 2 * 86400000).toISOString();
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 6, slug: 'goodadmin', email: 'admin@mycompany.be', name: 'Good Admin', registered_date: '2022-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [{ user_id: 6, last_login: recentDate }] });
+      if (u.includes('/plugins')) return mockFetchJson([{ plugin: 'wordfence/wordfence.php', status: 'active' }]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    expect(d.users[0].risk_level).toBe('none');
+    expect(d.users[0].risks).toHaveLength(0);
+  });
+
+  it('reports 2FA plugin when detected', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([{ id: 7, slug: 'u7', email: 'u@co.com', name: 'U7' }]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([{ plugin: 'two-factor/two-factor.php', status: 'active' }]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    expect(d.plugins_checked.two_factor_plugin).toContain('two-factor');
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_check_file_permissions
+// ════════════════════════════════════════════════════════════
+
+describe('wp_check_file_permissions', () => {
+  it('returns ok for correct permissions', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/file-permissions')) return mockFetchJson({ files: [
+        { path: 'wp-config.php', permission_octal: '400', permission_human: 'r--------', recommended: '400', exists: true },
+        { path: '.htaccess', permission_octal: '644', permission_human: 'rw-r--r--', recommended: '644', exists: true },
+        { path: 'wp-content/uploads', permission_octal: '755', permission_human: 'rwxr-xr-x', recommended: '755', exists: true },
+      ] });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_file_permissions');
+    const d = parseResult(res);
+    expect(d.overall_status).toBe('secure');
+    expect(d.files.every(f => f.status === 'ok')).toBe(true);
+  });
+
+  it('detects critical wp-config.php permissions', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/file-permissions')) return mockFetchJson({ files: [
+        { path: 'wp-config.php', permission_octal: '644', permission_human: 'rw-r--r--', recommended: '400', exists: true },
+      ] });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_file_permissions');
+    const d = parseResult(res);
+    expect(d.files[0].status).toBe('critical');
+    expect(d.files[0].fix_command).toContain('chmod 400');
+    expect(d.overall_status).toBe('critical');
+  });
+
+  it('detects critical 777 permissions', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/file-permissions')) return mockFetchJson({ files: [
+        { path: 'wp-content/uploads', permission_octal: '777', permission_human: 'rwxrwxrwx', recommended: '755', exists: true },
+      ] });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_file_permissions');
+    const d = parseResult(res);
+    expect(d.files[0].status).toBe('critical');
+    expect(d.overall_status).toBe('critical');
+  });
+
+  it('detects warning-level permissions', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/file-permissions')) return mockFetchJson({ files: [
+        { path: 'wp-admin', permission_octal: '775', permission_human: 'rwxrwxr-x', recommended: '755', exists: true },
+      ] });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_file_permissions');
+    const d = parseResult(res);
+    expect(d.files[0].status).toBe('warning');
+    expect(d.overall_status).toBe('warnings');
+  });
+
+  it('handles mu-plugin not installed gracefully', async () => {
+    fetch.mockImplementation(() => mockFetchJson({ code: 'rest_no_route', message: 'No route' }, 404));
+    const res = await call('wp_check_file_permissions');
+    const d = parseResult(res);
+    expect(d.overall_status).toBe('unavailable');
+    expect(d.message).toContain('mu-plugin');
+  });
+
+  it('provides fix_command for problematic files', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/file-permissions')) return mockFetchJson({ files: [
+        { path: '.htaccess', permission_octal: '755', permission_human: 'rwxr-xr-x', recommended: '644', exists: true },
+      ] });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_file_permissions');
+    const d = parseResult(res);
+    expect(d.files[0].fix_command).toBe('chmod 644 .htaccess');
