WP-CLI Auditor: Triage Wordfence RSS Advisories Against Installed Plugins
Source: Dev.to

I built a WordPress plugin that adds the `wp wordfence-audit plugins` command and flags installed plugins that match vulnerability signals from the current Wordfence blog RSS feed. The goal is quick triage from existing RSS workflows, not a replacement for full vulnerability databases.
The Problem
Security teams often receive Wordfence weekly advisories first, but they still need a fast way to answer:
“Do we run any of these plugins, and is our installed version inside an affected range?”
Without CLI automation, this becomes manual spreadsheet work across many sites.
The Solution
The plugin:
- Fetches the Wordfence RSS feed.
- Parses each item’s HTML content.
- Extracts plugin slugs from `wordpress.org/plugins/<slug>/` URLs.
- Parses version constraints (e.g., “up to”, “≤”, “less than”).
- Loads installed plugins via WP‑CLI.
- Compares versions with PHP’s `version_compare()`.
- Outputs the result as a table, JSON, or CSV.
```mermaid
flowchart LR
A[wp wordfence-audit plugins] --> B[Fetch Wordfence RSS feed]
B --> C[Parse item HTML content]
C --> D[Extract plugin slug from wordpress.org URLs]
D --> E[Parse version constraints: up to, ≤, less than]
E --> F[Load installed plugins via WP‑CLI]
F --> G[version_compare matching]
G --> H[CLI output: table / json / csv]
```
Tech Stack
| Component | Technology | Why |
|---|---|---|
| Platform | WordPress plugin + WP‑CLI command | Runs on any WP site with CLI access |
| Signal source | Wordfence blog RSS feed | Lightweight, no API key needed |
| Slug extraction | Regex on `wordpress.org/plugins/<slug>/` | Reliable canonical URLs |
| Version matching | PHP version_compare() | Built‑in, handles semver correctly |
| Output | Table, JSON, CSV | Fits any downstream tool |
💡 Tip: RSS as a Lightweight Signal Source
RSS is useful when an API isn’t available yet. The Wordfence feed provides actionable signals without authentication, rate limits, or API keys. For production‑grade coverage, pair RSS triage with a full vulnerability database.
⚠️ Caution: Version Parsing Needs Normalization
Version strings like `2.1.3.` vs `2.1.3` cause false mismatches with `version_compare()`. The `normalizeVersionToken` helper strips trailing dots and handles edge cases. Without it, you will miss real matches.
```php
// src/WordfenceRssClient.php
// Extract plugin slugs from WordPress.org links in RSS HTML
preg_match_all('#https?://wordpress\.org/plugins/([a-z0-9-]+)/?#i', $html, $matches);
$slugs = array_unique(array_map('strtolower', $matches[1]));
```

```php
// src/WordfenceRssClient.php
// Parse version constraints from advisory text.
// The alternation below (up to, ≤, <=) was truncated in the published post and is
// reconstructed from the inclusive constraint forms described above.
if (preg_match_all(
    '/versions?\s*(?:up to|≤|<=)\s*v?([0-9]+(?:\.[0-9]+)*\.?)/iu',
    $text,
    $versionMatches
)) {
    foreach ($versionMatches[1] as $maxVersion) {
        $constraints[] = [
            'type' => 'max_inclusive',
            'max'  => $this->normalizeVersionToken($maxVersion)
        ];
    }
}
```

```php
// src/SignalMatcher.php
// Compare installed version against advisory constraint
if ($type === 'max_inclusive' && isset($constraint['max'])) {
    // Installed version at or below the advisory's upper bound is inside the affected range
    if (version_compare($installedVersion, (string) $constraint['max'], '<=')) {
        return true;
    }
}
```

```bash
# Table output (default)
wp wordfence-audit plugins
# JSON for scripting
wp wordfence-audit plugins --format=json
# CSV for spreadsheets
wp wordfence-audit plugins --format=csv > audit.csv
```
Architecture Breakdown
| Component | Responsibility |
|---|---|
| WordfenceRssClient | Download RSS and extract slugs, severity, version constraints |
| SignalMatcher | Compare constraints against installed versions with `version_compare` |
| AuditCommand | Expose `wp wordfence-audit plugins` and format output |
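To show the three components working end to end, here is an added, self-contained PHP script that is not the plugin's own code: it walks a constructed RSS item, pairs each `wordpress.org/plugins/<slug>/` link with the version constraint in the same paragraph, normalizes the version token, and runs `version_compare()` against a constructed `wp plugin list`-style inventory. It goes one step beyond the snippets above by distinguishing inclusive bounds (“up to”, “≤”) from exclusive ones (“less than”), so a plugin sitting exactly on an exclusive bound is not reported as affected. The function names, sample slugs and versions are all illustrative.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code. Function names and the sample data
// below are illustrative; the real plugin wraps this logic in WP-CLI command classes.

// Constructed RSS item in the shape of a Wordfence blog feed entry. Plugin slugs
// and version numbers are invented for the example.
const SAMPLE_RSS = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
 <channel>
  <item>
   <title>Weekly advisory (constructed sample)</title>
   <content:encoded><![CDATA[
<p><a href="https://wordpress.org/plugins/example-gallery/">Example Gallery</a>
&#8211; affected in versions up to 2.1.3.</p>
<p><a href="https://wordpress.org/plugins/demo-forms/">Demo Forms</a>
&#8211; versions less than 4.0.0 are affected.</p>
   ]]></content:encoded>
  </item>
 </channel>
</rss>
XML;

// Constructed inventory in the shape of `wp plugin list --format=json`.
const INSTALLED = [
    ['name' => 'example-gallery', 'version' => '2.1.3'],
    ['name' => 'demo-forms',      'version' => '4.0.0'],
    ['name' => 'unrelated-seo',   'version' => '1.0.0'],
];

/** Trim whitespace and trailing dots so "2.1.3." compares equal to "2.1.3". */
function normalizeVersionToken(string $v): string
{
    return rtrim(trim($v), '.');
}

/**
 * Map one advisory's HTML to [slug => ['type' => ..., 'max' => ...]].
 * Slugs and constraints are paired per paragraph so two plugins mentioned
 * in one advisory do not receive each other's version bound.
 */
function parseAdvisoryHtml(string $html): array
{
    $signals = [];
    foreach (preg_split('#</p>#i', $html) as $para) {
        // Slug comes from the canonical wordpress.org URL in the raw HTML.
        if (!preg_match('#https?://wordpress\.org/plugins/([a-z0-9-]+)/?#i', $para, $slug)) {
            continue;
        }
        // Constraint comes from the visible text, with entities decoded so that
        // "&lt;=" or "&#8804;" (≤) become comparable characters.
        $text = html_entity_decode(strip_tags($para), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (!preg_match('/(up to|≤|<=|less than|<)\s*v?([0-9]+(?:\.[0-9]+)*\.?)/iu', $text, $m)) {
            continue;
        }
        $inclusive = in_array(mb_strtolower($m[1]), ['up to', '≤', '<='], true);
        $signals[strtolower($slug[1])] = [
            'type' => $inclusive ? 'max_inclusive' : 'max_exclusive',
            'max'  => normalizeVersionToken($m[2]),
        ];
    }
    return $signals;
}

/** Return the installed plugins whose version falls inside an advisory's affected range. */
function matchInstalled(array $signals, array $installed): array
{
    $hits = [];
    foreach ($installed as $plugin) {
        $slug = strtolower($plugin['name']);
        if (!isset($signals[$slug])) {
            continue;
        }
        $c  = $signals[$slug];
        $op = $c['type'] === 'max_inclusive' ? '<=' : '<';
        if (version_compare(normalizeVersionToken($plugin['version']), $c['max'], $op)) {
            $hits[] = [
                'plugin'    => $slug,
                'installed' => $plugin['version'],
                'affected'  => $op . ' ' . $c['max'],
            ];
        }
    }
    return $hits;
}

// Walk the feed: <content:encoded> holds the advisory HTML; LIBXML_NOCDATA
// unwraps the CDATA block so the string cast yields the markup itself.
$feed    = simplexml_load_string(SAMPLE_RSS, 'SimpleXMLElement', LIBXML_NOCDATA);
$signals = [];
foreach ($feed->channel->item as $item) {
    $html     = (string) $item->children('content', true)->encoded;
    $signals += parseAdvisoryHtml($html);
}
echo json_encode(matchInstalled($signals, INSTALLED), JSON_PRETTY_PRINT), PHP_EOL;
```

Run it with `php audit-example.php`. The “up to 2.1.3.” sentence is the normalization case from the caution above: the trailing dot is captured by the regex and removed before `version_compare()`, so the installed `2.1.3` is reported. The “less than 4.0.0” sentence maps to an exclusive bound, so an installed `4.0.0` is left unflagged; if your triage policy prefers to over-report, collapse both types to `<=` and review the extra rows by hand.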
Related reading
Why This Matters for Drupal and WordPress
WordPress sites running dozens of plugins face constant exposure to newly disclosed vulnerabilities. This WP‑CLI auditor lets agencies and site maintainers automate weekly triage against Wordfence advisories without manual spreadsheet work.
For multisite networks or managed‑hosting fleets, piping the JSON output into a dashboard gives immediate visibility into which sites need patching.
Drupal teams can apply the same RSS‑to‑CLI pattern using Drush commands to cross‑reference security advisories from drupal.org against installed modules.
What I Learned
- RSS can be a useful, lightweight signal source when an API isn’t available.
- Slug extraction from canonical `wordpress.org/plugins/<slug>/` URLs is reliable for fast matching.
- Version parsing needs normalization (`2.1.3.` vs `2.1.3`) or you risk false mismatches.
- For production‑grade coverage, pair RSS triage with a full database/API scanner.
References
- View Code on GitHub
- Wordfence Blog RSS Feed
- WP Vulnerability Plugin
- Fullworks Scanner – WordPress Plugin
Looking for an Architect who doesn’t just write code, but builds the AI systems that multiply your team’s output? View my enterprise CMS case studies at victorjimenezdev.github.io or connect with me on LinkedIn.
Originally published at VictorStack AI — Drupal & WordPress Reference
