@adsim/wordpress-mcp-server 4.6.0 → 5.1.0

package/src/tools/security.js

@@ -0,0 +1,590 @@
+// src/tools/security.js — security tools (6)
+// Definitions + handlers (v5.0.0 refactor Step B+C)
+
+import { json } from '../shared/utils.js';
+import { rt } from '../shared/context.js';
+
+export const definitions = [
+  { name: 'wp_audit_user_security', _category: 'security', description: 'Use to audit administrator accounts for security risks: default usernames, inactive accounts, generic emails, missing 2FA, enumerable display names. Read-only.',
+        inputSchema: { type: 'object', properties: { days: { type: 'number', description: 'default 90' }, include_generic_emails: { type: 'boolean', description: 'default true' }, check_2fa: { type: 'boolean', description: 'default true' } }}},
+  { name: 'wp_check_file_permissions', _category: 'security', description: 'Use to check critical WordPress file/directory permissions via companion mu-plugin. Reports permission issues with fix commands. Read-only.',
+        inputSchema: { type: 'object', properties: {} }},
+  { name: 'wp_list_recently_modified_files', _category: 'security', description: 'Use to list recently modified files in wp-content with suspicious file detection (random names, PHP in uploads, out-of-update-window changes). Read-only.',
+        inputSchema: { type: 'object', properties: { days: { type: 'number', description: 'default 7' }, paths: { type: 'array', items: { type: 'string' }, description: 'Paths relative to wp-content/ (default ["plugins","themes"])' }, extensions: { type: 'array', items: { type: 'string' }, description: 'File extensions to scan (default [".php",".js"])' }, exclude_legitimate: { type: 'boolean', description: 'default true' } }}},
+  { name: 'wp_audit_plugin_vulnerabilities', _category: 'security', description: 'Use to scan active plugins against WPScan vulnerability database. Returns CVEs with CVSS scores when WPSCAN_API_KEY is set; plugin list with versions otherwise. Read-only.',
+        inputSchema: { type: 'object', properties: { severity_filter: { type: 'string', enum: ['critical', 'high', 'medium', 'low', 'all'], description: 'default all' }, include_inactive: { type: 'boolean', description: 'default false' } }}},
+  { name: 'wp_check_ssl_certificate', _category: 'security', description: 'Use to check SSL/TLS certificate validity, expiration, security headers (HSTS, X-Content-Type-Options, X-Frame-Options, CSP), and compute a security grade (A+ to F). Read-only.',
+        inputSchema: { type: 'object', properties: { domain: { type: 'string', description: 'Domain to check (default: site hostname)' }, warn_days: { type: 'number', description: 'default 30' } }}},
+  { name: 'wp_audit_login_security', _category: 'security', description: 'Use to audit WordPress login security: XML-RPC exposure, user enumeration, login URL, 2FA plugins, brute force protection, admin username. Returns score /100 and grade. Read-only.',
+        inputSchema: { type: 'object', properties: {} }}
+];
+
+export const handlers = {};
+
+handlers['wp_audit_user_security'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, sanitizeParams, name } = rt;
+  const secDays = args.days || 90;
+  const secGenericEmails = args.include_generic_emails !== false;
+  const secCheck2fa = args.check_2fa !== false;
+  const genericDomains = ['gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com', 'aol.com', 'mail.com'];
+
+  // Fetch admin users
+  let admins;
+  try {
+    admins = await wpApiCall('/users?roles=administrator&per_page=100');