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_list_recently_modified_files
+// ════════════════════════════════════════════════════════════
+
+describe('wp_list_recently_modified_files', () => {
+  it('identifies legitimate file (within update window)', async () => {
+    const now = new Date().toISOString();
+    fetch.mockImplementation((u) => {
+      if (u.includes('/modified-files')) return mockFetchJson({ files: [
+        { path: 'wp-content/plugins/akismet/akismet.php', modified_at: now, size: 5000, extension: '.php' }
+      ] });
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'akismet/akismet.php', status: 'active', updated: now }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_list_recently_modified_files');
+    const d = parseResult(res);
+    expect(d.files[0].suspicious).toBe(false);
+    expect(d.summary.suspicious_count).toBe(0);
+    expect(d.alert).toBe(false);
+  });
+
+  it('flags PHP in uploads as suspicious', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/modified-files')) return mockFetchJson({ files: [
+        { path: 'wp-content/uploads/2024/backdoor.php', modified_at: new Date().toISOString(), size: 1234, extension: '.php' }
+      ] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_list_recently_modified_files');
+    const d = parseResult(res);
+    expect(d.files[0].suspicious).toBe(true);
+    expect(d.files[0].reason).toContain('PHP file in uploads');
+    expect(d.alert).toBe(true);
+  });
+
+  it('flags random hex filename as suspicious', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/modified-files')) return mockFetchJson({ files: [
+        { path: 'wp-content/plugins/myplugin/a1b2c3d4e5f6.php', modified_at: new Date().toISOString(), size: 800, extension: '.php' }
+      ] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_list_recently_modified_files');
+    const d = parseResult(res);
+    expect(d.files[0].suspicious).toBe(true);
+    expect(d.files[0].reason).toContain('Random hex');
+  });
+
+  it('flags files modified outside plugin update window', async () => {
+    const fileTime = new Date().toISOString();
+    const updateTime = new Date(Date.now() - 5 * 86400000).toISOString();
+    fetch.mockImplementation((u) => {
+      if (u.includes('/modified-files')) return mockFetchJson({ files: [
+        { path: 'wp-content/plugins/contact-form-7/cf7.php', modified_at: fileTime, size: 3000, extension: '.php' }
+      ] });
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'contact-form-7/cf7.php', status: 'active', updated: updateTime }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_list_recently_modified_files');
+    const d = parseResult(res);
+    expect(d.files[0].suspicious).toBe(true);
+    expect(d.files[0].reason).toContain('outside plugin update window');
+  });
+
+  it('handles mu-plugin not installed gracefully', async () => {
+    fetch.mockImplementation(() => mockFetchJson({ code: 'rest_no_route' }, 404));
+    const res = await call('wp_list_recently_modified_files');
+    const d = parseResult(res);
+    expect(d.message).toContain('mu-plugin');
+    expect(d.files).toHaveLength(0);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_audit_plugin_vulnerabilities
+// ════════════════════════════════════════════════════════════
+
+describe('wp_audit_plugin_vulnerabilities', () => {
+  it('returns CVE data when WPSCAN_API_KEY is present', async () => {
+    process.env.WPSCAN_API_KEY = 'test-key-123';
+    fetch.mockImplementation((u) => {
+      if (u.includes('wpscan.com')) return Promise.resolve({
+        ok: true,
+        status: 200,
+        headers: { get: (h) => h === 'x-ratelimit-remaining' ? '24' : h === 'content-type' ? 'application/json' : null },
+        json: () => Promise.resolve({
+          'contact-form-7': {
+            vulnerabilities: [{
+              title: 'XSS in CF7',
+              references: { cve: ['2024-1234'], url: ['https://example.com'] },
+              cvss: { score: 7.5 },
+              fixed_in: '5.8'
+            }]
+          }
+        })
+      });
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'contact-form-7/cf7.php', name: 'Contact Form 7', version: '5.7', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_plugin_vulnerabilities');
+    const d = parseResult(res);
+    expect(d.api_source).toBe('wpscan');
