claude-plugin-wordpress-manager 1.5.0 → 1.7.1

package/skills/wp-security/SKILL.md

@@ -0,0 +1,179 @@
+---
+name: wp-security
+description: "Use when hardening WordPress security: filesystem permissions, HTTP security headers, authentication hardening, REST/XML-RPC API restriction, user capabilities audit, wp-config security constants, and incident response procedures."
+compatibility: "Targets WordPress 6.9+ (PHP 7.2.24+). Filesystem-based agent with bash + node. Some workflows require WP-CLI and SSH access."
+version: 1.0.0
+source: "vinmor/wordpress-manager"
+---
+
+# WP Security
+
+## When to use
+
+Use this skill for security hardening and incident response:
+
+- Hardening a WordPress installation against common attack vectors
+- Fixing security vulnerabilities found in an audit or scan
+- Responding to a suspected or confirmed site compromise
+- Configuring HTTP security headers (CSP, HSTS, X-Frame-Options)
+- Restricting REST API and XML-RPC exposure
+- Auditing user accounts, roles, and capabilities
+- Securing `wp-config.php` constants and secrets
+- Implementing login protection (brute-force, 2FA)
+
+## Inputs required
+
+- **Site access**: SSH/SFTP credentials, WP-CLI availability, or hosting panel
+- **Hosting type**: shared, VPS, managed WordPress, or cloud
+- **Current security posture**: output from `wp-audit` skill or `security_inspect.mjs`
+- **Specific threat or vulnerability**: CVE, audit finding, or incident description
+
+## Procedure
+
+### 0) Security inspection
+
+Run the detection script to assess the current security posture:
+
+```bash
+node skills/wp-security/scripts/security_inspect.mjs --cwd=/path/to/wordpress
+```
+
+The script outputs JSON with:
+- `wpConfig` — security-related constants and their values
+- `filesystem` — file permissions and exposed sensitive files
+- `apiExposure` — XML-RPC and REST API exposure
+- `headers` — security headers found in `.htaccess`
+- `riskLevel` — overall risk assessment (low/medium/high/critical)
+- `findings[]` — specific issues with severity and recommended fixes
+
+Address findings in priority order: critical → high → medium → low.
+
+For a comprehensive initial assessment, run the `wp-audit` skill first. This skill focuses on **remediation** — the procedures to fix issues found during an audit.
+
+### 1) Filesystem hardening
+
+Set correct file permissions, prevent unauthorized file modification, and block PHP execution in upload directories.
+
+Key actions:
+- Files: `644`, Directories: `755`, wp-config.php: `440` or `400`
+- Add `DISALLOW_FILE_EDIT` to wp-config.php to disable the theme/plugin editor
+- Add `DISALLOW_FILE_MODS` to prevent all file modifications including updates
+- Block PHP execution in `wp-content/uploads/` via `.htaccess` or nginx rules
+- Protect `wp-config.php` and `.htaccess` from direct access
+
+Read: `references/filesystem-hardening.md`
+
+### 2) HTTP security headers
+
+Configure security headers to prevent clickjacking, XSS, MIME sniffing, and other browser-level attacks.
+
+Key headers:
+- `Content-Security-Policy` — control which resources the browser can load
+- `X-Frame-Options: SAMEORIGIN` — prevent clickjacking (WordPress sends this by default)
+- `X-Content-Type-Options: nosniff` — prevent MIME type sniffing
+- `Strict-Transport-Security` — enforce HTTPS connections
+- `Permissions-Policy` — restrict browser feature access
+- `Referrer-Policy: strict-origin-when-cross-origin` — control referrer information
+
+Implementation methods: `.htaccess` (Apache), `nginx.conf`, or PHP via `send_headers` action.
+
+Read: `references/http-headers.md`
+
+### 3) Authentication hardening
+
+Protect the login process against brute-force attacks, credential stuffing, and session hijacking.
+
+Key actions:
+- Limit failed login attempts (plugins: Limit Login Attempts Reloaded, or custom `wp_login_failed` hook)
+- Enable two-factor authentication (plugins: Two Factor, WP 2FA)
+- Enforce strong password policies via `user_profile_update_errors` filter
+- Configure session idle timeout and concurrent session limits
+- Use application passwords for REST API access instead of sharing main credentials
+- Block username enumeration via `?author=N` redirects
+
+Read: `references/authentication-hardening.md`
+
+### 4) API restriction
+