+  } catch (e) {
+    admins = await wpApiCall('/users?per_page=100');
+  }
+  if (!Array.isArray(admins)) admins = [];
+
+  // Try to get last activity from mu-plugin
+  let activityMap = {};
+  try {
+    const activity = await wpApiCall('/user-activity', { basePath: '/wp-json/mcp-diagnostics/v1' });
+    if (activity.users) {
+      for (const u of activity.users) {
+        activityMap[u.user_id] = u.last_login;
+      }
+    }
+  } catch (_e) { /* mu-plugin not installed */ }
+
+  // Check for 2FA plugin
+  let twoFactorPlugin = null;
+  if (secCheck2fa) {
+    try {
+      const plugins = await wpApiCall('/plugins', { basePath: '/wp-json/wp/v2' });
+      if (Array.isArray(plugins)) {
+        const tfaSlugs = ['wp-2fa', 'two-factor', 'wordfence', 'miniOrange-2-factor-authentication'];
+        for (const p of plugins) {
+          const pSlug = (p.plugin || '').split('/')[0];
+          if (tfaSlugs.some(s => pSlug.toLowerCase().includes(s.toLowerCase())) && p.status === 'active') {
+            twoFactorPlugin = pSlug;
+            break;
+          }
+        }
+      }
+    } catch (_e) { /* no plugin access */ }
+  }
+
+  const summary = { critical: 0, high: 0, medium: 0, low: 0, total_admins: admins.length };
+  const secUsers = admins.map(u => {
+    const risks = [];
+    const login = u.slug || u.username || u.name || '';
+    const email = u.email || '';
+    const displayName = u.name || '';
+    const registered = u.registered_date || u.date || null;
+    const lastLogin = activityMap[u.id] || null;
+
+    // CRITICAL: default username
+    if (login === 'admin' || login === 'administrator') {
+      risks.push({ level: 'critical', reason: `Default username "${login}"`, recommendation: 'Create a new admin account with a unique username and delete this one.' });
+      summary.critical++;
+    }
+
+    // HIGH: inactivity
+    if (lastLogin) {
+      const daysSince = Math.floor((Date.now() - new Date(lastLogin).getTime()) / 86400000);
+      if (daysSince > secDays) {
+        risks.push({ level: 'high', reason: `No activity for ${daysSince} days (threshold: ${secDays})`, recommendation: 'Review account necessity. Consider disabling or deleting inactive admin accounts.' });
+        summary.high++;
+      }
+    }
+
+    // HIGH: generic email
+    if (secGenericEmails && email) {
+      const domain = email.split('@')[1] || '';
+      if (genericDomains.includes(domain.toLowerCase())) {
+        risks.push({ level: 'high', reason: `Generic email provider (${domain}) on admin account`, recommendation: 'Use a professional/company email for administrator accounts.' });
+        summary.high++;
+      }
+    }
+
+    // MEDIUM: no 2FA
+    if (secCheck2fa && !twoFactorPlugin) {
+      risks.push({ level: 'medium', reason: 'No 2FA plugin detected', recommendation: 'Install and configure a 2FA plugin (WP 2FA, Two Factor, or Wordfence).' });
+      summary.medium++;
+    }
+
+    // LOW: display_name matches login
+    if (displayName && displayName === login) {
+      risks.push({ level: 'low', reason: 'Display name identical to login (user enumeration risk)', recommendation: 'Set a distinct display name different from the login username.' });
+      summary.low++;
+    }
+
+    const riskLevel = risks.some(r => r.level === 'critical') ? 'critical' : risks.some(r => r.level === 'high') ? 'high' : risks.some(r => r.level === 'medium') ? 'medium' : risks.some(r => r.level === 'low') ? 'low' : 'none';
+    return { id: u.id, login, email, display_name: displayName, registered, last_login: lastLogin, risk_level: riskLevel, risks };