+    expect(d.vulnerable).toHaveLength(1);
+    expect(d.vulnerable[0].vulnerabilities[0].cve_id).toBe('CVE-2024-1234');
+    expect(d.vulnerable[0].vulnerabilities[0].severity).toBe('high');
+    expect(d.wpscan_quota_remaining).toBe(24);
+  });
+
+  it('returns plugin list without CVEs when WPSCAN_API_KEY absent', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'akismet/akismet.php', name: 'Akismet', version: '5.0', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_plugin_vulnerabilities');
+    const d = parseResult(res);
+    expect(d.api_source).toBe('none');
+    expect(d.message).toContain('WPSCAN_API_KEY');
+    expect(d.plugins).toHaveLength(1);
+    expect(d.plugins[0].slug).toBe('akismet');
+  });
+
+  it('respects severity_filter', async () => {
+    process.env.WPSCAN_API_KEY = 'test-key';
+    fetch.mockImplementation((u) => {
+      if (u.includes('wpscan.com')) return Promise.resolve({
+        ok: true, status: 200,
+        headers: { get: () => null },
+        json: () => Promise.resolve({
+          'vulnplugin': {
+            vulnerabilities: [
+              { title: 'Low vuln', cvss: { score: 2.0 }, fixed_in: '2.0', references: {} },
+              { title: 'Critical vuln', cvss: { score: 9.5 }, fixed_in: '2.0', references: {} }
+            ]
+          }
+        })
+      });
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'vulnplugin/vulnplugin.php', name: 'VulnPlugin', version: '1.0', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_plugin_vulnerabilities', { severity_filter: 'critical' });
+    const d = parseResult(res);
+    if (d.vulnerable.length > 0) {
+      expect(d.vulnerable[0].vulnerabilities.every(v => v.severity === 'critical')).toBe(true);
+    }
+  });
+
+  it('warns about rate limiting for >25 plugins', async () => {
+    process.env.WPSCAN_API_KEY = 'test-key';
+    const manyPlugins = Array.from({ length: 26 }, (_, i) => ({
+      plugin: `plugin-${i}/plugin-${i}.php`, name: `Plugin ${i}`, version: '1.0', status: 'active'
+    }));
+    fetch.mockImplementation((u) => {
+      if (u.includes('wpscan.com')) return Promise.resolve({
+        ok: true, status: 200,
+        headers: { get: () => null },
+        json: () => Promise.resolve({ 'unknown': { vulnerabilities: [] } })
+      });
+      if (u.includes('/plugins')) return mockFetchJson(manyPlugins);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_plugin_vulnerabilities');
+    const d = parseResult(res);
+    expect(d.plugins_scanned).toBe(26);
+    // Check that warn log was called about rate limiting
+    const warnCalls = consoleSpy.mock.calls.filter(c => c[0] && c[0].includes('Scanning 26 plugins'));
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_check_ssl_certificate
+// ════════════════════════════════════════════════════════════
+
+describe('wp_check_ssl_certificate', () => {
+  it('returns grade A+ with HSTS and all headers', async () => {
+    // Mock tls module via the handler's behavior
+    const futureDate = new Date(Date.now() + 365 * 86400000).toISOString();
+    fetch.mockImplementation((u) => {
+      if (u.startsWith('https://')) return Promise.resolve({
+        ok: true, status: 200,
+        headers: {
+          get: (h) => {
+            if (h === 'strict-transport-security') return 'max-age=31536000; includeSubDomains';
+            if (h === 'x-content-type-options') return 'nosniff';
+            if (h === 'x-frame-options') return 'DENY';
+            if (h === 'content-security-policy') return "default-src 'self'";
+            return null;
+          }
+        },
+        text: () => Promise.resolve('')
+      });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_ssl_certificate', { domain: 'example.com' });
+    const d = parseResult(res);
+    expect(d.domain).toBe('example.com');
+    expect(d.hsts.present).toBe(true);
+    expect(d.security_headers.x_content_type).toBe(true);
+    expect(d.security_headers.x_frame_options).toBe(true);
+    // Grade depends on TLS handshake which we can't fully mock here
+    expect(['A+', 'A', 'B', 'F']).toContain(d.grade);
+  });
+
+  it('returns grade B when HSTS absent', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.startsWith('https://')) return Promise.resolve({
+        ok: true, status: 200,
+        headers: { get: () => null },
