threatover
Before going live

Catch the things the last week hides.

A targeted review of a WordPress site that's about to go live. We look for the security issues that pile up in the final week, when everyone's racing the launch deadline.

From $390  ·  3–5 business days  ·  fixed-price engagement

Why this is its own service

Launches fail in specific ways.

A pre-launch site has a different threat profile than a mature one. The development team has been moving fast. Staging credentials are everywhere. The "we'll clean up after launch" list is long. Admin accounts that should have been removed weeks ago are still there.

We've watched a lot of sites get compromised in their first month — not from sophisticated attackers, from leftover artefacts of the build process. This review is designed to catch them before the site is publicly indexed.

Who books this

  • Agencies handing a build off to a client and wanting a second pair of eyes first.
  • In-house teams about to migrate from a staging environment to production.
  • Clients receiving a finished site who want to verify what they're inheriting.
  • Anyone replatforming from Squarespace, Wix, or another CMS to WordPress.

The launch checklist

What we catch

Leftover access

Dev / agency / contractor accounts that shouldn't ship to production. The classic "admin / password123" still set up for testing.

Staging copies

Old staging.example.com or example.com.staging.host still public, indexed, and serving an unpatched copy of the same site.

Debug endpoints

WP_DEBUG left on. /wp-admin/install.php reachable. /debug.php or similar one-offs accidentally committed.

Leaked secrets

.env, .git, README.md, deploy logs, or backup files (sql, zip) accessible at a URL.

Default content

Sample posts, Hello World, the default "admin" user, Akismet placeholder, sample plugin pages still public.

Forms & rate limits

Contact forms without anti-spam, login pages without brute-force protection, comment forms without CAPTCHA or hashcash.

Plugin hygiene

Plugins installed-but-deactivated (still on disk, still attackable). Trial versions, beta channels, plugins from sketchy sources.

Hardening defaults

File-edit lock, XML-RPC, REST API user-enumeration, salts, secure cookie flags, HSTS, security headers — all checked against current best practice.

Search & robots

"Discourage search engines" left on, or off when it shouldn't be. robots.txt, sitemap.xml, canonical URLs all sanity-checked.

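As an added example (not part of the original page or the reviewers' own tooling), the script below checks the text of a wp-config.php for three items from the checklist above: WP_DEBUG left on, the file-edit lock, and salts. The sample configs are constructed, and the parser assumes constants are defined with literal values rather than expressions.

```python
import re

# Line-leading define('NAME', value); calls. Assumption: values are literals, not expressions.
DEFINE_RE = re.compile(r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,\s*"""
                       r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]*?)\s*\)\s*;""", re.M)
BLOCK_COMMENT = re.compile(r"^[ \t]*/\*.*?\*/", re.M | re.S)
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

def parse_defines(php):
    """Map constant name to its raw literal; PHP keeps the first define of a name."""
    consts = {}
    for name, raw in DEFINE_RE.findall(BLOCK_COMMENT.sub("", php)):
        consts.setdefault(name, raw.strip())
    return consts

def php_truthy(raw):
    """PHP truthiness of a literal: the quoted string 'false' counts as true."""
    if raw and raw[0] in "'\"":
        return raw[1:-1] not in ("", "0")
    return (raw or "false").lower() not in ("false", "0", "null")

def audit(php):
    """Return launch-blocking findings for the text of one wp-config.php."""
    c = parse_defines(php)
    findings = []
    if php_truthy(c.get("WP_DEBUG")):
        findings.append("WP_DEBUG is on")
    if not (php_truthy(c.get("DISALLOW_FILE_EDIT")) or php_truthy(c.get("DISALLOW_FILE_MODS"))):
        findings.append("file editor is not locked")
    salts = [c.get(k, "''")[1:-1] for k in SALT_KEYS]
    if any(s in ("", PLACEHOLDER) for s in salts):
        findings.append("salt missing or still the sample placeholder")
    elif len(set(salts)) < len(salts):
        findings.append("salts are not unique")
    return findings

# Constructed sample inputs (not from any real site).
_SALTS = "\n".join(f"define( '{k}', 'constructed-{i}-);x' );" for i, k in enumerate(SALT_KEYS))
STAGING_LEFTOVER = """<?php
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', 'false' );
define( 'AUTH_KEY', 'put your unique phrase here' );
"""
LAUNCH_READY = "<?php\ndefine( 'WP_DEBUG', false );\ndefine( 'DISALLOW_FILE_EDIT', true );\n" + _SALTS

if __name__ == "__main__":
    print(audit(STAGING_LEFTOVER), audit(LAUNCH_READY))
```

The staging sample shows the edge case worth knowing: a quoted 'false' is a non-empty string, so PHP treats WP_DEBUG as enabled.
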
Timing

When to book.

Best

Two weeks before launch

Plenty of time to fix findings without delaying the launch. We can do a re-test pass before go-live.

Good

One week before

Still enough room for fixes. Re-test depends on how big the findings are.

Tight

Within 48 hours

Rush slot — possible but priced differently. Worth doing anyway: catching one critical issue saves a much worse incident a week later.

Frequently asked

Common questions

Is this a full security audit?

No — it's focused. A full audit (from $890) covers more ground, including process and configuration depth. The pre-launch review targets the specific failure modes of a new-site launch.

Can you also do the fixes?

Findings are written so your developer or agency can act on them. For agency clients, we can also push small fixes ourselves if you'd rather — quoted on top of the review.

What if you find nothing serious?

Great. The report still documents what we checked, with a "ready to launch" verdict. Useful for client handover and for the agency's own records.

Can we run this as a yearly thing?

Not really — once launched, the threat profile changes. After launch, the right cadence is one security audit a year, plus a pentest after any major change.