+  });
+
+  result = json({ users: secUsers, summary, plugins_checked: { two_factor_plugin: twoFactorPlugin } });
+  auditLog({ tool: name, action: 'audit_user_security', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+  return result;
+};
+handlers['wp_check_file_permissions'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, sanitizeParams, name } = rt;
+  let fpFiles;
+  try {
+    const fpData = await wpApiCall('/file-permissions', { basePath: '/wp-json/mcp-diagnostics/v1' });
+    fpFiles = fpData.files || [];
+  } catch (e) {
+    result = json({ files: [], overall_status: 'unavailable', message: 'Companion mu-plugin not installed. Copy mcp-diagnostics.php to wp-content/mu-plugins/mcp-diagnostics.php' });
+    auditLog({ tool: name, action: 'check_file_permissions', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+    return result;
+  }
+
+  const permChecks = {
+    'wp-config.php': { recommended: '400', max_octal: 0o440 },
+    '.htaccess': { recommended: '644', max_octal: 0o644 },
+    'uploads': { recommended: '755', max_octal: 0o755 },
+    'wp-includes': { recommended: '755', max_octal: 0o755 },
+    'wp-admin': { recommended: '755', max_octal: 0o755 },
+  };
+
+  let overallStatus = 'secure';
+  const fpResult = fpFiles.map(f => {
+    const shortPath = f.path.replace(/^.*[/\\]/, '') || f.path;
+    const matchKey = Object.keys(permChecks).find(k => f.path.includes(k)) || shortPath;
+    const check = permChecks[matchKey] || { recommended: '755', max_octal: 0o755 };
+    const currentOctal = parseInt(f.permission_octal, 8);
+    const maxOctal = check.max_octal;
+
+    let status = 'ok';
+    let risk = 'none';
+    if (!f.exists) {
+      status = 'missing';
+      risk = 'info';
+    } else if (currentOctal > maxOctal) {
+      if (f.path.includes('wp-config') && currentOctal > 0o440) {
+        status = 'critical';
+        risk = 'critical';
+        overallStatus = 'critical';
+      } else if (f.permission_octal === '777') {
+        status = 'critical';
+        risk = 'critical';
+        overallStatus = 'critical';
+      } else {
+        status = 'warning';
+        risk = 'high';
+        if (overallStatus !== 'critical') overallStatus = 'warnings';
+      }
+    }
+
+    return {
+      path: f.path,
+      current_permission: f.permission_octal,
+      recommended: check.recommended,
+      status,
+      risk,
+      fix_command: status !== 'ok' && status !== 'missing' ? `chmod ${check.recommended} ${f.path}` : null
+    };
+  });
+
+  result = json({ files: fpResult, overall_status: overallStatus });
+  auditLog({ tool: name, action: 'check_file_permissions', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+  return result;
+};
+handlers['wp_list_recently_modified_files'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, sanitizeParams, name } = rt;
+  const rmfDays = args.days || 7;
+  const rmfPaths = args.paths || ['plugins', 'themes'];
+  const rmfExtensions = args.extensions || ['.php', '.js'];
+  const rmfExcludeLegitimate = args.exclude_legitimate !== false;
+
+  let modifiedFiles;
+  try {
+    const pathsParam = rmfPaths.join(',');
+    const extParam = rmfExtensions.join(',');
+    const rmfData = await wpApiCall(`/modified-files?days=${rmfDays}&paths=${encodeURIComponent(pathsParam)}&extensions=${encodeURIComponent(extParam)}`, { basePath: '/wp-json/mcp-diagnostics/v1' });
+    modifiedFiles = rmfData.files || [];
+  } catch (e) {
