A full look at your WordPress.
Structured. Methodical. Boring in the best possible way. We walk the whole house — configuration, code, users, hosting, processes — and tell you what to fix first.
From $890 · 1–2 weeks · fixed-price engagement
Audit vs pentest
Structured, not adversarial.
An audit measures your site against a checklist of known good practices. It catches the things that are obviously off: outdated plugins, weak passwords, missing 2FA, exposed debug endpoints, hosting on shared infrastructure without proper isolation.
It's a great fit for: annual reviews, insurer requirements, due diligence before an acquisition, and "we built this two years ago and never looked back" sites.
When to pick this
- You want a structured opinion on your site's overall security posture.
- An insurer or a client is asking for an annual review.
- You inherited a site and need to know what state it's in before touching it.
- You're considering buying or selling a WordPress site and want due diligence.
The checklist
Seven layers, end-to-end.
WordPress core
Version and update channel (are minor and security releases applied automatically?), integrity of core files against the release checksums, features that have been removed from core but are still relied on, and deprecated patterns still in use.
Plugin landscape
Every installed plugin reviewed for: version currency, known CVEs, maintainer activity, ownership changes, and whether you actually need it.
Theme code
Active theme reviewed for unsafe template patterns, inline scripts, third-party dependencies, and any code added "just for now" two years ago.
Users & roles
Admin accounts, dormant users, role assignments, password policy, 2FA adoption, session lifecycle, and what each role can actually do.
Configuration
wp-config.php secrets (database credentials, auth keys and salts, and whether they are still the sample placeholders), file permissions, debug flags (WP_DEBUG and whether errors are rendered to visitors), the file-edit lock (DISALLOW_FILE_EDIT), XML-RPC, and which REST API endpoints answer without authentication.
Hosting & TLS
Web server config, PHP version, TLS configuration, security headers, DNS hygiene, certificate management, isolation from neighbours on shared hosting.
Backups & people
Backup strategy (and whether they actually restore), deploy process, who has access to what, incident response readiness.
WooCommerce or multisite layer
For shops or networks: payment surface review, order data exposure, customer account flow, network-level vs site-level admin separation.
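The Configuration layer above is the one most easily checked by script, and it is where the "weak setting beside the corrected one" picture is clearest. The following is an added example, not the audit firm's tooling: it parses the define() lines of a wp-config.php, flags debug mode, a missing file-edit lock, placeholder or reused auth keys and salts, a placeholder database password and admin pages not forced over TLS, and prints the replacement define() for each. Both config files are constructed samples; the 32-character salt threshold and the severities are this example's own judgement calls.

```python
"""Static check of a wp-config.php against the Configuration layer of the checklist."""
import hashlib
import re
import secrets

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER_SALT = "put your unique phrase here"   # text shipped in wp-config-sample.php
MIN_SALT_LEN = 32                                  # assumption; WordPress-generated salts are 64 chars

# One define() per line, as WordPress writes them; the value is captured raw.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]([A-Za-z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")

# Constructed sample of a weak wp-config.php (not taken from any real site).
WEAK_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wp_shop' );
define( 'DB_PASSWORD', 'password_here' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6A7B8C9D0E1F2' );
define( 'LOGGED_IN_KEY',    'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6A7B8C9D0E1F2' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'WP_DEBUG', true );
$table_prefix = 'wp_';
"""

# The corrected counterpart. Salts are sha256(name) only so the sample is deterministic;
# on a real site fetch them from api.wordpress.org/secret-key/1.1/salt/ or use secrets.
HARDENED_WP_CONFIG = "<?php\n" + "".join(
    f"define( '{k}', '{hashlib.sha256(k.encode()).hexdigest()}' );\n" for k in SALT_KEYS
) + """define( 'DB_PASSWORD', 'Lz7qW3mP9xV2kR4tB8nH6' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
"""


def parse_defines(php_text):
    """Return {CONSTANT: value}: quoted strings unquoted, true/false as bools, else raw PHP."""
    out = {}
    for name, raw in DEFINE_RE.findall(php_text):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            out[name] = raw[1:-1]
        elif raw.lower() in ("true", "false"):
            out[name] = raw.lower() == "true"
        else:
            out[name] = raw
    return out


def audit(php_text):
    """Return findings sorted high -> low; each carries the define() line that fixes it."""
    cfg = parse_defines(php_text)
    findings = []

    def add(severity, constant, problem, fix):
        findings.append({"severity": severity, "constant": constant, "problem": problem, "fix": fix})

    if cfg.get("WP_DEBUG") is True:
        add("medium", "WP_DEBUG", "debug mode enabled on a live site", "define( 'WP_DEBUG', false );")
        # WP_DEBUG_DISPLAY defaults to true while WP_DEBUG is on, so an absent define
        # means PHP errors (paths, queries) are rendered to every visitor.
        if cfg.get("WP_DEBUG_DISPLAY") is not False:
            add("high", "WP_DEBUG_DISPLAY", "PHP errors rendered to visitors",
                "define( 'WP_DEBUG_DISPLAY', false );")

    if cfg.get("DISALLOW_FILE_EDIT") is not True:
        add("medium", "DISALLOW_FILE_EDIT", "theme/plugin editor reachable; any admin session is code execution",
            "define( 'DISALLOW_FILE_EDIT', true );")

    usable = {}  # value -> keys, to spot one secret pasted into several slots
    for key in SALT_KEYS:
        val = cfg.get(key)
        if not isinstance(val, str) or val == PLACEHOLDER_SALT or len(val) < MIN_SALT_LEN:
            add("high", key, "missing, placeholder or short key/salt; auth cookies become forgeable",
                f"define( '{key}', '{secrets.token_urlsafe(48)}' );")
        else:
            usable.setdefault(val, []).append(key)
    for keys in usable.values():
        if len(keys) > 1:
            add("medium", "/".join(keys), "same secret reused for several keys/salts",
                "use eight distinct values")

    if cfg.get("DB_PASSWORD") in (None, "", "password_here"):
        add("high", "DB_PASSWORD", "database password empty or still the sample placeholder",
            "set a random password in MySQL and in wp-config.php")

    if cfg.get("FORCE_SSL_ADMIN") is not True:
        add("low", "FORCE_SSL_ADMIN", "login and wp-admin not forced over HTTPS",
            "define( 'FORCE_SSL_ADMIN', true );")

    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_WP_CONFIG):
        print(f"[{f['severity']:6}] {f['constant']}: {f['problem']}\n         fix: {f['fix']}")
    print("hardened sample findings:", audit(HARDENED_WP_CONFIG))
```

Running it prints twelve findings for the weak sample and none for the hardened one. It is deliberately a static read of the file: it cannot tell you whether XML-RPC answers or which REST routes are open, which need a request against the live site, and it does not replace checking file permissions on the server itself.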
How it works
One to two weeks. Step by step.
- Step 1 · Kickoff. Half-hour call. Scope confirmation and access handover.
- Step 2 · Walkthrough. Work through the seven layers. Findings logged as we go.
- Step 3 · Draft review. Mid-engagement check-in. No surprises at the end.
- Step 4 · Report & debrief. Final written report and 30-minute call.
Deliverable
A report you can act on.
Plain-English, prioritised, and structured so a developer or an insurer can both read it without needing a translator.
Includes:
- Executive summary (one page, suitable for non-technical readers)
- Findings by severity, each with reproduction steps and recommended fix
- Plugin and theme inventory with risk notes
- A prioritised "this week / this month / this quarter" action list
- Configuration snapshots and recommended changes
Frequently asked
Common questions
Do you fix the findings, or do we?
The audit fee covers identification and reporting. Remediation is a separate engagement — we can do it, or you can hand the report to your developers. Most clients do a mix.
Will an audit catch everything a pentest would?
No. An audit checks for misconfigurations and already-known issues: outdated versions, published CVEs, missing controls. A pentest actively attacks the site to find flaws nobody has catalogued yet, including in your custom code. They complement each other; most clients do an audit first, then a pentest once the audit findings are cleared.
How often should we have one?
For a stable site: once a year. After a major change (new theme, large plugin swap, migration, acquisition): right after. After an incident: as part of the cleanup, not separately.
Do you do GDPR or PCI-DSS audits?
Not as a compliance certification. We're security people, not compliance auditors. But our audit will cover the security controls those frameworks expect — your compliance team can map our findings to their checklist.
Site compromised? Let's talk.
Send us what you know. You get a triage and a fixed quote in return — no obligation.