+Reduce the attack surface by restricting or disabling unnecessary API endpoints.
+
+Key actions:
+- Disable XML-RPC: `add_filter('xmlrpc_enabled', '__return_false')` plus `.htaccess` block
+- Restrict REST API to authenticated users via `rest_authentication_errors` filter
+- Block user enumeration via `/wp-json/wp/v2/users` endpoint
+- Remove REST API discovery link from HTML `<head>`
+- Rate-limit API endpoints at the server level
+
+Read: `references/api-restriction.md`
+
+### 5) User capabilities audit
+
+Review and tighten user accounts and permissions following the principle of least privilege.
+
+Key actions:
+- Audit all administrator accounts (should be 1-2 maximum)
+- Remove or downgrade dormant accounts (inactive > 90 days)
+- Verify no accounts use weak usernames ("admin", "test", "user")
+- Review custom capabilities and remove unnecessary elevated permissions
+- Use WP-CLI for bulk auditing: `wp user list --role=administrator`
+
+Read: `references/user-capabilities.md`
+
+### 6) wp-config.php security constants
+
+Secure WordPress configuration with appropriate constants and settings.
+
+Key actions:
+- Regenerate security keys and salts (use https://api.wordpress.org/secret-key/1.1/salt/)
+- Change the default table prefix from `wp_` (for new installations)
+- Set `WP_DEBUG` to `false` in production; disable `WP_DEBUG_LOG` and `WP_DEBUG_DISPLAY`
+- Enable `FORCE_SSL_ADMIN` for encrypted admin connections
+- Configure `WP_AUTO_UPDATE_CORE` for automatic security updates
+- Move `wp-config.php` one directory above the web root if hosting allows
+
+Read: `references/wp-config-security.md`
+
+### 7) Incident response
+
+If the site is suspected or confirmed to be compromised, follow a structured response process.
+
+Phases:
+1. **Containment** — change all passwords, revoke sessions, enable maintenance mode
+2. **Investigation** — verify core checksums (`wp core verify-checksums`), scan for malware, review access logs, check recently modified files
+3. **Remediation** — remove malicious code, update all components, reinstall WordPress core, review database for injected content
+4. **Recovery** — restore from clean backup if available, re-harden the site
+5. **Post-incident** — document the timeline, update security procedures, notify affected users if data was exposed
+
+Read: `references/incident-response.md`
+
+## Verification
+
+After hardening, verify the security posture:
+
+- Re-run `security_inspect.mjs` and confirm all critical/high findings are resolved
+- Test security headers with https://securityheaders.com
+- Verify file permissions: `find . -type f ! -perm 644` and `find . -type d ! -perm 755`
+- Confirm XML-RPC is disabled: `curl -X POST https://site.com/xmlrpc.php` returns 403 or empty
+- Confirm REST API user enumeration is blocked
+- Test login rate limiting by attempting multiple failed logins
+- Verify `wp-config.php` is not accessible via browser
+
+## Failure modes / debugging
+
+- **Headers not applying**: check `.htaccess` is being read (Apache `AllowOverride All`), or nginx config is included and reloaded
+- **CSP breaking admin UI**: WordPress admin requires `unsafe-inline` and `unsafe-eval` for scripts; use a relaxed policy for `/wp-admin/` and a strict one for the frontend
+- **Login lockout**: if rate limiting locks out the admin, access via WP-CLI (`wp user update admin --user_pass=newpassword`) or directly in the database
+- **REST API restriction breaks plugins**: some plugins (Jetpack, WooCommerce) require public REST API access; whitelist specific namespaces
+- **File permission errors after hardening**: ensure the web server user owns the files; use `chown -R www-data:www-data /path/to/wp`
+
+## Escalation
+
+- For sites actively under attack: involve the hosting provider's security team
+- For data breaches: follow legal notification requirements (GDPR, state laws)
+- For persistent malware: engage a professional WordPress security service (Sucuri, Wordfence)
+- For complex hosting configurations: consult the server administrator
+- For initial security assessment, use the `wp-audit` skill which provides checklists and scoring
+
+## Recommended Agent
+
+For implementing hardening fixes and incident response, use the **`wp-security-hardener`** agent. For read-only security audits, use the **`wp-security-auditor`** agent.

