Read every line.
Find what hides.
A manual, line-by-line security review of a WordPress plugin or theme. By the same people who routinely find these issues during cleanup work.
From $590 · 5–10 business days · fixed-price per codebase
What this is
Static review, by hand.
We get a copy of your plugin or theme source and we read it. Function by function. Endpoint by endpoint. We look for the patterns that turn into compromises six months later — the ones a linter and a scanner miss because they're about intent, not syntax.
Then we write up what we found, how to reproduce each issue, and how to fix it without breaking the feature it sits inside.
Who books this
- Plugin authors preparing a submission to the WordPress.org repo or a paid marketplace.
- Developers shipping a custom integration to a specific customer who's asked for an audit.
- Site owners who inherited a custom plugin or theme and don't trust it.
- Agencies acquiring a plugin and wanting due diligence on the codebase before signing.
Coverage
What we look for
Every admin-only action verified for current_user_can() and the right capability — not just is_user_logged_in().
Every state-changing request verified for a valid, action-bound nonce. Easy to forget; common cause of CSRF-to-RCE chains.
Sanitisation and validation of every user input — not just on save, but at every layer (REST, AJAX, shortcode, block, CLI command).
Every echo / printf / template variable wrapped in the right escaper (esc_html, esc_attr, esc_url, wp_kses). Reflected XSS is still the most common WordPress finding.
Prepared statements throughout: no string concatenation into $wpdb->query(), and $wpdb->prepare() used with the right format specifiers.
Upload handlers, file deletes, file reads — all checked for path traversal, type validation, and execution-prevention in upload directories.
Uses of eval, unserialize, system, exec, preg_replace with the /e modifier, and extract — flagged and reviewed in context.
Custom login, password reset, OAuth, API token handling — any time the plugin moves identity around, we look closely.
Bundled libraries (jQuery, Composer packages, npm builds) checked for known vulnerable versions and any forks of upstream code.
Any outbound HTTP request reviewed — what's sent, where, and whether the response is trusted blindly.
If the plugin self-updates from a non-WordPress.org source, the update channel's integrity is reviewed end-to-end.
On multisite: network-admin vs site-admin separation, super-admin escalation paths, and role-restricted actions across the network.
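As an added illustration of the first five items above (not code from this page or from any real plugin): a hypothetical admin-ajax "delete note" handler, first with the defects the review targets, then hardened. The acme_ prefix, the table name and the nonce action name are assumptions.

```php
<?php
// Constructed example. A plugin-owned table "{$wpdb->prefix}acme_notes" and an
// admin-ajax action "acme_delete_note" are assumed; nothing here is from a real plugin.

// BEFORE (shown for contrast, intentionally NOT registered below):
// logged-in check only, no nonce, SQL built by concatenation, unescaped output.
function acme_delete_note_insecure() {
    if ( ! is_user_logged_in() ) {          // any subscriber passes this check
        wp_die( 'Forbidden' );
    }
    global $wpdb;
    $id = $_POST['id'];                     // untrusted and unvalidated
    // SQL injection: $id lands in the query verbatim.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}acme_notes WHERE id = $id" );
    echo 'Deleted note ' . $_POST['id'];    // reflected XSS: raw input echoed
    wp_die();
}

// AFTER: capability check, action-bound nonce, validated input, prepared
// query, escaped output.
function acme_delete_note_secure() {
    // Require the capability the action actually needs, not just a session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce bound to this action. The admin UI must send the value of
    // wp_create_nonce( 'acme_delete_note' ) in the "nonce" field;
    // check_ajax_referer() terminates the request on a mismatch.
    check_ajax_referer( 'acme_delete_note', 'nonce' );

    // Validate: the id must be a positive integer.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    global $wpdb;
    // Prepared statement with the %d specifier matching the integer id.
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}acme_notes WHERE id = %d", $id )
    );
    if ( false === $deleted ) {
        wp_send_json_error( 'database error', 500 );
    }
    // Escape at the point of output, even though $id is already an integer.
    echo esc_html( "Deleted note {$id}" );
    wp_die();
}
add_action( 'wp_ajax_acme_delete_note', 'acme_delete_note_secure' );
```

Only the hardened handler is hooked to the action; the insecure one exists solely so the two can be read side by side.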
How it works
Five to ten business days.
- Step 1: Code handover. Source (zip, git, or commit pin) with build context.
- Step 2: Reading. Line-by-line review. Findings with file:line references.
- Step 3: Dynamic check. Promising findings confirmed on a real install.
- Step 4: Report & debrief. Report, walk-through, and one re-test pass.
Pricing
Per codebase, fixed.
Quoted up front based on size and complexity. The numbers below are typical starting points; we send a fixed quote after seeing the code.
$590
Up to ~3,000 lines of PHP
Single-purpose plugin or theme. Examples: form handler, custom post type, lightweight integration.
$1,290
Up to ~10,000 lines
Multi-feature plugin or a complete custom theme. Includes JS / asset pipeline review.
Custom
10,000+ lines
Major plugin (WooCommerce extension, multilingual layer), platform-style codebase, or anything with a complex update channel and licensing layer.
Frequently asked
Common questions
Is this just a scanner run?
No. Scanners are part of the workflow (we run them for fast triage), but every finding in the report has been read in context by a human. Scanners ship false positives — we don't.
Can you sign an NDA before we send code?
Yes. We have a standard mutual NDA, and we're happy to use yours if you prefer. Code is deleted at the end of the engagement plus 30 days for re-test purposes.
Do you audit JavaScript and asset code too?
Yes for security-relevant JS — admin UI scripts, Gutenberg blocks, asset upload handlers. We don't review frontend code for bugs unrelated to security.
Will you sign off for marketplace submission?
We can issue a letter of audit confirmation suitable for marketplaces that ask for one. We won't certify that a codebase has zero bugs — nobody honest does.
Site compromised? Let's talk.
Send us what you know. You get a triage and a fixed quote in return — no obligation.