Confirm successful installation by checking the skill directory location:
.cursor/skills/wordpress-security-validation
Restart Cursor to activate wordpress-security-validation. Access via /wordpress-security-validation in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Security is not optional in WordPress developmentβit's fundamental. This skill teaches the three-layer security model that prevents XSS, CSRF, SQL injection, and other common web vulnerabilities through proper input sanitization, business logic validation, and output escaping.
The Golden Rule: "Sanitize on input, validate for logic, escape on output."
Why This Matters
Every year, thousands of WordPress sites are compromised due to security vulnerabilities in plugins and themes. Most of these attacks exploit one of three weaknesses:
XSS (Cross-Site Scripting): Malicious JavaScript injected through unsanitized output
CSRF (Cross-Site Request Forgery): Unauthorized actions performed on behalf of authenticated users
SQL Injection: Database manipulation through unsanitized database queries
This skill provides complete, production-ready patterns for preventing all three attack vectors.
The Three-Layer Security Model
WordPress security follows a defense-in-depth strategy with three distinct layers:
User Input β [1. SANITIZE] β [2. VALIDATE] β Process β [3. ESCAPE] β Output
Layer 1: Sanitization (Input Cleaning)
Purpose: Remove dangerous characters and normalize data format
When: Immediately upon receiving user input
Example:sanitize_text_field($_POST['username'])
Layer 2: Validation (Logic Checks)
Purpose: Ensure data meets business requirements
When: After sanitization, before processing
Example:if (!is_email($email)) { /* error */ }
Layer 3: Escaping (Output Protection)
Purpose: Prevent XSS by encoding special characters
When: Every time you output data to browser
Example:echo esc_html($user_input);
Critical Distinction:
Sanitization removes/transforms invalid data (changes the value)
Validation checks if data is acceptable (returns true/false)
Escaping makes data safe for display (context-specific encoding)
1. Nonces: CSRF Protection
What Are Nonces?
Nonces (Numbers Used Once) are cryptographic tokens that verify a request originated from your site, not a malicious external source. They prevent Cross-Site Request Forgery (CSRF) attacks.
How CSRF Attacks Work:
<!-- Attacker's malicious site: evil.com --><imgsrc="https://yoursite.com/wp-admin/admin.php?action=delete_user&id=1"><!-- If user is logged into yoursite.com, this executes! -->
How Nonces Prevent CSRF:
<!-- Legitimate request with nonce --><formaction="admin.php?action=delete_user&id=1"method="POST"><?php wp_nonce_field('delete_user_1', 'delete_nonce'); ?><button>Delete User</button></form><!-- Attacker cannot generate valid nonce (tied to user session) -->
Nonce Implementation Patterns
Pattern 1: Form Nonces (Most Common)
BEFORE (Vulnerable):
// Vulnerable form processingif(isset($_POST['submit'])){$user_id=absint($_POST['user_id']);delete_user($user_id);// β οΈ CSRF vulnerable!}
AFTER (Secure):
// Generate nonce in form
<formmethod="post"action=""><?phpwp_nonce_field('delete_user_action','delete_user_nonce');?><inputtype="hidden"name="user_id"value="42"><buttontype="submit"name="submit">Delete User</button></form>// Verify nonce on submission
if (isset($_POST['submit'])) {
// Security check #1: Verify nonce
if (!isset($_POST['delete_user_nonce']) ||
!wp_verify_nonce($_POST['delete_user_nonce'], 'delete_user_action')) {
wp_die('Security check failed: Invalid nonce');
}
// Security check #2: Capability check
if (!current_user_can('delete_users')) {
wp_die('You do not have permission to delete users');
}
// Now safe to process
$user_id = absint($_POST['user_id']);
wp_delete_user($user_id);
}
Key Functions:
wp_nonce_field($action, $name) - Generates hidden nonce field
add_action('wp_enqueue_scripts','enqueue_ajax_script');functionenqueue_ajax_script(){wp_enqueue_script('my-ajax-script',plugin_dir_url(__FILE__).'js/ajax.js',['jquery'],'1.0.0',true);// Pass nonce and AJAX URL to JavaScriptwp_localize_script('my-ajax-script','myAjax',['ajaxurl'=>admin_url('admin-ajax.php'),
β
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