package/skills/wp-security/references/api-restriction.md

@@ -0,0 +1,147 @@
+# API Restriction
+
+Use this file when restricting WordPress API exposure (XML-RPC, REST API).
+
+## Disable XML-RPC
+
+XML-RPC is rarely needed and is a common brute-force target.
+
+### Via filter (recommended)
+
+```php
+// Completely disable XML-RPC
+add_filter('xmlrpc_enabled', '__return_false');
+
+// Also remove the HTTP header advertising it
+add_filter('wp_headers', function($headers) {
+    unset($headers['X-Pingback']);
+    return $headers;
+});
+```
+
+### Via .htaccess (blocks at server level)
+
+```apache
+<Files xmlrpc.php>
+    order deny,allow
+    deny from all
+</Files>
+```
+
+### Via nginx
+
+```nginx
+location = /xmlrpc.php {
+    deny all;
+}
+```
+
+## Restrict REST API to authenticated users
+
+```php
+add_filter('rest_authentication_errors', function($result) {
+    if (true === $result || is_wp_error($result)) {
+        return $result;
+    }
+    if (!is_user_logged_in()) {
+        return new WP_Error(
+            'rest_not_logged_in',
+            __('You are not currently logged in.'),
+            ['status' => 401]
+        );
+    }
+    return $result;
+});
+```
+
+**Warning**: this breaks any public-facing REST API usage. Whitelist specific namespaces if needed:
+
+```php
+add_filter('rest_authentication_errors', function($result) {
+    if (true === $result || is_wp_error($result)) {
+        return $result;
+    }
+    $request_uri = $_SERVER['REQUEST_URI'] ?? '';
+    // Allow public access to specific namespaces
+    $public = ['/wp-json/wp/v2/posts', '/wp-json/wp/v2/pages', '/wp-json/oembed/'];
+    foreach ($public as $path) {
+        if (str_contains($request_uri, $path)) {
+            return $result;
+        }
+    }
+    if (!is_user_logged_in()) {
+        return new WP_Error('rest_not_logged_in', 'Authentication required.', ['status' => 401]);
+    }
+    return $result;
+});
+```
+
+## Block user enumeration via REST
+
+```php
+add_filter('rest_endpoints', function($endpoints) {
+    if (isset($endpoints['/wp/v2/users'])) {
+        unset($endpoints['/wp/v2/users']);
+    }
+    if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
+        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
+    }
+    return $endpoints;
+});
+```
+
+## Remove REST API discovery links
+
+```php
+// Remove from HTML <head>
+remove_action('wp_head', 'rest_output_link_wp_head');
+// Remove from HTTP headers
+remove_action('template_redirect', 'rest_output_link_header', 11);
+```
+
+## Disable file editing and modifications
+
+```php
+// Disable theme/plugin editor in admin
+define('DISALLOW_FILE_EDIT', true);
+
+// Disable all file modifications (includes updates)
+define('DISALLOW_FILE_MODS', true);
+```
+
+## Rate limiting
+
+Server-level rate limiting is more effective than PHP-based:
+
+### Nginx
+```nginx
+limit_req_zone $binary_remote_addr zone=wp_api:10m rate=10r/s;
+location /wp-json/ {
+    limit_req zone=wp_api burst=20 nodelay;
+    # ... rest of config
+}
+```
+
+### Apache (mod_ratelimit)
+```apache
+<Location /wp-json/>
+    SetOutputFilter RATE_LIMIT
+    SetEnv rate-limit 10
+</Location>
+```
+
+## Verification
+
+```bash
+# Test XML-RPC is disabled
+curl -X POST https://site.com/xmlrpc.php
+# Should return 403 or connection refused
+
+# Test REST API user enumeration
+curl https://site.com/wp-json/wp/v2/users
+# Should return 401 or 404
+
+# Test author enumeration
+curl -s -o /dev/null -w "%{redirect_url}" "https://site.com/?author=1"
+# Should redirect to homepage, not author archive
+```

