
WP-CLI Auditor: Triage Wordfence RSS Advisories Against Installed Plugins

Victor Jimenez
Software Engineer & AI Agent Builder

I built a WordPress plugin that adds a `wp wordfence-audit plugins` command and flags installed plugins that match vulnerability signals from the current Wordfence blog RSS feed. The goal is quick triage from existing RSS workflows, not replacing full vulnerability databases.

The Problem

Security teams often receive Wordfence weekly advisories first, but still need a fast way to answer: "Do we run any of these plugins, and is our installed version inside an affected range?" Without CLI automation, this becomes manual spreadsheet work across many sites.

The Solution

The plugin fetches RSS items, extracts plugin slugs from WordPress.org links, parses version constraints, and compares against installed plugin versions.

Tech Stack

| Component | Technology | Why |
|---|---|---|
| Platform | WordPress plugin + WP-CLI command | Runs on any WP site with CLI access |
| Signal source | Wordfence blog RSS feed | Lightweight, no API key needed |
| Slug extraction | Regex on wordpress.org/plugins/<slug>/ | Reliable canonical URLs |
| Version matching | PHP version_compare() | Built-in, handles semver correctly |
| Output | Table, JSON, CSV | Whatever downstream tools need |

RSS as a Lightweight Signal Source

RSS is useful when API integration is not available yet. The Wordfence feed provides actionable signals without authentication, rate limits, or API keys. For production-grade coverage, pair RSS triage with a full vulnerability database.

Version Parsing Needs Normalization

Version strings like 2.1.3. vs 2.1.3 cause false mismatches with version_compare(). The normalizeVersionToken helper strips trailing dots and handles edge cases. Without it, you will miss real matches.

src/WordfenceRssClient.php

```php
// Extract plugin slugs from WordPress.org links in RSS HTML
preg_match_all('#https?://wordpress\.org/plugins/([a-z0-9-]+)/?#i', $html, $matches);
```

src/WordfenceRssClient.php

```php
// Parse version constraints from advisory text; each "versions up to X" style
// phrase becomes one inclusive upper bound
$constraints = [];
if (preg_match_all('/versions?\s*(?:up to|<=|less than or equal to)\s*v?([0-9][0-9a-zA-Z.\-+]*)/i', $text, $maxMatches)) {
    foreach ($maxMatches[1] as $maxVersion) {
        $constraints[] = ['type' => 'max_inclusive', 'max' => $this->normalizeVersionToken($maxVersion)];
    }
}
```
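The two snippets above and the normalization point made earlier fit together as one small pipeline: extract slugs, parse bounds, normalize tokens, compare with version_compare(). The following is an added example, not the plugin's own code. The two regexes are the ones shown above; normalizeVersionToken() is my reconstruction of the helper the post names (its exact behaviour in the plugin is an assumption), the function names are mine, and the advisory HTML and installed-plugin list are constructed, with fictional plugin slugs and versions.

```php
<?php
// Added example (not the plugin's own code): RSS item -> slugs -> version
// constraints -> match against installed versions. normalizeVersionToken()
// is a reconstruction; the advisory HTML and plugin list are constructed.
declare(strict_types=1);

/** Strip a leading "v" and the sentence-ending dot that creeps into "2.1.3." */
function normalizeVersionToken(string $token): string
{
    $v = trim($token);
    $v = preg_replace('/^v/i', '', $v);   // "v2.1.3" -> "2.1.3"
    return rtrim($v, '.');                 // "2.1.3." -> "2.1.3"
}

/** Plugin slugs from canonical wordpress.org/plugins/<slug>/ links in the item HTML. */
function extractSlugs(string $html): array
{
    preg_match_all('#https?://wordpress\.org/plugins/([a-z0-9-]+)/?#i', $html, $m);
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

/** "versions up to X" / "versions <= X" phrases become max_inclusive bounds. */
function parseConstraints(string $text): array
{
    $constraints = [];
    if (preg_match_all('/versions?\s*(?:up to|<=|less than or equal to)\s*v?([0-9][0-9a-zA-Z.\-+]*)/i', $text, $max)) {
        foreach ($max[1] as $token) {
            $constraints[] = ['type' => 'max_inclusive', 'max' => normalizeVersionToken($token)];
        }
    }
    return $constraints;
}

/** True when the installed version sits inside an inclusive upper bound. */
function isAffected(string $installed, array $constraint): bool
{
    return $constraint['type'] === 'max_inclusive'
        && version_compare(normalizeVersionToken($installed), $constraint['max'], '<=');
}

/** Cross-reference one advisory item against an installed slug => version map. */
function auditItem(string $itemHtml, array $installed): array
{
    $findings = [];
    // Bounds are written in prose, so work on the text with tags and entities removed
    $constraints = parseConstraints(html_entity_decode(strip_tags($itemHtml)));
    foreach (extractSlugs($itemHtml) as $slug) {
        if (!isset($installed[$slug])) {
            continue;                      // advisory names a plugin this site does not run
        }
        foreach ($constraints as $c) {
            if (isAffected($installed[$slug], $c)) {
                $findings[] = ['slug' => $slug, 'installed' => $installed[$slug], 'affected_up_to' => $c['max']];
            }
        }
    }
    return $findings;
}

// Constructed advisory HTML (fictional plugins); note the sentence-ending dot after 2.1.3
$item = '<p>Example Gallery Lite (<a href="https://wordpress.org/plugins/example-gallery-lite/">'
      . 'example-gallery-lite</a>) in versions up to 2.1.3. A fix is in 2.1.4.</p>'
      . '<p>Also: <a href="https://wordpress.org/plugins/demo-forms/">Demo Forms</a> versions &lt;= 1.0.9</p>';

// Constructed snapshot of what get_plugins() would yield, keyed by slug
$installed = ['example-gallery-lite' => '2.1.3', 'demo-forms' => '3.0.0', 'akismet' => '5.3'];

// Prints one finding: example-gallery-lite 2.1.3 is within "up to 2.1.3"
echo json_encode(auditItem($item, $installed), JSON_PRETTY_PRINT), "\n";
```

Two things worth noticing when running it. The first bound is captured as `2.1.3.` because the regex's token class accepts dots, and it is the rtrim in normalizeVersionToken() that turns it back into `2.1.3` before the comparison; drop that line and the exact-version match the post warns about disappears. Second, bounds are parsed from the whole item, so an advisory that links several plugins applies every bound to every linked slug; treat findings as triage leads to confirm against the advisory text rather than as verdicts.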
Architecture breakdown

| Component | Responsibility |
|---|---|
| WordfenceRssClient | Download RSS and extract slugs, severity, version constraints |
| SignalMatcher | Compare constraints against installed versions with version_compare |
| AuditCommand | Expose wp wordfence-audit plugins and format output |
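The WordfenceRssClient row is the part that touches untrusted input: the feed is XML fetched from the network. The following added example (not the plugin's own code) shows one way to turn an RSS 2.0 document into plain items with SimpleXML, reading the full post HTML from content:encoded and pulling plugin slugs with the regex shown earlier. The feed is embedded and constructed so it runs offline; fetching it with wp_remote_get() is an assumption about how the real client works, and parseAdvisoryFeed() is my name.

```php
<?php
// Added example (not the plugin's own code): parse a Wordfence-style RSS feed
// into items with SimpleXML. The feed below is constructed; in the plugin the
// XML would come from an HTTP fetch (wp_remote_get() assumed).
declare(strict_types=1);

/**
 * Return one array per <item>: title, link, published, slugs, html.
 * The feed is untrusted input: LIBXML_NONET forbids any network access while
 * parsing, and PHP 8 does not load external entities by default.
 */
function parseAdvisoryFeed(string $xml): array
{
    $prev = libxml_use_internal_errors(true);   // collect errors instead of emitting warnings
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    libxml_use_internal_errors($prev);
    if ($doc === false || !isset($doc->channel)) {
        throw new RuntimeException('Feed is not well-formed RSS 2.0');
    }

    $items = [];
    foreach ($doc->channel->item as $item) {
        // content:encoded carries the full post HTML; fall back to <description>
        $content = (string) $item->children('content', true)->encoded;
        if ($content === '') {
            $content = (string) $item->description;
        }
        preg_match_all('#https?://wordpress\.org/plugins/([a-z0-9-]+)/?#i', $content, $m);

        $items[] = [
            'title'     => (string) $item->title,
            'link'      => (string) $item->link,
            'published' => (string) $item->pubDate,
            'slugs'     => array_values(array_unique(array_map('strtolower', $m[1]))),
            'html'      => $content,   // handed on to constraint parsing
        ];
    }
    return $items;
}

// Constructed feed: fictional advisory, fictional plugin slug, example.invalid host
$feed = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Example security blog</title>
    <item>
      <title>Vulnerability Advisory: Example Gallery Lite</title>
      <link>https://example.invalid/advisory/example-gallery-lite</link>
      <pubDate>Mon, 01 Jan 2024 12:00:00 +0000</pubDate>
      <content:encoded><![CDATA[<p>Affects <a href="https://wordpress.org/plugins/example-gallery-lite/">Example Gallery Lite</a> in versions up to 2.1.3.</p>]]></content:encoded>
    </item>
  </channel>
</rss>
XML;

// Prints: Vulnerability Advisory: Example Gallery Lite -> example-gallery-lite
foreach (parseAdvisoryFeed($feed) as $entry) {
    printf("%s -> %s\n", $entry['title'], implode(', ', $entry['slugs']));
}
```

Keeping the raw `html` on each item lets the constraint parser run over the same text the slugs came from, which matters when an item's title names the plugin differently from its wordpress.org link.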

Why this matters for Drupal and WordPress

WordPress sites running dozens of plugins face constant exposure to newly disclosed vulnerabilities. This WP-CLI auditor lets WordPress agencies and site maintainers automate weekly triage against Wordfence advisories without manual spreadsheet work. For multisite networks or managed hosting fleets, piping the JSON output into a dashboard gives immediate visibility into which sites need patching. Drupal teams can apply the same RSS-to-CLI pattern using Drush commands to cross-reference security advisories from drupal.org against installed modules.

What I Learned

  • RSS can be useful as a lightweight signal source when API integration is not available yet.
  • Slug extraction from canonical wordpress.org/plugins/<slug>/ links is reliable for fast matching.
  • Version parsing needs normalization (2.1.3. vs 2.1.3), or you risk false mismatches.
  • For production-grade coverage, pair RSS triage with full database/API scanners.

Looking for an Architect who doesn't just write code, but builds the AI systems that multiply your team's output? View my enterprise CMS case studies at victorjimenezdev.github.io or connect with me on LinkedIn.