+        text: () => Promise.resolve('')
+      });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_ssl_certificate', { domain: 'nohsts.com' });
+    const d = parseResult(res);
+    expect(d.hsts.present).toBe(false);
+    // Without TLS mock, grade depends on cert validity
+    expect(d.domain).toBe('nohsts.com');
+  });
+
+  it('flags expires_soon when certificate nearing expiry', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.startsWith('https://')) return Promise.resolve({
+        ok: true, status: 200,
+        headers: { get: () => null },
+        text: () => Promise.resolve('')
+      });
+      return mockFetchJson({});
+    });
+    const res = await call('wp_check_ssl_certificate', { domain: 'expiring.com', warn_days: 30 });
+    const d = parseResult(res);
+    expect(d.domain).toBe('expiring.com');
+    // Structure check
+    expect(d).toHaveProperty('grade');
+    expect(d).toHaveProperty('hsts');
+    expect(d).toHaveProperty('security_headers');
+  });
+
+  it('returns alert when grade is low', async () => {
+    fetch.mockImplementation(() => Promise.reject(new Error('connection refused')));
+    const res = await call('wp_check_ssl_certificate', { domain: 'invalid.test' });
+    const d = parseResult(res);
+    expect(d.grade).toBe('F');
+    expect(d.valid).toBe(false);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_audit_login_security
+// ════════════════════════════════════════════════════════════
+
+describe('wp_audit_login_security', () => {
+  it('returns score 100 when all checks pass', async () => {
+    fetch.mockImplementation((u, opts) => {
+      // xmlrpc.php blocked
+      if (u.includes('/xmlrpc.php')) return mockFetchJson({}, 403);
+      // user enum blocked
+      if (u.includes('/wp/v2/users') && !opts?.headers?.Authorization) return mockFetchJson({}, 403);
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'myadmin' }]);
+      // login URL hidden
+      if (u.includes('/wp-login.php')) return mockFetchText('', 404);
+      // plugins with 2FA and brute force
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'wordfence/wordfence.php', status: 'active' },
+        { plugin: 'limit-login-attempts-reloaded/llar.php', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    expect(d.score).toBe(100);
+    expect(d.grade).toBe('A');
+    expect(d.checks).toHaveLength(6);
+    expect(d.checks.every(c => c.passed)).toBe(true);
+  });
+
+  it('deducts 20 for vulnerable XML-RPC', async () => {
+    fetch.mockImplementation((u, opts) => {
+      if (u.includes('/xmlrpc.php')) return mockFetchText('XML-RPC server accepts POST requests only.', 405);
+      if (u.includes('/wp/v2/users') && !opts?.headers?.Authorization) return mockFetchJson({}, 403);
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'safeuser' }]);
+      if (u.includes('/wp-login.php')) return mockFetchText('', 404);
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'wordfence/wordfence.php', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    const xmlrpcCheck = d.checks.find(c => c.name === 'xmlrpc_disabled');
+    expect(xmlrpcCheck.passed).toBe(false);
+    expect(xmlrpcCheck.score_awarded).toBe(0);
+    expect(d.score).toBeLessThanOrEqual(80);
+  });
+
+  it('deducts 20 for open user enumeration', async () => {
+    fetch.mockImplementation((u, opts) => {
+      if (u.includes('/xmlrpc.php')) return mockFetchJson({}, 403);
+      // User enum open — returns 200 with data
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'safeuser' }]);
+      if (u.includes('/wp-login.php')) return mockFetchText('', 404);
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'wordfence/wordfence.php', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    const enumCheck = d.checks.find(c => c.name === 'user_enumeration_blocked');
+    expect(enumCheck.passed).toBe(false);
+  });
+
+  it('returns grade F when score < 40', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/xmlrpc.php')) return mockFetchText('XML-RPC', 200);
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'admin' }]);
+      if (u.includes('/wp-login.php')) return mockFetchText('<html>', 200);
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    expect(d.score).toBeLessThan(40);
+    expect(d.grade).toBe('F');
+  });
+