+    result = json({ files: [], summary: { total_modified: 0, suspicious_count: 0, paths_scanned: rmfPaths }, alert: false, message: 'Companion mu-plugin not installed. Copy mcp-diagnostics.php to wp-content/mu-plugins/mcp-diagnostics.php' });
+    auditLog({ tool: name, action: 'list_recently_modified_files', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+    return result;
+  }
+
+  // Get plugin update timestamps for legitimate change detection
+  let pluginUpdates = {};
+  if (rmfExcludeLegitimate) {
+    try {
+      const plugins = await wpApiCall('/plugins', { basePath: '/wp-json/wp/v2' });
+      if (Array.isArray(plugins)) {
+        for (const p of plugins) {
+          const pDir = (p.plugin || '').split('/')[0];
+          if (pDir && p.status === 'active') {
+            pluginUpdates[pDir] = p.updated || p.last_updated || null;
+          }
+        }
+      }
+    } catch (_e) { /* no plugin access */ }
+  }
+
+  const randomNameRegex = /[a-f0-9]{8,}\.php$/;
+  let suspiciousCount = 0;
+
+  const rmfResult = modifiedFiles.map(f => {
+    let suspicious = false;
+    let reason = null;
+    let pluginContext = null;
+
+    // Check plugin context
+    const pathParts = f.path.split('/');
+    const pluginDirIdx = pathParts.indexOf('plugins');
+    if (pluginDirIdx >= 0 && pathParts.length > pluginDirIdx + 1) {
+      pluginContext = pathParts[pluginDirIdx + 1];
+    }
+
+    // Suspicious: PHP in uploads
+    if (f.path.includes('/uploads/') && f.extension === '.php') {
+      suspicious = true;
+      reason = 'PHP file in uploads directory';
+    }
+    // Suspicious: random filename
+    else if (randomNameRegex.test(f.path)) {
+      suspicious = true;
+      reason = 'Random hex filename pattern';
+    }
+    // Suspicious: out of update window
+    else if (rmfExcludeLegitimate && pluginContext && pluginUpdates[pluginContext]) {
+      const updateTime = new Date(pluginUpdates[pluginContext]).getTime();
+      const fileTime = new Date(f.modified_at).getTime();
+      const diffHours = Math.abs(fileTime - updateTime) / 3600000;
+      if (diffHours > 24) {
+        suspicious = true;
+        reason = `Modified ${Math.round(diffHours)}h outside plugin update window`;
+      }
+    } else if (rmfExcludeLegitimate && pluginContext && !pluginUpdates[pluginContext]) {
+      // Plugin not in update list — could be suspicious
+      suspicious = true;
+      reason = 'Plugin not found in active plugins list';
+    }
+
+    if (suspicious) suspiciousCount++;
+    return { path: f.path, modified_at: f.modified_at, size_bytes: f.size, extension: f.extension, suspicious, reason, plugin_context: pluginContext };
+  });
+
+  result = json({ files: rmfResult, summary: { total_modified: rmfResult.length, suspicious_count: suspiciousCount, paths_scanned: rmfPaths }, alert: suspiciousCount > 0 });
+  auditLog({ tool: name, action: 'list_recently_modified_files', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+  return result;
+};
+handlers['wp_audit_plugin_vulnerabilities'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, VERSION, log, fetch, auditLog, sanitizeParams, name } = rt;
+  const vulnSeverity = args.severity_filter || 'all';
+  const vulnInactive = args.include_inactive || false;
+  const wpscanKey = process.env.WPSCAN_API_KEY || null;
+
+  let plugins;
+  try {
+    plugins = await wpApiCall('/plugins', { basePath: '/wp-json/wp/v2' });
+  } catch (e) {
+    throw new Error('Cannot access /wp/v2/plugins. Administrator privileges required.');
+  }
+  if (!Array.isArray(plugins)) plugins = [];
+
+  // Filter by status
+  if (!vulnInactive) {
