Skip to main content

wp-to-static

Converts WordPress sites to static sites for Cloudflare Pages, optimizing performance and reducing hosting costs.

Install this skill

or
0/100

Security score

The wp-to-static skill was audited on Feb 16, 2026 and we found 18 security issues across 2 threat categories, including 3 critical. Review the findings below before installing.

Categories Tested

Security Issues

high line 151

Path traversal pattern

SourceSKILL.md
151- `wp-content/uploads/` → `../../`
high line 152

Path traversal pattern

SourceSKILL.md
152- `wp-content/themes/` → `../../themes/`
high line 153

Path traversal pattern

SourceSKILL.md
153- `wp-includes/` → `../../../wp-includes/`
low line 23

Access to hidden dotfiles in home directory

SourceSKILL.md
23ssh-add ~/.ssh/your_wp_key
medium line 25

Access to hidden dotfiles in home directory

SourceSKILL.md
254. **Server host key verified:** The user should have connected to the server at least once and accepted the host key, so it exists in `~/.ssh/known_hosts`.
medium line 33

Access to hidden dotfiles in home directory

SourceSKILL.md
33- `WP_SSH_KEY` — Path to SSH private key file (e.g., `~/.ssh/wp_key`). Key must have `chmod 600` permissions.
medium line 44

Access to hidden dotfiles in home directory

SourceSKILL.md
44- SSH host key verification is ENABLED (no `StrictHostKeyChecking=no`) — the server must already be in `~/.ssh/known_hosts`
high line 23

Access to SSH directory

SourceSKILL.md
23ssh-add ~/.ssh/your_wp_key
critical line 25

Access to SSH directory

SourceSKILL.md
254. **Server host key verified:** The user should have connected to the server at least once and accepted the host key, so it exists in `~/.ssh/known_hosts`.
critical line 33

Access to SSH directory

SourceSKILL.md
33- `WP_SSH_KEY` — Path to SSH private key file (e.g., `~/.ssh/wp_key`). Key must have `chmod 600` permissions.
critical line 44

Access to SSH directory

SourceSKILL.md
44- SSH host key verification is ENABLED (no `StrictHostKeyChecking=no`) — the server must already be in `~/.ssh/known_hosts`
low line 114

Access to .env file

SourceSKILL.md
114RSYNC_EXCLUDE="--exclude='*.php' --exclude='wp-config*' --exclude='.htaccess' --exclude='*.sql' --exclude='*.log' --exclude='debug.log' --exclude='error_log' --exclude='.env' --exclude='*.bak' --exclu
low line 125

Access to .env file

SourceSKILL.md
125find ./build/site -name '*.php' -o -name 'wp-config*' -o -name '.htaccess' -o -name '.env' | head -20
low line 191

Access to .env file

SourceSKILL.md
191find ./public -name '*.php' -o -name 'wp-config*' -o -name '.htaccess' -o -name '.env'
medium line 206

Access to .env file

SourceSKILL.md
206- NEVER commit credentials to git (.gitignore must exclude .env, *.key, *.pem)
medium line 211

Access to .env file

SourceSKILL.md
211- NEVER rsync PHP files, wp-config, .htaccess, .env, or SQL dumps from the server
low line 34

External URL reference

SourceSKILL.md
34- `WP_SITE_URL` — WordPress site URL (e.g., `https://example.com`)
low line 160

External URL reference

SourceSKILL.md
160- `<link rel="https://api.w.org/"...>`, `<link rel="shortlink"...>`
Scanned on Feb 16, 2026
View Security Dashboard
Installation guide →
GitHub Stars 2.2K
Rate this skill
Categorydevelopment
UpdatedApril 10, 2026
openclawbackendfrontend-developerbackend-developerdevops-sreproduct-managergrowth-pmgithubdevelopmentproduct
openclaw/skills