AI Tools for WordPress Security

Claude Code agents & skills built for WordPress security

Generate custom Claude Code agents, browse a curated library, and drop them into Cursor or VS Code. Every file works as-is with Claude Code's .claude/agents/ and .claude/skills/ conventions.

Generator

Build a custom agent

Start from a WP-security preset, edit any field, and download the .md ready to drop into .claude/agents/.

Preview · wp-plugin-vuln-auditor.md

---
name: wp-plugin-vuln-auditor
description: "Use when auditing WordPress plugins or themes for known vulnerabilities (CVEs), abandoned plugins, or suspicious code patterns. Invoke for plugin security reviews, vulnerability scans against WPScan/Wordfence/NVD, or before installing new plugins."
tools: Read, Grep, Glob, Bash, WebFetch
model: sonnet
---

# WordPress Plugin Vulnerability Auditor

You are a senior WordPress security engineer specializing in plugin and theme vulnerability assessment. Your job is to identify security weaknesses in installed plugins and themes before they are exploited.

## Specialties

- Cross-referencing installed plugins against the WPScan vulnerability database, Wordfence intel feed, and NVD CVE entries.
- Spotting abandoned plugins (no updates for 12+ months, removed from the WordPress.org directory, closed support forums).
- Reading PHP source for common WordPress vulnerability patterns: SQL injection via unsanitized `$wpdb` queries, XSS via unescaped output, broken access control (missing capability checks or nonces), arbitrary file upload, SSRF, and RCE through `unserialize()` of user input.
- Distinguishing premium plugins from nulled/cracked copies (no WP.org listing, license headers stripped, modified hashes).
- Recommending safe replacements for vulnerable or unmaintained plugins.

## Methodology

1. **Inventory**: enumerate every plugin (active + inactive) and theme. For each, capture: slug, version, source (WP.org / commercial / custom), last-updated date, install count.
2. **Cross-reference**: for each plugin/theme, look up known vulnerabilities affecting the installed version. Group matches by severity (Critical / High / Medium / Low).
3. **Health check**: flag plugins with no updates in 12+ months, plugins removed from the WP.org directory, plugins with abandoned support threads, and forks of orphaned plugins.
4. **Code spot-check**: for high-impact plugins (auth, ecommerce, file managers, REST endpoints), grep for vulnerability indicators — direct `$_GET`/`$_POST` in queries, missing `wp_nonce_field`/`check_admin_referer`, unescaped output, `file_get_contents`/`curl_exec`/`include` with user input.
5. **Report**: group findings by severity. For each finding, list plugin name + version, CVE/reference, exploit prerequisites, blast radius, and recommended action (update / replace / remove / contain).

## What you check per plugin

- Installed version vs latest released version.
- Whether the installed version is affected by any listed CVE.
- Plugin author's track record (security history, response time to disclosures).
- Whether the plugin is still maintained (recent commits, active support).
- Whether sensitive operations are gated by capability checks (`manage_options`, `edit_posts`) and nonces.
- Whether the plugin uses `$wpdb->prepare()` instead of string interpolation.
- Whether output is escaped (`esc_html`, `esc_attr`, `esc_url`, `wp_kses`).
- Whether file uploads validate type/size and sanitize filenames.
- Whether REST routes registered by the plugin enforce authentication and capability checks.

## Report format

For each finding:

> **[SEVERITY] Plugin Name — Short title**
> - Version: 1.2.3 (current) / 1.2.4 (latest)
> - Reference: CVE-YYYY-NNNNN or WPVDB-XXXXX
> - Issue: one-paragraph explanation
> - Exploit conditions: required auth level, configuration prerequisites
> - Impact: specific consequence (data exposure / RCE / privilege escalation / etc.)
> - Recommendation: specific action

End with an executive summary: counts by severity and the top three priorities.

## Tone

Direct, factual, defensible. No security theatre. If a vulnerability requires admin access, say so. If a plugin is functional but unmaintained, recommend replacement only when a viable alternative exists.
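
Step 4 of the methodology above (the code spot-check), written out as a standalone Python scan. This is an added example, not part of the agent file or of this site's tooling: the regexes are line-based heuristics, the rule names are this example's own, and the two PHP files are constructed samples. Hits are leads for manual review, not confirmed vulnerabilities.

```python
import re
from pathlib import Path

SRC = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"   # request-controlled superglobals
LINE_RULES = {   # heuristics for step 4; the rule names are this example's own
    "sql-without-prepare": re.compile(
        r"\$wpdb->(?:query|get_results|get_row|get_var)\s*\((?!\s*\$wpdb->prepare).*" + SRC),
    "unescaped-echo": re.compile(r"\becho\s+" + SRC),
    "unserialize-user-input": re.compile(r"\bunserialize\s*\(.*" + SRC),
    "include-or-fetch-user-input": re.compile(
        r"\b(?:(?:include|require)(?:_once)?|file_get_contents)\b.*" + SRC),
}
NONCE = re.compile(r"\b(?:check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")

def scan_sources(sources):   # {relative path: PHP text} -> [(path, line, rule)], line 0 = whole file
    findings = []
    for rel, text in sorted(sources.items()):
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith(("//", "#", "*")):
                continue                      # ignore comment-only lines
            findings += [(rel, no, name) for name, rx in LINE_RULES.items() if rx.search(line)]
        if re.search(r"\$_POST\b", text):     # file processes form input
            if not NONCE.search(text):
                findings.append((rel, 0, "post-without-nonce-check"))
            if "current_user_can(" not in text:
                findings.append((rel, 0, "post-without-capability-check"))
    return findings

def scan_plugin(root):                        # same scan over an unpacked plugin directory
    return scan_sources({p.relative_to(root).as_posix(): p.read_text(errors="replace")
                         for p in Path(root).rglob("*.php")})

# Constructed sample files (not taken from any real plugin).
SAMPLE = {
    "unsafe.php": """<?php
$rows = $wpdb->get_results("SELECT * FROM orders WHERE id = " . $_GET['id']);
echo $_GET['msg'];
update_option('notify_email', $_POST['email']);
""",
    "hardened.php": """<?php
if (!current_user_can('manage_options')) { wp_die(); }
check_admin_referer('save_settings');
$rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM orders WHERE id = %d", $_GET['id']));
echo esc_html($_GET['msg']);
update_option('notify_email', sanitize_email($_POST['email']));
""",
}

if __name__ == "__main__":
    print(*scan_sources(SAMPLE), sep="\n")
```

The hardened sample produces no findings because the query goes through `$wpdb->prepare()`, the output is escaped, and the file contains both a nonce check and a capability check.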

Agent Library

Ready-to-use agents

Six opinionated WordPress-security agents. Copy the markdown, download the .md, or open in the generator to customize.

Download all agents (.zip)

WordPress Plugin Vulnerability Auditor

wp-plugin-vuln-auditor.md

audit

Use when auditing WordPress plugins or themes for known vulnerabilities (CVEs), abandoned plugins, or suspicious code patterns. Invoke for plugin security reviews, vulnerability scans against WPScan/Wordfence/NVD, or before installing new plugins.

Tools: Read, Grep, Glob, Bash, WebFetch
Model: sonnet

wp-config.php Security Reviewer

wp-config-reviewer.md

hardening

Use when reviewing or hardening a WordPress site's wp-config.php file. Covers secret keys, debug flags, database security, file permissions, file editing locks, SSL enforcement, and DB prefix conventions.

Tools: Read, Edit, Grep, Bash
Model: sonnet

.htaccess Hardener for WordPress

htaccess-hardener.md

hardening

Use when generating or reviewing a hardened WordPress .htaccess file. Covers blocking xmlrpc, restricting wp-admin by IP, disabling directory listing, blocking PHP execution in uploads, preventing hotlinking, and protecting sensitive files.

Tools: Read, Edit, Write, Bash
Model: sonnet

WordPress Login & Authentication Hardener

login-auth-hardener.md

hardening

Use when hardening WordPress authentication. Covers 2FA setup, password policy, brute-force mitigation, user enumeration prevention, custom login URLs, session handling, and application passwords.

Tools: Read, Edit, Grep, Bash, WebFetch
Model: sonnet

WordPress REST API & XML-RPC Auditor

rest-api-auditor.md

audit

Use when auditing WordPress REST API and XML-RPC exposure. Covers public endpoint discovery, authentication, application passwords, user disclosure, sensitive data leakage, and CORS configuration.

Tools: Read, Grep, Bash, WebFetch
Model: sonnet

WordPress Incident Response & Forensics

incident-response.md

incident

Use when investigating a compromised WordPress site. Covers triage, indicator collection, containment, eradication of backdoors/web shells, recovery from clean backups, and post-incident hardening.

Tools: Read, Grep, Bash, Glob, WebFetch
Model: opus

Skills Library

Ready-to-use skills

Workflow skills that Claude Code activates when the description matches your prompt. Each SKILL.md goes in .claude/skills/<slug>/.

Download all skills (.zip)

Auditing wp-config.php

auditing-wp-config/SKILL.md

audit

Use when reviewing a WordPress site's wp-config.php for security misconfigurations. Step-by-step checklist covering salts, debug flags, database privileges, file editing locks, SSL enforcement, and file permissions.

Scanning Plugin Vulnerabilities

scanning-plugin-vulnerabilities/SKILL.md

audit

Use when scanning a WordPress site's installed plugins or themes against vulnerability databases (Wordfence, WPScan, NVD). Step-by-step workflow for inventory, cross-reference, and prioritization.

Hardening .htaccess

hardening-htaccess/SKILL.md

hardening

Use when generating or reviewing hardened Apache .htaccess rules for WordPress. Covers blocking sensitive files, disabling directory listing, blocking PHP execution in uploads, user enumeration prevention, and security headers.

Investigating a WordPress Compromise

investigating-wp-compromise/SKILL.md

incident

Use when investigating a suspected or confirmed WordPress site compromise. Step-by-step triage checklist for indicators, evidence preservation, containment, eradication, and recovery.

Generating Security Headers for WordPress

generating-security-headers/SKILL.md

hardening

Use when generating HTTP security headers for a WordPress site. Covers CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and WordPress-specific CSP nuances.

Auditing the WordPress REST API

auditing-rest-api/SKILL.md

audit

Use when auditing a WordPress REST API or XML-RPC for exposed endpoints, missing authentication, user disclosure, or sensitive data leakage. Step-by-step probing workflow.

Setup

Install in Cursor or VS Code

Both IDEs use Claude Code under the hood. Pick your editor below.

Install Claude Code in Cursor

Cursor runs Claude Code in its integrated terminal. The fastest path is the npm-installed CLI; the VS Code-compatible extension also works because Cursor is a VS Code fork.

Option A — install the CLI

# in Cursor: open Terminal (Ctrl+` or Cmd+`)
npm install -g @anthropic-ai/claude-code

# launch from any project directory
cd /path/to/your/wp-project
claude

On first launch you'll be prompted to sign in or paste an Anthropic API key. After that, Claude Code runs as an interactive prompt inside the terminal pane.

Option B — install the extension

Open the Cursor extensions panel (Cmd/Ctrl+Shift+X), search for "Claude Code", and install. The extension surfaces a sidebar UI but uses the same underlying CLI, so the agent/skill file locations below are identical.

Where to place the files

Claude Code looks for agents and skills in two locations: the project directory and your user home directory. Files in the project directory override user-level files of the same name.

Project scope (recommended for team-shared agents)

# from your project root
mkdir -p .claude/agents
mkdir -p .claude/skills

# place a downloaded agent
cp ~/Downloads/wp-plugin-vuln-auditor.md .claude/agents/

# place a downloaded skill (it must live in a directory named after the slug)
mkdir -p .claude/skills/auditing-wp-config
cp ~/Downloads/SKILL.md .claude/skills/auditing-wp-config/SKILL.md

User scope (available across all your projects)

mkdir -p ~/.claude/agents
mkdir -p ~/.claude/skills

cp ~/Downloads/wp-plugin-vuln-auditor.md ~/.claude/agents/
mkdir -p ~/.claude/skills/auditing-wp-config
cp ~/Downloads/SKILL.md ~/.claude/skills/auditing-wp-config/SKILL.md

Bulk install using the ZIP bundles

# from your project root, after downloading the ZIPs above
unzip wpsentry-agents.zip       # extracts to .claude/agents/
unzip wpsentry-skills.zip       # extracts to .claude/skills/<slug>/SKILL.md

Verify it works

  1. Restart Claude Code (or reload the integrated terminal).
  2. Type /agents in the Claude Code prompt — your installed agents should appear in the list.
  3. Mention a skill name in a prompt (for example: 'use the auditing-wp-config skill to review my wp-config') — Claude Code activates the skill when its description matches your intent.

Project-scope files only appear when Claude Code is launched from inside the project directory. User-scope files appear in every project.
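
Because a project-level agent overrides a user-level one of the same name, it helps to list what a repository's .claude/agents/ directory changes before launching Claude Code inside it. The script below is an added example, not part of Claude Code or of this site. It assumes agents are matched on the front-matter name (falling back to the file name), and the REVIEW_TOOLS set and the sample files are constructed for illustration.

```python
from pathlib import Path

REVIEW_TOOLS = {"Bash", "Write", "Edit", "WebFetch", "(undeclared)"}  # assumption: worth a manual look

def parse_agent(text, fallback_name):
    """Return (name, tools) from an agent file's front matter."""
    meta, lines = {}, text.splitlines()
    if lines and lines[0].strip() == "---":
        for line in lines[1:]:
            if line.strip() == "---":
                break
            key, sep, value = line.partition(":")
            if sep:
                meta[key.strip()] = value.strip().strip('"')
    tools = {t.strip() for t in meta.get("tools", "(undeclared)").split(",") if t.strip()}
    return meta.get("name", fallback_name), tools

def load_scope(base):  # {file name: text} for <base>/.claude/agents/*.md
    return {f.name: f.read_text(encoding="utf-8")
            for f in Path(base, ".claude", "agents").glob("*.md")}

def review_agents(user_files, project_files):
    """List every agent, whether the project copy shadows a user one, and what it adds."""
    seen = {}
    for scope, files in (("user", user_files), ("project", project_files)):
        for fname, text in sorted(files.items()):
            name, tools = parse_agent(text, Path(fname).stem)
            seen.setdefault(name, {})[scope] = tools
    report = []
    for name, scopes in sorted(seen.items()):
        both = len(scopes) == 2
        effective = scopes.get("project", scopes.get("user"))  # project copy wins
        report.append({
            "name": name,
            "shadows_user_agent": both,
            "tools_added_by_project": sorted(scopes["project"] - scopes["user"]) if both else [],
            "review": sorted(effective & REVIEW_TOOLS),
        })
    return report

# Constructed sample files; the user-level tool list is invented for the comparison.
FM = "---\nname: {}\ntools: {}\nmodel: sonnet\n---\n# constructed sample agent\n"
USER = {"wp-config-reviewer.md": FM.format("wp-config-reviewer", "Read, Grep")}
PROJECT = {
    "wp-config-reviewer.md": FM.format("wp-config-reviewer", "Read, Edit, Grep, Bash"),
    "incident-response.md": FM.format("incident-response", "Read, Grep, Bash, Glob, WebFetch"),
}

if __name__ == "__main__":
    print(*review_agents(USER, PROJECT), sep="\n")
```

On a real checkout, call review_agents(load_scope(Path.home()), load_scope(".")) from the project root.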

Want a comprehensive security audit?

Agents and skills are great for ongoing review. Run a full WPSentry scan to catch issues across plugins, SSL, headers, DNS, and PCI-DSS in seconds.