+    plugins = plugins.filter(p => p.status === 'active');
+  }
+
+  const pluginCount = plugins.length;
+  const vulnerable = [];
+  let cleanCount = 0;
+  let quotaRemaining = null;
+
+  if (wpscanKey) {
+    if (pluginCount > 25) {
+      log.warn(`Scanning ${pluginCount} plugins against WPScan API. May take ${Math.round(pluginCount * 2.5)}s due to rate limiting.`);
+    }
+
+    for (let i = 0; i < plugins.length; i++) {
+      const p = plugins[i];
+      const pSlug = (p.plugin || '').split('/')[0];
+      if (!pSlug) { cleanCount++; continue; }
+      const pVersion = (p.version || '').trim();
+
+      try {
+        const controller = new AbortController();
+        const tid = setTimeout(() => controller.abort(), 15000);
+        const wpscanResp = await fetch(`https://wpscan.com/api/v3/plugins/${pSlug}`, {
+          headers: { 'Authorization': `Token token=${wpscanKey}`, 'User-Agent': `WordPress-MCP-Server/${VERSION}` },
+          signal: controller.signal
+        });
+        clearTimeout(tid);
+
+        if (wpscanResp.headers.get('x-ratelimit-remaining')) {
+          quotaRemaining = parseInt(wpscanResp.headers.get('x-ratelimit-remaining'), 10);
+        }
+
+        if (!wpscanResp.ok) { cleanCount++; continue; }
+        const wpscanData = await wpscanResp.json();
+        const pluginData = wpscanData[pSlug];
+        if (!pluginData || !pluginData.vulnerabilities || pluginData.vulnerabilities.length === 0) {
+          cleanCount++;
+          continue;
+        }
+
+        const vulns = pluginData.vulnerabilities
+          .filter(v => {
+            if (v.fixed_in && pVersion && v.fixed_in <= pVersion) return false;
+            if (vulnSeverity === 'all') return true;
+            const severityOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+            const vSev = v.cvss ? (v.cvss.score >= 9 ? 'critical' : v.cvss.score >= 7 ? 'high' : v.cvss.score >= 4 ? 'medium' : 'low') : 'medium';
+            return (severityOrder[vSev] || 0) >= (severityOrder[vulnSeverity] || 0);
+          })
+          .map(v => ({
+            title: v.title,
+            cve_id: v.references?.cve?.[0] ? `CVE-${v.references.cve[0]}` : null,
+            cvss_score: v.cvss?.score || null,
+            severity: v.cvss ? (v.cvss.score >= 9 ? 'critical' : v.cvss.score >= 7 ? 'high' : v.cvss.score >= 4 ? 'medium' : 'low') : 'unknown',
+            fixed_in_version: v.fixed_in || null,
+            patched: !!(v.fixed_in && pVersion && v.fixed_in <= pVersion),
+            references: v.references?.url || []
+          }));
+
+        if (vulns.length > 0) {
+          vulnerable.push({ slug: pSlug, name: p.name || pSlug, version: pVersion, vulnerabilities: vulns });
+        } else {
+          cleanCount++;
+        }
+
+        // Rate limiting: 2.5s between requests for free plan
+        if (i < plugins.length - 1) {
+          await new Promise(r => setTimeout(r, 2500));
+        }
+      } catch (_e) {
+        cleanCount++;
+      }
+    }
+  } else {
+    cleanCount = pluginCount;
+  }
+
+  const resultData = {
+    plugins_scanned: pluginCount,
+    vulnerable,
+    clean_count: cleanCount,
+    api_source: wpscanKey ? 'wpscan' : 'none'
+  };
+  if (!wpscanKey) {
+    resultData.message = 'Add WPSCAN_API_KEY to .env for vulnerability scanning. Free API key: https://wpscan.com/register';
+    resultData.plugins = plugins.map(p => ({ slug: (p.plugin || '').split('/')[0], name: p.name, version: p.version, status: p.status }));
+  }
+  if (quotaRemaining !== null) resultData.wpscan_quota_remaining = quotaRemaining;
