threatover Patrik Grobshäuser
WordPress audits

WordPress security audits.

WordPress-specific audits: penetration test, security audit, plugin and theme review, checkup, and pre-launch review.

Stack other than WordPress? See the penetration testing service.

Two sides of the same work

Find issues before they are exploited.

Every cleanup teaches me something: which plugins get popped, which configurations leak, which deploy patterns fail under attacker pressure. That experience goes back into proactive work — audits, pentests, and reviews — so your site doesn't end up on the cleanup list later.

Who hires me

  • Independent bloggers and shop owners who want a professional looking at their site once a year.
  • Agencies handing off a build and wanting a second pair of eyes on it before launch.
  • Plugin and theme developers who need a code audit for the WordPress.org repo, a marketplace, or a customer.
  • Companies whose insurer or contract requires an annual security review.

How an engagement works

Same process every time.

  1. Scoping call

     A short call to understand the site, your concerns, and what success looks like. Free of charge.

  2. Written proposal

     A short document with scope, deliverables, timeline, and a fixed price. No surprises later.

  3. The work

     The audit or test runs. You get one check-in halfway through with a draft of what I've found so far.

  4. Report & debrief

     A written report you can hand to a developer or an insurer, plus a 30-minute walk-through call to answer questions.

Frequently asked

Common questions

How is a penetration test different from a security audit?

An audit is a structured top-down review against a checklist. A pentest is adversarial — I actively try to break in, the way someone with bad intentions would. Audits find what's missing on a checklist; pentests find what your specific build does wrong that no checklist would catch. Most clients benefit from one of each over time.

Do you need admin access?

It depends on the service. Pentests can be black-box (no access) or grey-box (low-privileged user); audits and code reviews always need read access to files and the database. The scoping call settles this — and any access I get is revoked at the end of the engagement.

How long does a typical engagement take?

Security checkups: 2–3 days. Pre-launch reviews and plugin audits: a week. Security audits: one to two weeks. Pentests: one to three weeks depending on scope. The proposal gives you a firm date range before any work starts.

Can we run this on staging instead of production?

Yes, and staging is preferred. A faithful staging clone (same plugins, same versions, same configuration) means the tests can run without risking your live site; a clone that has drifted from production gives findings that may not apply to the site you actually run. Target choice is always discussed during scoping.
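A quick way to confirm that a staging clone is actually faithful before testing starts is to compare the plugin inventory of both hosts. The example below is added here and is not part of the original page or of any tool the author uses; the only real command it relies on is WP-CLI's `wp plugin list --format=json`, whose output is a JSON array with `name`, `status`, `update` and `version` fields. The two inventories embedded in the script are constructed samples, not data from any real site, and the labels "production" and "staging" are assumptions for illustration.

```python
import json

# Constructed sample output of `wp plugin list --format=json`, as you would get by
# running it on each host (e.g. over ssh). These are made-up plugin inventories,
# not data from a real site.
PRODUCTION_JSON = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "woocommerce", "status": "active", "update": "available", "version": "8.5.2"},
 {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.9"},
 {"name": "wp-mail-smtp", "status": "inactive", "update": "none", "version": "4.0.1"}
]"""

STAGING_JSON = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "woocommerce", "status": "active", "update": "none", "version": "8.6.0"},
 {"name": "contact-form-7", "status": "inactive", "update": "none", "version": "5.9"},
 {"name": "query-monitor", "status": "active", "update": "none", "version": "3.15.0"}
]"""


def plugin_map(wp_cli_json):
    """Index a `wp plugin list --format=json` document by plugin slug."""
    return {p["name"]: p for p in json.loads(wp_cli_json)}


def compare_plugins(production_json, staging_json):
    """Return drift between two inventories as (plugin, field, production, staging)
    tuples, sorted by plugin slug. Version and activation status are compared
    because both change which code paths are reachable during a test."""
    prod = plugin_map(production_json)
    stage = plugin_map(staging_json)
    drift = []
    for name in sorted(set(prod) | set(stage)):
        if name not in stage:
            drift.append((name, "presence", "installed", "missing"))
            continue
        if name not in prod:
            drift.append((name, "presence", "missing", "installed"))
            continue
        for field in ("version", "status"):
            if prod[name][field] != stage[name][field]:
                drift.append((name, field, prod[name][field], stage[name][field]))
    return drift


def is_faithful_clone(production_json, staging_json):
    """True only when no plugin differs in presence, version or status."""
    return not compare_plugins(production_json, staging_json)


if __name__ == "__main__":
    for plugin, field, prod_value, stage_value in compare_plugins(PRODUCTION_JSON, STAGING_JSON):
        print(f"{plugin:20s} {field:9s} production={prod_value} staging={stage_value}")
    print("faithful clone:", is_faithful_clone(PRODUCTION_JSON, STAGING_JSON))
```

Run the same comparison for `wp core version` and `wp theme list --format=json` if you want the full picture; the plugin list alone already catches the most common reason a staging finding fails to reproduce on production (a different plugin version, or a plugin active on one host and inactive on the other).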

Will you re-test after we've fixed the findings?

Every pentest and audit includes one re-test pass within 90 days: I verify each finding marked 'fixed' and update the report with the new status. Further re-test rounds are quoted separately.

Email [email protected] or use the contact form.