package/skills/wp-security/references/authentication-hardening.md

@@ -0,0 +1,105 @@
+# Authentication Hardening
+
+Use this file when securing the WordPress login process and user sessions.
+
+## Limit login attempts
+
+### Via plugin (recommended)
+Install "Limit Login Attempts Reloaded" or "WP Limit Login Attempts" for a ready-made solution.
+
+### Custom implementation
+
+```php
+add_action('wp_login_failed', function($username) {
+    $ip = $_SERVER['REMOTE_ADDR'];
+    $key = 'login_attempts_' . md5($ip);
+    $attempts = (int) get_transient($key);
+    set_transient($key, $attempts + 1, 15 * MINUTE_IN_SECONDS);
+});
+
+add_filter('authenticate', function($user, $username, $password) {
+    $ip = $_SERVER['REMOTE_ADDR'];
+    $key = 'login_attempts_' . md5($ip);
+    $attempts = (int) get_transient($key);
+    if ($attempts >= 5) {
+        return new WP_Error('too_many_attempts',
+            __('Too many login attempts. Please try again in 15 minutes.'));
+    }
+    return $user;
+}, 30, 3);
+```
+
+## Two-factor authentication
+
+Recommended plugins:
+- **Two Factor** (WordPress.org) — supports TOTP, email, FIDO U2F
+- **WP 2FA** — user-friendly with grace periods
+
+Enable for all administrator accounts at minimum.
+
+## Password policies
+
+```php
+add_action('user_profile_update_errors', function($errors, $update, $user) {
+    if (strlen($user->user_pass) < 12) {
+        $errors->add('weak_password', __('Password must be at least 12 characters.'));
+    }
+}, 10, 3);
+```
+
+WordPress 4.3+ includes a password strength meter. Enforce "strong" passwords for privileged roles.
+
+## Session management
+
+List active sessions:
+```bash
+wp user session list <user_id>
+```
+
+Destroy all sessions for a user:
+```bash
+wp user session destroy <user_id> --all
+```
+
+Limit concurrent sessions in PHP:
+```php
+add_filter('attach_session_information', function($info) {
+    $manager = WP_Session_Tokens::get_instance(get_current_user_id());
+    $sessions = $manager->get_all();
+    if (count($sessions) > 2) {
+        $oldest = array_key_first($sessions);
+        $manager->destroy($oldest);
+    }
+    return $info;
+});
+```
+
+## Application passwords
+
+WordPress 5.6+ includes application passwords for REST API authentication:
+- Created in Users → Profile → Application Passwords
+- Use Basic Auth: `Authorization: Basic base64(username:app_password)`
+- Each app password has its own revocation control
+- Better than sharing main credentials
+
+## Block username enumeration
+
+Prevent `?author=1` from revealing usernames:
+
+```php
+add_filter('redirect_canonical', function($redirect, $request) {
+    if (preg_match('/\?author=\d+/', $request)) {
+        return home_url('/');
+    }
+    return $redirect;
+}, 10, 2);
+```
+
+Also block via REST API (see `references/api-restriction.md`).
+
+## Login URL considerations
+
+Plugins like "WPS Hide Login" can change the login URL. Trade-offs:
+- **Pro**: reduces automated bot traffic to `wp-login.php`
+- **Con**: security through obscurity; doesn't stop targeted attacks
+- **Verdict**: useful as a supplementary measure, not a primary defense

