threatover
Security services

Before something goes wrong.

Penetration testing, security audits, plugin and theme code review, and pre-launch checkups for WordPress. By people who clean compromised sites for a living — so we know exactly what to look for.

Two sides of the same work

We clean hacked sites. We also stop the next one.

Every cleanup teaches us something: which plugins get popped, which configurations leak, which deploy patterns fail under attacker pressure. We bring that experience back into proactive work — audits, pentests, and reviews — so your site doesn't end up on our cleanup list later.

Who hires us

  • Independent bloggers and shop owners who want a professional looking at their site once a year.
  • Agencies handing off a build and wanting a second pair of eyes on it before launch.
  • Plugin and theme developers who need a code audit for the WordPress.org repo, a marketplace, or a customer.
  • Companies whose insurer or contract requires an annual security review.

What we offer

Five services. Pick the one that fits.

Not sure which to pick?

Pick by the question you're asking.

Still unsure? Tell us what you're worried about and we'll point at the right one. →

How an engagement works

Same process every time.

  1. Scoping call

    A short call to understand the site, your concerns, and what success looks like. Free of charge.

  2. Written proposal

    A short document with scope, deliverables, timeline, and a fixed price. No surprises later.

  3. The work

    We do the audit or test. You get one check-in halfway through with a draft of what we've found so far.

  4. Report & debrief

    A written report you can hand to a developer or an insurer, plus a 30-minute walk-through call to answer questions.

Frequently asked

Common questions

How is a penetration test different from a security audit?

An audit is a structured top-down review against a checklist. A pentest is adversarial — we actively try to break in, the way someone with bad intentions would. Audits find what's missing on a checklist; pentests find what your specific build does wrong that no checklist would catch. Most clients benefit from one of each over time.

Do you need admin access?

It depends on the service. Pentests can be black-box (no access) or grey-box (low-privileged user); audits and code reviews always need read access to files and the database. The scoping call settles this — and any access we get is revoked at the end of the engagement.

How long does a typical engagement take?

Security checkups: 2–3 days. Pre-launch reviews and plugin audits: a week. Security audits: one to two weeks. Pentests: one to three weeks depending on scope. The proposal gives you a firm date range before any work starts.

Can we run this on staging instead of production?

Yes, and we prefer it. A faithful staging clone (same plugins, same versions, same configuration) gives us room to test without risking your live site. We always discuss target choice during scoping.

Will you re-test after we've fixed the findings?

Every pentest and audit includes one re-test pass within 90 days: we verify each finding marked 'fixed' and update the report with the new status. Further re-test rounds are quoted separately.

Site compromised? Start an engagement.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open the form →