+
+  result = json(resultData);
+  auditLog({ tool: name, action: 'audit_plugin_vulnerabilities', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+  return result;
+};
+handlers['wp_check_ssl_certificate'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { getActiveAuth, VERSION, fetch, auditLog, name } = rt;
+  const { url: siteUrl } = getActiveAuth();
+  const sslDomain = args.domain || new URL(siteUrl).hostname;
+  const sslWarnDays = args.warn_days || 30;
+
+  // Step 1: TLS handshake via Node.js tls module
+  let certInfo = {};
+  let sslValid = false;
+  let sslGrade = 'F';
+  try {
+    const tls = await import('tls');
+    const certData = await new Promise((resolve, reject) => {
+      const sock = tls.connect(443, sslDomain, { servername: sslDomain, rejectUnauthorized: false }, () => {
+        const cert = sock.getPeerCertificate();
+        const authorized = sock.authorized;
+        sock.end();
+        resolve({ cert, authorized });
+      });
+      sock.on('error', reject);
+      setTimeout(() => { sock.destroy(); reject(new Error('TLS timeout')); }, 10000);
+    });
+
+    const cert = certData.cert;
+    const notBefore = cert.valid_from ? new Date(cert.valid_from).toISOString() : null;
+    const notAfter = cert.valid_to ? new Date(cert.valid_to).toISOString() : null;
+    const daysUntilExpiry = notAfter ? Math.floor((new Date(notAfter).getTime() - Date.now()) / 86400000) : null;
+    const selfSigned = cert.issuer && cert.subject && JSON.stringify(cert.issuer) === JSON.stringify(cert.subject);
+    const isWildcard = (cert.subject?.CN || '').startsWith('*.');
+
+    sslValid = certData.authorized && daysUntilExpiry > 0;
+    certInfo = {
+      domain: sslDomain,
+      valid: sslValid,
+      issuer: cert.issuer ? `${cert.issuer.O || ''} ${cert.issuer.CN || ''}`.trim() : null,
+      subject: cert.subject?.CN || null,
+      san: cert.subjectaltname || null,
+      not_before: notBefore,
+      not_after: notAfter,
+      days_until_expiry: daysUntilExpiry,
+      expires_soon: daysUntilExpiry !== null && daysUntilExpiry < sslWarnDays,
+      self_signed: selfSigned,
+      wildcard: isWildcard
+    };
+  } catch (e) {
+    certInfo = { domain: sslDomain, valid: false, error: e.message, days_until_expiry: null, expires_soon: false, self_signed: false };
+  }
+
+  // Step 2: Security headers
+  let hstsInfo = { present: false, max_age: 0, includeSubDomains: false };
+  let securityHeaders = { x_content_type: false, x_frame_options: false, csp: false };
+  try {
+    const controller = new AbortController();
+    const tid = setTimeout(() => controller.abort(), 10000);
+    const headerResp = await fetch(`https://${sslDomain}`, {
+      headers: { 'User-Agent': `WordPress-MCP-Server/${VERSION}` },
+      signal: controller.signal,
+      redirect: 'follow'
+    });
+    clearTimeout(tid);
+
+    const hsts = headerResp.headers.get('strict-transport-security') || '';
+    if (hsts) {
+      hstsInfo.present = true;
+      const maxAgeMatch = hsts.match(/max-age=(\d+)/);
+      if (maxAgeMatch) hstsInfo.max_age = parseInt(maxAgeMatch[1], 10);
+      hstsInfo.includeSubDomains = hsts.includes('includeSubDomains');
+    }
+    securityHeaders.x_content_type = !!(headerResp.headers.get('x-content-type-options'));
+    securityHeaders.x_frame_options = !!(headerResp.headers.get('x-frame-options'));
+    securityHeaders.csp = !!(headerResp.headers.get('content-security-policy'));
+  } catch (_e) { /* headers unavailable */ }
+
+  // Grade calculation
