A fixed-price WordPress security audit across three layers — server, application, and account. Ranked findings report plus the hardening done. From $390, most finished in 5 business days.
Most WordPress sites don’t get hacked through some exotic zero-day. They get hacked through an outdated plugin, a reused admin password, or a file-permission mistake nobody checked. A WordPress security audit finds those holes before someone else does, and then we close them.
We’ve cleaned up enough hacked WordPress sites to spot the pattern. The first sign is rarely the breach itself. It’s the SEO spam injection, the WP_DEBUG left on in production for three months, or the wp-config.php that ended up in /backups/wp-config-old.txt and got crawled by a scanner. The breach was already invited. The attacker just walked in.
We look at three layers, because that’s where the problems actually live.
Server: File permissions, PHP version, exposed services, SSL config, and whether your host isolates accounts.
Application: WordPress core, every plugin and theme, the database, the upload directory, and leftover staging files.
Account: Admin users, password hygiene, two-factor, and the login endpoint itself.
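As an added illustration, not the audit tooling used in this service, here is a small POSIX shell pass over a WordPress root that checks for the server- and application-layer mistakes named above: a world-readable wp-config.php, WP_DEBUG left on, the built-in file editor still enabled, and leftover config copies or dumps sitting under the web root. It assumes the WordPress root path is passed as its only argument.

```shell
#!/bin/sh
# Added example (not the agency's tooling): a minimal server/application-layer
# pass over a WordPress root. Prints one line per finding, prefixed HIGH/MEDIUM.
# Assumes a POSIX shell with grep, find and ls available.
wp_audit() {
  root="$1"
  cfg="$root/wp-config.php"
  [ -f "$cfg" ] || { echo "ERROR: $cfg not found"; return 1; }

  # Server layer: wp-config.php holds DB credentials. The 8th character of
  # "ls -l" output is the other-read bit, so "r" there means world-readable.
  if [ "$(ls -l "$cfg" | cut -c8)" = "r" ]; then
    echo "HIGH: $cfg is world-readable (fix: chmod 640 or 600)"
  fi

  # Application layer: WP_DEBUG left on shows paths and queries to visitors.
  if grep -Eiq "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
    echo "HIGH: WP_DEBUG is enabled in production"
  fi

  # Application layer: without DISALLOW_FILE_EDIT any admin account can edit
  # theme and plugin PHP from the dashboard, which a stolen password turns
  # into code execution.
  if ! grep -Eiq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
    echo "MEDIUM: DISALLOW_FILE_EDIT is not set"
  fi

  # Application layer: config copies, SQL dumps and .bak files under the web
  # root are served as static files by most hosts and get picked up by scanners.
  find "$root" -type f \( -name 'wp-config*' -o -name '*.sql' -o -name '*.bak' \) \
       ! -name 'wp-config.php' ! -name 'wp-config-sample.php' |
  while IFS= read -r f; do
    echo "HIGH: leftover file $f is inside the web root"
  done
}
```

Run it as `wp_audit /var/www/example` (path is a placeholder); an empty output means none of these four checks fired.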
In our incident work, most plugin breaches sit on the account and application layers. The checklist articles on page one of Google lump those together. We don't, because the fix is different for each one. Server issues need root or hosting-panel access. Application issues need WP-CLI or admin. Account issues need a policy change the client actually has to follow. Mix all three on one checklist and the report is easy to ignore.
We run the full scope on every audit. There's no "basic scan" that upsells you to a "real scan" later. Each item below is a separate pass. They overlap on purpose: a real attacker will chain a permission leak with a weak password, and tidy categories don't stop that.
You get a plain-English findings report, ranked by how likely each issue is to get you hacked. With it comes a fix list you can hand to any developer, or hand back to us. On the hardening tier we also apply the fixes: 2FA, login protection, security headers, permission corrections, and WAF rules. Every audit ends with a short call to walk through the report. No jargon, no upsell theatre.
Ranked by likelihood, scored by impact, written in English a non-developer can act on.
Hand it to any developer, or hand it back to us — your call.
2FA, login protection, security headers, permission corrections, and WAF rules.
Re-verified before signoff on the hardening tier.
A short call to walk through the report. No jargon, no upsell theatre.
A working document you keep, not a one-off PDF dump.
Five business days from kickoff to a hardened site, with a clear handoff in the middle so you know what we found before any code changes.
Same day: You give us SFTP and admin access, and we take a full backup before touching anything.
2–3 business days: We run the three-layer scan and then review by hand. The hand review is the part automated scanners miss.
Day four: Ranked findings, delivered as a document plus a walkthrough call.
Day five: On the hardening tier, we apply the fixes and re-scan to confirm.
The audit-only tier is $390. That covers the three-layer scan, the ranked findings report, and the walkthrough call. You take the fixes from there: your developer applies them, or you come back to us later.
Audit plus hardening is $690. We apply the fixes ourselves, re-scan to confirm, and sign off the site. Most clients pick this one, because applying the fixes is the part they don’t want to schedule and retest themselves.
If you’re already hacked, an audit is the wrong starting point. You need cleanup first, which is our compromise-recovery work and starts with restoration.
We don’t sell WordPress security as a monthly subscription you can’t cancel. Pay for the audit, walk away with a hardened site and a checklist. If you want ongoing monitoring afterwards we offer it — but that’s your call, not a condition of the audit.
This is one part of our website security services, and we run it across the whole stack: not just WordPress but the server and hosting underneath it. If you want the platform view first, start with our WordPress support overview. If your site sits on a panel like CyberPanel or behind Cloudflare, we tune the audit to that setup. And if you’re already compromised, the audit folds into a restoration and recovery plan, because there’s no point hardening a site that’s still infected.
We use the same three-layer pattern on OpenCart and Drupal sites. The scan tooling differs, but the risk model is the same. If you run a few of these on one hosting stack, ask about the bundle price.
If you are adding an AI chatbot to the same site, our AI chatbot install for WordPress includes an API-key safety check that often catches misconfigurations a separate security audit would flag.
For sites that also send transactional mail from the same server, our mail server SPF/DKIM/DMARC setup closes the email-side hardening gap.
If the site is also slow and you want speed and security in one engagement, see the WordPress Performance Pack for a fixed-price companion bundle.
We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.