package/skills/wp-security/references/filesystem-hardening.md

@@ -0,0 +1,105 @@
+# Filesystem Hardening
+
+Use this file when securing WordPress file and directory permissions.
+
+## Standard permissions
+
+| Target | Permission | Meaning |
+|--------|-----------|---------|
+| Files (general) | `644` | Owner read/write, group+others read |
+| Directories | `755` | Owner full, group+others read/execute |
+| `wp-config.php` | `440` or `400` | Owner read only (most secure) |
+| `.htaccess` | `644` | Owner read/write, others read |
+
+Set recursively:
+```bash
+find /var/www/html -type f -exec chmod 644 {} \;
+find /var/www/html -type d -exec chmod 755 {} \;
+chmod 440 /var/www/html/wp-config.php
+```
+
+## Ownership
+
+The web server user (usually `www-data` on Debian/Ubuntu, `nginx` on RHEL) should own files:
+
+```bash
+chown -R www-data:www-data /var/www/html
+```
+
+On shared hosting, use your user account and ensure the web server can read files.
+
+## Disable file editing
+
+Add to `wp-config.php` to disable the theme/plugin editor:
+
+```php
+define('DISALLOW_FILE_EDIT', true);
+```
+
+To also prevent plugin/theme installation and updates via admin:
+
+```php
+define('DISALLOW_FILE_MODS', true);
+```
+
+## Block PHP execution in uploads
+
+Uploads directory should never execute PHP. Create `wp-content/uploads/.htaccess`:
+
+```apache
+# Block PHP execution
+<Files *.php>
+    deny from all
+</Files>
+```
+
+For nginx:
+```nginx
+location ~* /wp-content/uploads/.*\.php$ {
+    deny all;
+}
+```
+
+## Protect sensitive files
+
+In the root `.htaccess`:
+
+```apache
+# Protect wp-config.php
+<Files wp-config.php>
+    order allow,deny
+    deny from all
+</Files>
+
+# Protect .htaccess itself
+<Files .htaccess>
+    order allow,deny
+    deny from all
+</Files>
+
+# Block access to wp-includes
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteBase /
+    RewriteRule ^wp-admin/includes/ - [F,L]
+    RewriteRule !^wp-includes/ - [S=3]
+    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
+    RewriteRule ^wp-includes/theme-compat/ - [F,L]
+</IfModule>
+```
+
+## Verification
+
+```bash
+# Find files with wrong permissions
+find /var/www/html -type f ! -perm 644 -ls
+find /var/www/html -type d ! -perm 755 -ls
+
+# Check wp-config permissions
+stat -c '%a %n' /var/www/html/wp-config.php
+
+# Verify uploads PHP block
+curl -s -o /dev/null -w "%{http_code}" https://site.com/wp-content/uploads/test.php
+# Should return 403
+```

package/skills/wp-security/references/http-headers.md

@@ -0,0 +1,105 @@
+# HTTP Security Headers
+
+Use this file when configuring HTTP security headers for a WordPress site.
+
+## Recommended headers
+
+### Content-Security-Policy
+
+WordPress admin requires `unsafe-inline` and `unsafe-eval`. Use a relaxed policy for admin, strict for frontend:
+
+```apache
+# Frontend (strict)
+Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; frame-ancestors 'self'"
+```
+
+For sites using inline scripts/styles (common with plugins):
+```apache
+Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data: https:; frame-ancestors 'self'"
+```
+
+### X-Frame-Options
+
+Prevents clickjacking. WordPress sends this by default via `send_frame_options_header()`:
+
+```apache
+Header always set X-Frame-Options "SAMEORIGIN"
+```
+
+### X-Content-Type-Options
+
+Prevents MIME type sniffing:
+
+```apache
+Header always set X-Content-Type-Options "nosniff"
+```
+
+### Strict-Transport-Security (HSTS)
+
+Enforces HTTPS. Only enable if SSL is fully configured:
+
+```apache
+Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+```
+
+### Permissions-Policy
+
+Restricts browser features:
+
+```apache
+Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
+```
+
+### Referrer-Policy
+
+Controls referrer information:
+
+```apache
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+```
+
+## Implementation methods
+
+### Apache (.htaccess)
+
+```apache
+<IfModule mod_headers.c>
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+</IfModule>
+```
+
+### Nginx
+
+```nginx
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+```
+
+### PHP (via WordPress hook)
+
+```php
+add_action('send_headers', function() {
+    header('X-Content-Type-Options: nosniff');
+    header('Referrer-Policy: strict-origin-when-cross-origin');
+    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
+});
+```
+
+## Testing
+
+- Use https://securityheaders.com to scan headers
+- Use browser DevTools → Network tab → click request → Headers
+- Use `curl -I https://site.com` to view response headers
+
+## Common issues
+
+- **CSP breaks admin**: exclude `/wp-admin/` from strict CSP rules or add `unsafe-inline`/`unsafe-eval`
+- **HSTS lockout**: if SSL breaks, users can't access the site; start with a short `max-age` (3600) and increase gradually
+- **Headers not applying**: verify Apache `mod_headers` is enabled; verify nginx config is included and reloaded