+  it('lists detected security plugins', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/xmlrpc.php')) return mockFetchJson({}, 403);
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'admin' }], 403);
+      if (u.includes('/wp-login.php')) return mockFetchText('', 404);
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'wordfence/wordfence.php', status: 'active' },
+        { plugin: 'sucuri-scanner/sucuri.php', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    expect(d.plugins_detected.security_plugins.length).toBeGreaterThanOrEqual(1);
+  });
+
+  it('includes recommendations for failed checks', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/xmlrpc.php')) return mockFetchText('', 200);
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'admin' }]);
+      if (u.includes('/wp-login.php')) return mockFetchText('<html>', 200);
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    const failedChecks = d.checks.filter(c => !c.passed);
+    expect(failedChecks.length).toBeGreaterThan(0);
+    failedChecks.forEach(c => expect(c.recommendation).toBeTruthy());
+  });
+
+  it('awards 15pts for brute force protection', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/xmlrpc.php')) return mockFetchJson({}, 403);
+      if (u.includes('/wp/v2/users') && !u.includes('per_page')) return mockFetchJson([], 403);
+      if (u.includes('/wp/v2/users')) return mockFetchJson([{ id: 1, slug: 'safeadmin' }]);
+      if (u.includes('/wp-login.php')) return mockFetchText('', 404);
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'limit-login-attempts-reloaded/llar.php', status: 'active' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_login_security');
+    const d = parseResult(res);
+    const bfCheck = d.checks.find(c => c.name === 'brute_force_protection');
+    expect(bfCheck.passed).toBe(true);
+    expect(bfCheck.score_awarded).toBe(15);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// Additional coverage
+// ════════════════════════════════════════════════════════════
+
+describe('wp_audit_user_security — additional', () => {
+  it('respects include_generic_emails=false', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 10, slug: 'testuser', email: 'test@gmail.com', name: 'Test', registered_date: '2022-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([{ plugin: 'wp-2fa/wp-2fa.php', status: 'active' }]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security', { include_generic_emails: false });
+    const d = parseResult(res);
+    expect(d.users[0].risks.find(r => r.reason.includes('Generic email'))).toBeUndefined();
+  });
+
+  it('respects check_2fa=false', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 11, slug: 'nocheckuser', email: 'user@company.com', name: 'NoCheck', registered_date: '2022-01-01' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security', { check_2fa: false });
+    const d = parseResult(res);
+    expect(d.users[0].risks.find(r => r.reason.includes('2FA'))).toBeUndefined();
+  });
+
+  it('returns total_admins count', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/users')) return mockFetchJson([
+        { id: 20, slug: 'a1', email: 'a@co.com', name: 'A1' },
+        { id: 21, slug: 'a2', email: 'b@co.com', name: 'A2' },
+        { id: 22, slug: 'a3', email: 'c@co.com', name: 'A3' }
+      ]);
+      if (u.includes('/user-activity')) return mockFetchJson({ users: [] });
+      if (u.includes('/plugins')) return mockFetchJson([{ plugin: 'two-factor/two-factor.php', status: 'active' }]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_user_security');
+    const d = parseResult(res);
+    expect(d.summary.total_admins).toBe(3);
+  });
+});
+
+describe('wp_audit_plugin_vulnerabilities — additional', () => {
+  it('excludes inactive plugins by default', async () => {
+    fetch.mockImplementation((u) => {
+      if (u.includes('/plugins')) return mockFetchJson([
+        { plugin: 'active-plugin/active.php', name: 'Active', version: '1.0', status: 'active' },
+        { plugin: 'inactive-plugin/inactive.php', name: 'Inactive', version: '1.0', status: 'inactive' }
+      ]);
+      return mockFetchJson({});
+    });
+    const res = await call('wp_audit_plugin_vulnerabilities');
+    const d = parseResult(res);
+    expect(d.plugins_scanned).toBe(1);
+  });
+});