Install: `npx ai-builder add command jnealey88/security-audit` (installs to `.claude/commands/security-audit.md`)
Act as a senior WordPress plugin developer. Review the DesignSetGo WordPress plugin for best practices, security vulnerabilities, and performance optimization opportunities.
## Comprehensive Review Areas
### 1. **Security Audit** (Critical)
Analyze all PHP and JavaScript files for security vulnerabilities:
**PHP Security Issues:**
- [ ] SQL Injection vulnerabilities (improper use of $wpdb, missing prepare())
- [ ] XSS vulnerabilities (missing esc_html, esc_attr, esc_url, wp_kses)
- [ ] CSRF vulnerabilities (missing nonce verification)
- [ ] Arbitrary file inclusion (improper use of require/include)
- [ ] Path traversal vulnerabilities (missing realpath() checks)
- [ ] Capability checks on privileged operations
- [ ] REST API input validation and sanitization
- [ ] Direct file access checks (ABSPATH checks)
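As an added illustration (not DesignSetGo's own code), the following REST endpoint applies the PHP items above in one place: ABSPATH guard, capability check in `permission_callback` (which, with cookie auth, also enforces the `X-WP-Nonce` CSRF check), per-argument validation and sanitization, `$wpdb->prepare()` placeholders, and context-specific escaping on output. The class, route, option and text-domain names are hypothetical.

```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
	exit; // Direct file access check.
}

class Example_Styles {
	public static function register_routes() {
		register_rest_route( 'example/v1', '/accent', array(
			'methods'  => WP_REST_Server::EDITABLE,
			'callback' => array( __CLASS__, 'save' ),
			// Capability + CSRF: cookie-authenticated calls must carry a valid X-WP-Nonce,
			// and only users who can manage options may write.
			'permission_callback' => function () {
				return current_user_can( 'manage_options' );
			},
			'args' => array( // WordPress validates first, then sanitizes, before the callback runs
				'color' => array( // hex colour only, e.g. #1a2b3c
					'required'          => true,
					'validate_callback' => function ( $v ) { return (bool) sanitize_hex_color( $v ); },
					'sanitize_callback' => 'sanitize_hex_color',
				),
				'size'  => array( // numeric and bounded
					'validate_callback' => function ( $v ) { return is_numeric( $v ) && $v >= 8 && $v <= 96; },
					'sanitize_callback' => 'absint',
				),
			),
		) );
	}

	public static function save( WP_REST_Request $req ) {
		global $wpdb;
		$color = $req->get_param( 'color' );
		// SQL injection: request data only reaches the query through prepare() placeholders.
		$in_use = (int) $wpdb->get_var( $wpdb->prepare(
			"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
			'_example_accent', $color
		) );
		update_option( 'example_accent', array( 'color' => $color, 'size' => $req->get_param( 'size' ) ) );
		return rest_ensure_response( array( 'saved' => true, 'in_use' => $in_use ) );
	}

	// Frontend output: escape at the point of output, for the context the value lands in.
	public static function render() {
		$o = (array) get_option( 'example_accent', array() );
		printf( '<span style="color:%s;font-size:%dpx">%s</span>',
			esc_attr( $o['color'] ?? '' ), absint( $o['size'] ?? 16 ), esc_html__( 'Accent', 'example' ) );
	}
}
add_action( 'rest_api_init', array( 'Example_Styles', 'register_routes' ) );
```

A missing `permission_callback`, a string-concatenated query, or an unescaped `echo` of `$o['color']` would each be a finding under the checklist above.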
**JavaScript Security Issues:**
- [ ] XSS via innerHTML with unsanitized data
- [ ] URL validation (preventing javascript:, data: URLs)
- [ ] Data attribute sanitization before DOM manipulation
- [ ] Color/numeric value validation before use
**Check these critical files:**
- `includes/admin/class-global-styles.php` - REST API endpoints
- `includes/patterns/class-loader.php` - File inclusion
- `includes/class-assets.php` - Asset loading
- `src/extensions/*/frontend.js` - Frontend JavaScript
- Any file with `$_GET`, `$_POST`, `$_REQUEST`, `get_json_params()`
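For the file-inclusion and path-traversal items, an added example (hypothetical helper, not DesignSetGo's `class-loader.php`) of how a pattern loader can gate `include` behind a slug allow-list and a `realpath()` containment check; the function names and `patterns/` directory are assumptions:

```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Resolve a pattern slug to a PHP file inside the plugin's patterns directory.
 * Returns the absolute path, or false when the slug is unsafe or the file is missing.
 */
function example_pattern_file( $slug ) {
	// Allow-list the slug shape first: no slashes, dots or NUL bytes ever reach the filesystem.
	if ( ! is_string( $slug ) || ! preg_match( '/^[a-z0-9-]{1,64}$/', $slug ) ) {
		return false;
	}
	$base = realpath( plugin_dir_path( __FILE__ ) . 'patterns' );
	$file = realpath( $base . '/' . $slug . '.php' );
	// realpath() collapses ../ and symlinks; the result must still sit under $base.
	if ( false === $base || false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
		return false;
	}
	return $file;
}

// Before (the pattern the grep in the execution steps flags): request data concatenated into include.
// include plugin_dir_path( __FILE__ ) . 'patterns/' . $_GET['pattern'] . '.php';

// After: only a path that passed the allow-list and realpath gate is ever included.
function example_render_pattern( $slug ) {
	$file = example_pattern_file( $slug );
	if ( ! $file ) {
		return new WP_Error( 'invalid_pattern', __( 'Unknown pattern.', 'example' ), array( 'status' => 404 ) );
	}
	ob_start();
	include $file;
	return ob_get_clean();
}
```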
### 2. **Performance Analysis**
**Asset Loading:**
- [ ] Are assets loading from `build/` instead of `src/`?
- [ ] Conditional loading (only load when blocks present)?
- [ ] Asset file size optimization opportunities
- [ ] Unnecessary dependencies being loaded
**Database Performance:**
- [ ] Transient caching for expensive operations
- [ ] Block/pattern registration optimization
- [ ] Unnecessary queries on every page load
**Frontend Performance:**
- [ ] JavaScript bundle size and code splitting
- [ ] CSS optimization (remove unused rules, use CSS variables)
- [ ] Lazy loading for videos/images
- [ ] React performance (missing memoization, unnecessary re-renders)
### 3. **WordPress Coding Standards**
**PHP Standards:**
- [ ] Proper DocBlocks for all functions/methods
- [ ] Consistent namespacing
- [ ] Text domains on all translation functions
- [ ] Proper sanitization and escaping
- [ ] Error handling and logging
**JavaScript Standards:**
- [ ] ESLint compliance
- [ ] Proper JSDoc comments
- [ ] Modern ES6+ patterns
- [ ] WordPress-specific best practices
### 4. **Architecture Review**
**Code Quality:**
- [ ] Singleton pattern properly implemented
- [ ] Separation of concerns
- [ ] DRY principle (no code duplication)
- [ ] File organization and naming conventions
- [ ] No unused/commented code
**WordPress Integration:**
- [ ] Proper use of hooks and filters
- [ ] Block registration best practices
- [ ] Asset enqueuing best practices
- [ ] Admin page security
## Output Requirements
Generate a comprehensive **SECURITY-REVIEW.md** file containing:
### 1. Executive Summary
- Overall security status (🔴 Critical, 🟡 High, 🟢 Medium, 🔵 Low)
- Number of issues found by severity
- Quick assessment of production readiness
### 2. Critical Security Issues (🔴)
For each issue:
- File location with line numbers
- Clear description of the vulnerability
- Attack vector explanation
- Complete code fix with before/after
- Estimated fix time
### 3. High Priority Issues (🟡)
Same format as critical issues
### 4. Medium Priority - Performance (🟢)
- Optimization opportunities
- Expected performance gains
- Implementation recommendations
### 5. Low Priority - Code Quality (🔵)
- Coding standards violations
- Documentation improvements
- Refactoring suggestions
### 6. Action Plan
Organize issues by priority with time estimates:
- **Week 1:** Critical security fixes (must do before production)
- **Week 2:** High priority security & performance
- **Week 3:** Performance optimization
- **Week 4:** Code quality & standards
### 7. Security Checklist for Production
Clear checklist of security requirements before deployment
### 8. Things Done Well
Positive feedback on good practices to maintain
## Execution Steps
1. **Review Plugin Structure**
- Read main plugin file
- Identify all PHP classes in `includes/`
- Identify all JavaScript files in `src/`
2. **Security Scan**
- Search for vulnerable patterns:
```bash
# PHP vulnerabilities
grep -r "get_json_params\|require\|include\|\$_GET\|\$_POST" includes/ --include="*.php"
grep -r "sanitize\|escape\|esc_html\|esc_attr\|wp_kses" includes/ --include="*.php"
# JavaScript vulnerabilities
grep -r "innerHTML\|getAttribute\|setAttribute" src/ --include="*.js"
```
3. **Analyze Each Vulnerability**
- Read the full context of flagged files
- Determine if vulnerability exists
- Provide specific fix
4. **Performance Review**
- Check asset loading strategy in `includes/class-assets.php`
- Review build output sizes
- Identify optimization opportunities
5. **Generate Report**
- Create comprehensive markdown document
- Include code examples for all fixes
- Provide actionable recommendations
## Additional Checks
### Dependency Security
- [ ] Run `npm audit` for JavaScript vulnerabilities
- [ ] Run `npm run check-licenses` for GPL compatibility
- [ ] Check for outdated packages
### Build Configuration
- [ ] Verify webpack config is optimized
- [ ] Check that source maps are disabled in production
- [ ] Verify minification is enabled
### WordPress.org Readiness
- [ ] No hardcoded credentials or API keys
- [ ] Proper licensing headers
- [ ] No "phone home" functionality
- [ ] Follows WordPress.org guidelines
## Final Output Format
```markdown
# DesignSetGo Plugin - Security, Performance & Best Practices Review
**Review Date:** YYYY-MM-DD
**Plugin Version:** X.X.X
**Reviewer:** Senior WordPress Plugin Developer
## Executive Summary
[Status overview]
## 🔴 CRITICAL SECURITY ISSUES
[Numbered issues with fixes]
## 🟡 HIGH PRIORITY ISSUES
[Numbered issues with fixes]
## 🟢 MEDIUM PRIORITY - Performance
[Optimization opportunities]
## 🔵 LOW PRIORITY - Code Quality
[Standards and documentation]
## 📋 ACTION PLAN
[Week-by-week priority order]
## 🔒 Security Checklist for Production
[Pre-deployment checklist]
## ✅ THINGS YOU'RE DOING WELL
[Positive reinforcement]
```
**IMPORTANT:**
- Be thorough but constructive
- Provide complete, working code fixes
- Explain WHY each issue matters
- Prioritize by severity and impact
- Include time estimates for fixes
- End with clear next steps
Details:
- Type: command
- Author: jnealey88
- Slug: jnealey88/security-audit
- Created: 6d ago