Add WordPress security scanning for vulnerabilities and PHP syntax #297

@claytoncollie

Description

Is your enhancement related to a problem? Please describe.

We need to add security scanning to our WordPress project to catch vulnerabilities and code issues before they reach production. This includes PHP syntax validation, virus scanning, and WordPress plugin/theme vulnerability detection.

This issue is to add the 10up WordPress Scanner Action to our CI/CD pipeline. This will perform PHP syntax checks to catch coding errors, scan for malicious code using ClamAV, and check our WordPress plugins and themes against known vulnerability databases from Wordfence, Patchstack, or WPScan.

Since we already have Composer dependencies set up in our existing workflow, we can integrate this scanner to run after our dependencies are installed. The scanner will use our current wp-content structure and can leverage the authentication token we're already using for Composer.

This automated security check will catch PHP syntax errors during development, detect any malicious code that might be introduced, and alert us to known vulnerabilities in our WordPress plugins and themes. It will help maintain our security standards and prevent vulnerable code from being deployed.

Here is an example from one of my current projects. This scans with the free version of Wordfence.

```yaml
name: Virus Scanning

on:
  pull_request:

jobs:
  virus-scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: "8.3"
          coverage: none
          tools: composer:v2

      - name: PHP Version
        run: php -v

      - name: Install Composer dependencies
        run: composer install

      - name: Install classic theme dependencies
        run: |
          cd themes/10up-theme
          composer install

      # Indentation fixed: this step was one space short, which breaks YAML parsing
      - name: Install block theme dependencies
        run: |
          cd themes/10up-block-theme
          composer install

      - name: Install mu-plugin dependencies
        run: |
          cd mu-plugins/10up-plugin
          composer install

      - name: Virus Scanning
        uses: 10up/wp-scanner-action@v1
        with:
          content_dir: './'
          composer_build: 'false'
```
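The vulnerability-database step in the workflow above boils down to reading the version header of every plugin and theme under wp-content and comparing it with the "fixed in" version of each published advisory. The script below is an added illustration of that check, written for this issue and not taken from 10up/wp-scanner-action or from Wordfence, Patchstack or WPScan; the feed layout (`slug`, `type`, `fixed_in`) and the two sample components are constructed assumptions, so a real integration would replace `SAMPLE_FEED` with the provider's actual API response.

```python
"""Added example: flag WordPress plugins/themes whose header version is below an
advisory's fixed version. Not the 10up scanner's code; the feed format is assumed."""
import re

# Plugin headers live in the main .php file as " * Plugin Name: ..." lines;
# theme headers live in style.css as "Theme Name: ..." lines. Both carry "Version:".
HEADER_RE = re.compile(r"^[\s*]*(Plugin Name|Theme Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_header(source: str) -> dict:
    """Return {'type', 'name', 'version'} for a plugin/theme header, or {} if none."""
    fields = dict(HEADER_RE.findall(source))
    if "Plugin Name" in fields:
        kind, name = "plugin", fields["Plugin Name"]
    elif "Theme Name" in fields:
        kind, name = "theme", fields["Theme Name"]
    else:
        return {}
    return {"type": kind, "name": name, "version": fields.get("Version", "0")}


def version_lt(a: str, b: str) -> bool:
    """Numeric, right-padded comparison so '1.0' == '1.0.0'. Suffixes like '-beta' are ignored."""
    ta = tuple(int(p) for p in re.findall(r"\d+", a))
    tb = tuple(int(p) for p in re.findall(r"\d+", b))
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def collect_components(files: dict) -> list:
    """files maps wp-content-relative paths to file contents. The slug is the directory
    directly under plugins/ or themes/, which is how advisories identify a component."""
    components = []
    for path, source in files.items():
        header = parse_header(source)
        if not header:
            continue
        parts = path.split("/")
        folder = "plugins" if header["type"] == "plugin" else "themes"
        if folder not in parts or parts.index(folder) + 1 >= len(parts):
            continue
        header["slug"] = parts[parts.index(folder) + 1]
        components.append(header)
    return components


def scan(components: list, feed: list) -> list:
    """Report every (component, advisory) pair where the installed version is below fixed_in."""
    findings = []
    for comp in components:
        for adv in feed:
            same = adv["type"] == comp["type"] and adv["slug"] == comp["slug"]
            if same and version_lt(comp["version"], adv["fixed_in"]):
                findings.append({"slug": comp["slug"], "type": comp["type"],
                                 "installed": comp["version"], "fixed_in": adv["fixed_in"],
                                 "title": adv["title"]})
    return findings


# Constructed sample tree: one out-of-date plugin and one theme already at the fixed version.
SAMPLE_FILES = {
    "wp-content/plugins/example-contact-form/example-contact-form.php": (
        "<?php\n/**\n * Plugin Name: Example Contact Form\n * Version: 2.3.1\n */\n"
    ),
    "wp-content/themes/example-theme/style.css": (
        "/*\nTheme Name: Example Theme\nVersion: 1.0\n*/\n"
    ),
}

# Constructed feed in the assumed layout; real feeds come from the provider's API.
SAMPLE_FEED = [
    {"type": "plugin", "slug": "example-contact-form", "fixed_in": "2.4.0",
     "title": "Constructed advisory: fixed in 2.4.0"},
    {"type": "theme", "slug": "example-theme", "fixed_in": "1.0.0",
     "title": "Constructed advisory: fixed in 1.0.0"},
]


def scan_sample() -> list:
    return scan(collect_components(SAMPLE_FILES), SAMPLE_FEED)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['type']} {f['slug']} {f['installed']} < {f['fixed_in']}: {f['title']}")
```

In a CI job the natural failure condition is a non-empty findings list; note that the padded comparison keeps a theme at `1.0` from being reported against an advisory fixed in `1.0.0`, which a naive string comparison would get wrong.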
