wp-security-review


WordPress Security Review Skill

Overview

Systematic security code review for WordPress themes, plugins, and custom code. Core principle: Scan for critical vulnerabilities first (SQL injection, XSS, authentication bypass), then authorization issues, then hardening opportunities. Report with line numbers and severity levels.

When to Use

Use when:

  • Reviewing PR/code for WordPress theme or plugin security
  • User reports suspected hack, malware, or security breach
  • Auditing before public release or security certification
  • Checking authentication, authorization, or capability checks
  • Investigating suspicious code or backdoors

Don't use for:

  • Performance-only reviews (use wp-performance-review)
  • General PHP code review not specific to WordPress
  • Server/infrastructure security (focus is on code)

Installs: 8
First Seen: Jan 20, 2026
wp-security-review — vapvarun/claude-backup