スキル wordpress-penetration-testing
🛡️

wordpress-penetration-testing

中リスク ⚡ スクリプトを含む⚙️ 外部コマンド🌐 ネットワークアクセス

Perform WordPress Security Assessments

WordPress sites face constant security threats from automated attacks and targeted exploits. This skill provides comprehensive penetration testing capabilities to identify and remediate vulnerabilities before attackers exploit them.

対応: Claude Codex Code(CC)
⚠️ 62 貧弱
1

スキルZIPをダウンロード

2

Claudeでアップロード

設定 → 機能 → スキル → スキルをアップロードへ移動

3

オンにして利用開始

テストする

「wordpress-penetration-testing」を使用しています。 Scan WordPress site for vulnerabilities

期待される結果:

  • WordPress Version: 6.4.2 (Latest)
  • Theme: Twenty Twenty-Four 1.0 (No known vulnerabilities)
  • Plugins Found: 5 (2 with known vulnerabilities)
  • - Contact Form 7 5.8.3 - CVE-2023-XXXXX (Medium)
  • - WooCommerce 8.5.0 (No known vulnerabilities)
  • Users Enumerated: 3 (admin, editor, author)
  • Recommendations: Update Contact Form 7, disable user enumeration

「wordpress-penetration-testing」を使用しています。 Test password strength for admin account

期待される結果:

  • Password Assessment Results:
  • Target: admin account
  • Passwords Tested: 10000
  • Result: Password NOT found in common wordlist
  • Strength: Strong (12+ characters, mixed case, numbers, symbols)
  • Recommendation: Enable two-factor authentication for additional protection

セキュリティ監査

中リスク
v1 • 2/25/2026

This WordPress penetration testing skill contains intentional security testing patterns including Metasploit, WPScan, nmap, and shell commands. All detected patterns are consistent with legitimate security assessment tools. The skill includes proper legal disclaimers requiring written authorization. Risk is elevated due to exploitation techniques and should include prominent warnings about legal requirements before publication.

1
スキャンされたファイル
491
解析された行数
8
検出結果
1
総監査数

高リスクの問題 (2)

SKILL.md:271-287SKILL.md:291-303
Metasploit Framework Integration
The skill includes Metasploit exploit modules for WordPress shell upload and plugin exploitation. These are legitimate penetration testing tools but require explicit authorization and should only be used in controlled environments.
SKILL.md:315
PHP Reverse Shell Code Execution
The skill demonstrates PHP reverse shell injection via theme editor with bash command execution. This technique could be misused for unauthorized system access.
中リスクの問題 (2)
SKILL.md:243-262
Credential Brute-Force Capabilities
The skill includes WPScan password attack functionality against WordPress login forms and XML-RPC endpoints. While legitimate for security testing, this could be misused for unauthorized access attempts.
SKILL.md:324-344
Malicious Plugin Creation
The skill demonstrates creating a malicious WordPress plugin with system command execution capabilities. This pattern could be repurposed for persistent backdoor installation.
低リスクの問題 (1)
SKILL.md:388-397
Proxy Configuration for Anonymity
The skill includes Tor and HTTP proxy configuration for anonymizing scan traffic. While useful for legitimate security testing, this could indicate intent to evade detection.

リスク要因

⚡ スクリプトを含む
特定の場所は記録されていません
⚙️ 外部コマンド (1)
SKILL.md:315
🌐 ネットワークアクセス (3)
SKILL.md:390 SKILL.md:393 SKILL.md:396

検出されたパターン

Shell Command ExecutionSystem Command Injection via HTTP
監査者: claude

品質スコア

38
アーキテクチャ
100
保守性
87
コンテンツ
50
コミュニティ
28
セキュリティ
100
仕様準拠

作れるもの

Security Consultant WordPress Audit

Perform comprehensive security assessments for clients running WordPress, delivering actionable findings and remediation guidance.

WordPress Developer Security Hardening

Test your own WordPress sites before deployment to identify and fix vulnerabilities before attackers discover them.

Bug Bounty WordPress Testing

Systematically test WordPress installations within bug bounty program scope to discover and report security vulnerabilities.

これらのプロンプトを試す

Basic WordPress Security Scan 
Perform a basic security scan of the WordPress site at [URL]. Enumerate the WordPress version, active themes, installed plugins, and exposed users. Document all findings in a structured report with risk ratings.
Comprehensive Vulnerability Assessment 
Conduct a comprehensive vulnerability assessment of [WordPress URL] using WPScan with API token. Test for vulnerable plugins, themes, user enumeration, and misconfigurations. Provide prioritized remediation steps for each finding.
Password Security Testing 
Test the password strength of WordPress user accounts at [URL] using authorized credentials list. Evaluate password policies, test for common weak passwords, and recommend password policy improvements.
Full Penetration Test Engagement 
Execute a full penetration test engagement against [WordPress URL] including reconnaissance, enumeration, vulnerability scanning, and authorized exploitation attempts. Document the attack chain and provide executive and technical reports.

ベストプラクティス

  • Always obtain written authorization before testing any WordPress site you do not own
  • Use a staging environment for exploitation testing rather than production systems
  • Document all testing activities with timestamps for audit trail purposes
  • Test during maintenance windows to minimize impact on legitimate users
  • Use rate limiting and throttling to avoid denial of service conditions

回避

  • Never test WordPress sites without explicit written authorization from the owner
  • Do not run aggressive scans against production sites during business hours
  • Avoid testing sites protected by WAF without understanding bypass implications
  • Do not exfiltrate or access real user data during security assessments

よくある質問

Is this skill legal to use?
This skill is legal when used on WordPress sites you own or have explicit written authorization to test. Unauthorized testing violates computer crime laws in most jurisdictions.
Do I need a WPScan API token?
A free WPScan API token is recommended for vulnerability database access. Without it, WPScan can still enumerate WordPress components but cannot identify known vulnerabilities.
Can this skill damage my WordPress site?
Aggressive scanning and exploitation testing can potentially cause service disruption. Always test in a staging environment first and avoid production systems during business hours.
What tools does this skill require?
This skill uses WPScan (WordPress scanner), Metasploit Framework, nmap, and standard tools like cURL. WPScan and nmap are pre-installed in Kali Linux.
How long does a WordPress security scan take?
Basic scans take 2-5 minutes. Comprehensive scans with vulnerability checking take 10-30 minutes. Password testing duration depends on wordlist size and rate limiting.
Can I use this for bug bounty hunting?
Yes, but only within the scope defined by the bug bounty program. Always verify the program allows automated scanning and follow all program rules.

開発者の詳細

作成者

sickn33

ライセンス

MIT

リポジトリ

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/wordpress-penetration-testing

参照

main

ファイル構成

📄 SKILL.md