+  if (!certInfo.valid || certInfo.self_signed) {
+    sslGrade = 'F';
+  } else if (certInfo.expires_soon) {
+    sslGrade = 'C';
+  } else if (hstsInfo.present && hstsInfo.max_age >= 31536000 && securityHeaders.x_content_type && securityHeaders.x_frame_options) {
+    sslGrade = 'A+';
+  } else if (hstsInfo.present) {
+    sslGrade = 'A';
+  } else {
+    sslGrade = 'B';
+  }
+
+  result = json({
+    ...certInfo,
+    grade: sslGrade,
+    hsts: hstsInfo,
+    security_headers: securityHeaders,
+    alert: sslGrade > 'B' || certInfo.expires_soon
+  });
+  auditLog({ tool: name, action: 'check_ssl_certificate', status: 'success', latency_ms: Date.now() - t0, params: { domain: sslDomain } });
+  return result;
+};
+handlers['wp_audit_login_security'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, getActiveAuth, VERSION, fetch, auditLog, sanitizeParams, name } = rt;
+  const { url: loginSiteUrl } = getActiveAuth();
+  const siteHostUrl = loginSiteUrl.replace(/\/wp-json.*$/, '').replace(/\/$/, '');
+  let totalScore = 0;
+  const checks = [];
+
+  // [20pts] XML-RPC disabled
+  let xmlrpcPassed = false;
+  try {
+    const controller = new AbortController();
+    const tid = setTimeout(() => controller.abort(), 10000);
+    const xmlrpcResp = await fetch(`${siteHostUrl}/xmlrpc.php`, {
+      method: 'GET',
+      headers: { 'User-Agent': `WordPress-MCP-Server/${VERSION}` },
+      signal: controller.signal,
+      redirect: 'follow'
+    });
+    clearTimeout(tid);
+    xmlrpcPassed = xmlrpcResp.status === 403 || xmlrpcResp.status === 404;
+  } catch (_e) { xmlrpcPassed = true; }
+  checks.push({ name: 'xmlrpc_disabled', passed: xmlrpcPassed, score_awarded: xmlrpcPassed ? 20 : 0, detail: xmlrpcPassed ? 'XML-RPC is disabled or blocked' : 'XML-RPC is accessible (brute force vector)', recommendation: xmlrpcPassed ? null : 'Disable XML-RPC via .htaccess, plugin, or web server config.' });
+  totalScore += xmlrpcPassed ? 20 : 0;
+
+  // [20pts] User enumeration blocked
+  let enumPassed = false;
+  try {
+    const controller = new AbortController();
+    const tid = setTimeout(() => controller.abort(), 10000);
+    const enumResp = await fetch(`${siteHostUrl}/wp-json/wp/v2/users`, {
+      headers: { 'User-Agent': `WordPress-MCP-Server/${VERSION}` },
+      signal: controller.signal
+    });
+    clearTimeout(tid);
+    enumPassed = enumResp.status === 401 || enumResp.status === 403;
+  } catch (_e) { enumPassed = true; }
+  checks.push({ name: 'user_enumeration_blocked', passed: enumPassed, score_awarded: enumPassed ? 20 : 0, detail: enumPassed ? 'User enumeration is blocked' : 'User list is publicly accessible', recommendation: enumPassed ? null : 'Restrict /wp-json/wp/v2/users to authenticated requests only.' });
+  totalScore += enumPassed ? 20 : 0;
+
+  // [15pts] Login URL changed
+  let loginUrlPassed = false;
+  try {
+    const controller = new AbortController();
+    const tid = setTimeout(() => controller.abort(), 10000);
+    const loginResp = await fetch(`${siteHostUrl}/wp-login.php`, {
+      method: 'GET',
+      headers: { 'User-Agent': `WordPress-MCP-Server/${VERSION}` },
+      signal: controller.signal,
+      redirect: 'manual'
+    });
+    clearTimeout(tid);
+    loginUrlPassed = loginResp.status === 404;
+  } catch (_e) { loginUrlPassed = false; }
+  checks.push({ name: 'login_url_changed', passed: loginUrlPassed, score_awarded: loginUrlPassed ? 15 : 0, detail: loginUrlPassed ? 'Default login URL is hidden (security plugin active)' : 'Standard wp-login.php is accessible', recommendation: loginUrlPassed ? null : 'Consider using a login URL plugin (WPS Hide Login, iThemes Security).' });
