| 开发者 |
sudowp
thewebcitizen |
|---|---|
| 更新时间 | 2026年7月13日 05:59 |
| PHP版本: | 8.1 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPL-2.0-or-later |
| 版权网址: | 版权信息 |
sudowp-radar directory to /wp-content/plugins/.No. The core audit rules work on WordPress 6.9 and higher. The five AI agent rules (AI prompt filter bypass, AI REST overexposure, AI missing version gate, hosting-injected ability, connector key in database) are silently skipped on sites running below 7.0 -- no errors, no noise. If you are running 7.0, those rules activate automatically.
The Abilities API, introduced in WordPress 6.9, is the layer that allows AI agents and MCP tools to interact with your site programmatically. Plugins register named abilities with permission callbacks and input schemas. When an AI agent connects to your site, it can call these abilities directly. A misconfigured ability is a direct entry point -- not a theoretical risk.
Possibly. Some hosting providers auto-install AI agent plugins on customer sites without explicit consent. If that plugin registers abilities with REST exposure, or stores an AI provider key in your database, it expands your AI attack surface without your knowledge. Run a Radar audit to check. The hosting-injected ability rule (premium) and connector key in database rule (free) are designed to catch exactly this scenario.
WordPress 7.0 introduces a Connectors API that lets plugins register AI provider integrations (OpenAI, Anthropic, Google, and others). If the API key for one of these connectors was entered through the WordPress admin UI rather than defined as an environment variable or PHP constant, it is stored as plaintext in your database. Any SQL injection vulnerability or object cache exposure on your site would expose that key directly. The finding tells you which connector is affected and how to move the key to a safer location.
A Critical finding is an ability or endpoint that any user -- in some cases an unauthenticated visitor -- can call directly. This is the highest severity level and should be addressed before anything else.
No. Radar is a read-only auditor. It reads the Abilities registry and reports findings. It does not modify any registered abilities, alter plugin settings, or write to the database other than storing the last audit report in your own user meta.
No. The audit runs on demand only, triggered by clicking Run Audit in the admin. It does not run automatically and has no effect on front-end performance.
Radar registers a sudowp-radar/audit ability via the WP Abilities API, allowing MCP-connected AI agents to trigger audits programmatically. REST exposure is disabled by default -- the ability is only reachable by MCP agents with the appropriate permission, not by unauthenticated REST callers.
PHP 8.1 or higher.
sudowp-radar/audit ability for MCP agent access.