Habilidades wordpress-penetration-testing
🛡️

wordpress-penetration-testing

Riesgo medio ⚡ Contiene scripts⚙️ Comandos externos🌐 Acceso a red

Perform WordPress Security Assessments

WordPress sites face constant security threats from automated attacks and targeted exploits. This skill provides comprehensive penetration testing capabilities to identify and remediate vulnerabilities before attackers exploit them.

Soporta: Claude Codex Code(CC)
⚠️ 62 Deficiente
1

Descargar el ZIP de la skill

2

Subir en Claude

Ve a Configuración → Capacidades → Skills → Subir skill

3

Activa y empieza a usar

Pruébalo

Usando "wordpress-penetration-testing". Scan WordPress site for vulnerabilities

Resultado esperado:

  • WordPress Version: 6.4.2 (Latest)
  • Theme: Twenty Twenty-Four 1.0 (No known vulnerabilities)
  • Plugins Found: 5 (2 with known vulnerabilities)
  • - Contact Form 7 5.8.3 - CVE-2023-XXXXX (Medium)
  • - WooCommerce 8.5.0 (No known vulnerabilities)
  • Users Enumerated: 3 (admin, editor, author)
  • Recommendations: Update Contact Form 7, disable user enumeration

Usando "wordpress-penetration-testing". Test password strength for admin account

Resultado esperado:

  • Password Assessment Results:
  • Target: admin account
  • Passwords Tested: 10000
  • Result: Password NOT found in common wordlist
  • Strength: Strong (12+ characters, mixed case, numbers, symbols)
  • Recommendation: Enable two-factor authentication for additional protection

Auditoría de seguridad

Riesgo medio
v1 • 2/25/2026

This WordPress penetration testing skill contains intentional security testing patterns including Metasploit, WPScan, nmap, and shell commands. All detected patterns are consistent with legitimate security assessment tools. The skill includes proper legal disclaimers requiring written authorization. Risk is elevated due to exploitation techniques and should include prominent warnings about legal requirements before publication.

1
Archivos escaneados
491
Líneas analizadas
8
hallazgos
1
Auditorías totales

Problemas de riesgo alto (2)

SKILL.md:271-287SKILL.md:291-303
Metasploit Framework Integration
The skill includes Metasploit exploit modules for WordPress shell upload and plugin exploitation. These are legitimate penetration testing tools but require explicit authorization and should only be used in controlled environments.
SKILL.md:315
PHP Reverse Shell Code Execution
The skill demonstrates PHP reverse shell injection via theme editor with bash command execution. This technique could be misused for unauthorized system access.
Problemas de riesgo medio (2)
SKILL.md:243-262
Credential Brute-Force Capabilities
The skill includes WPScan password attack functionality against WordPress login forms and XML-RPC endpoints. While legitimate for security testing, this could be misused for unauthorized access attempts.
SKILL.md:324-344
Malicious Plugin Creation
The skill demonstrates creating a malicious WordPress plugin with system command execution capabilities. This pattern could be repurposed for persistent backdoor installation.
Problemas de riesgo bajo (1)
SKILL.md:388-397
Proxy Configuration for Anonymity
The skill includes Tor and HTTP proxy configuration for anonymizing scan traffic. While useful for legitimate security testing, this could indicate intent to evade detection.

Factores de riesgo

⚡ Contiene scripts
No se registraron ubicaciones específicas
⚙️ Comandos externos (1)
SKILL.md:315
🌐 Acceso a red (3)
SKILL.md:390 SKILL.md:393 SKILL.md:396

Patrones detectados

Shell Command ExecutionSystem Command Injection via HTTP
Auditado por: claude

Puntuación de calidad

38
Arquitectura
100
Mantenibilidad
87
Contenido
50
Comunidad
28
Seguridad
100
Cumplimiento de la especificación

Lo que puedes crear

Security Consultant WordPress Audit

Perform comprehensive security assessments for clients running WordPress, delivering actionable findings and remediation guidance.

WordPress Developer Security Hardening

Test your own WordPress sites before deployment to identify and fix vulnerabilities before attackers discover them.

Bug Bounty WordPress Testing

Systematically test WordPress installations within bug bounty program scope to discover and report security vulnerabilities.

Prueba estos prompts

Basic WordPress Security Scan 
Perform a basic security scan of the WordPress site at [URL]. Enumerate the WordPress version, active themes, installed plugins, and exposed users. Document all findings in a structured report with risk ratings.
Comprehensive Vulnerability Assessment 
Conduct a comprehensive vulnerability assessment of [WordPress URL] using WPScan with API token. Test for vulnerable plugins, themes, user enumeration, and misconfigurations. Provide prioritized remediation steps for each finding.
Password Security Testing 
Test the password strength of WordPress user accounts at [URL] using authorized credentials list. Evaluate password policies, test for common weak passwords, and recommend password policy improvements.
Full Penetration Test Engagement 
Execute a full penetration test engagement against [WordPress URL] including reconnaissance, enumeration, vulnerability scanning, and authorized exploitation attempts. Document the attack chain and provide executive and technical reports.

Mejores prácticas

  • Always obtain written authorization before testing any WordPress site you do not own
  • Use a staging environment for exploitation testing rather than production systems
  • Document all testing activities with timestamps for audit trail purposes
  • Test during maintenance windows to minimize impact on legitimate users
  • Use rate limiting and throttling to avoid denial of service conditions

Evitar

  • Never test WordPress sites without explicit written authorization from the owner
  • Do not run aggressive scans against production sites during business hours
  • Avoid testing sites protected by WAF without understanding bypass implications
  • Do not exfiltrate or access real user data during security assessments

Preguntas frecuentes

Is this skill legal to use?
This skill is legal when used on WordPress sites you own or have explicit written authorization to test. Unauthorized testing violates computer crime laws in most jurisdictions.
Do I need a WPScan API token?
A free WPScan API token is recommended for vulnerability database access. Without it, WPScan can still enumerate WordPress components but cannot identify known vulnerabilities.
Can this skill damage my WordPress site?
Aggressive scanning and exploitation testing can potentially cause service disruption. Always test in a staging environment first and avoid production systems during business hours.
What tools does this skill require?
This skill uses WPScan (WordPress scanner), Metasploit Framework, nmap, and standard tools like cURL. WPScan and nmap are pre-installed in Kali Linux.
How long does a WordPress security scan take?
Basic scans take 2-5 minutes. Comprehensive scans with vulnerability checking take 10-30 minutes. Password testing duration depends on wordlist size and rate limiting.
Can I use this for bug bounty hunting?
Yes, but only within the scope defined by the bug bounty program. Always verify the program allows automated scanning and follow all program rules.

Detalles del desarrollador

Autor

sickn33

Licencia

MIT

Repositorio

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/wordpress-penetration-testing

Ref.

main

Estructura de archivos

📄 SKILL.md