+  totalScore += loginUrlPassed ? 15 : 0;
+
+  // [15pts] 2FA active
+  let tfaPassed = false;
+  let securityPlugins = [];
+  try {
+    const plugins = await wpApiCall('/plugins', { basePath: '/wp-json/wp/v2' });
+    if (Array.isArray(plugins)) {
+      const secSlugs = { 'wp-2fa': '2FA', 'two-factor': '2FA', 'wordfence': 'Wordfence', 'miniOrange-2-factor-authentication': '2FA', 'limit-login-attempts-reloaded': 'Brute Force', 'jetpack': 'Jetpack', 'all-in-one-wp-security-and-firewall': 'Security', 'better-wp-security': 'iThemes Security', 'sucuri-scanner': 'Sucuri' };
+      for (const p of plugins) {
+        if (p.status !== 'active') continue;
+        const pSlug = (p.plugin || '').split('/')[0];
+        for (const [slug, label] of Object.entries(secSlugs)) {
+          if (pSlug.toLowerCase().includes(slug.toLowerCase())) {
+            securityPlugins.push(pSlug);
+            if (['wp-2fa', 'two-factor', 'wordfence', 'miniOrange-2-factor-authentication'].some(s => pSlug.toLowerCase().includes(s.toLowerCase()))) {
+              tfaPassed = true;
+            }
+          }
+        }
+      }
+    }
+  } catch (_e) { /* no access */ }
+  checks.push({ name: 'two_factor_active', passed: tfaPassed, score_awarded: tfaPassed ? 15 : 0, detail: tfaPassed ? '2FA plugin is active' : 'No 2FA plugin detected', recommendation: tfaPassed ? null : 'Install a 2FA plugin (WP 2FA, Two Factor, or Wordfence).' });
+  totalScore += tfaPassed ? 15 : 0;
+
+  // [15pts] Brute force protection
+  const bfSlugs = ['limit-login-attempts-reloaded', 'wordfence', 'jetpack', 'all-in-one-wp-security', 'better-wp-security', 'sucuri-scanner'];
+  const bfPassed = securityPlugins.some(p => bfSlugs.some(s => p.toLowerCase().includes(s.toLowerCase())));
+  checks.push({ name: 'brute_force_protection', passed: bfPassed, score_awarded: bfPassed ? 15 : 0, detail: bfPassed ? 'Brute force protection plugin detected' : 'No brute force protection detected', recommendation: bfPassed ? null : 'Install Limit Login Attempts Reloaded, Wordfence, or a similar plugin.' });
+  totalScore += bfPassed ? 15 : 0;
+
+  // [15pts] Admin username clean
+  let adminClean = true;
+  try {
+    const users = await wpApiCall('/users?per_page=100');
+    if (Array.isArray(users)) {
+      for (const u of users) {
+        const uSlug = u.slug || u.username || '';
+        if (uSlug === 'admin' || uSlug === 'administrator') { adminClean = false; break; }
+      }
+    }
+  } catch (_e) { /* no access */ }
+  checks.push({ name: 'admin_username_clean', passed: adminClean, score_awarded: adminClean ? 15 : 0, detail: adminClean ? 'No default admin/administrator username found' : 'Default "admin" or "administrator" username detected', recommendation: adminClean ? null : 'Rename or replace the default admin account.' });
+  totalScore += adminClean ? 15 : 0;
+
+  const loginGrade = totalScore >= 80 ? 'A' : totalScore >= 60 ? 'B' : totalScore >= 40 ? 'C' : 'F';
+  const criticalIssues = checks.filter(c => !c.passed && c.score_awarded === 0 && (c.name === 'xmlrpc_disabled' || c.name === 'user_enumeration_blocked' || c.name === 'admin_username_clean')).map(c => c.detail);
+
+  result = json({ score: totalScore, grade: loginGrade, checks, critical_issues: criticalIssues, plugins_detected: { security_plugins: [...new Set(securityPlugins)] } });
+  auditLog({ tool: name, action: 'audit_login_security', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+  return result;
+};