threatover Patrik Grobshäuser
Penetration testing.

An adversarial, manual test of your WordPress site, authenticated and unauthenticated, within agreed rules.

1–3 weeks  ·  fixed-price engagement  ·  one re-test pass included

What this is

Adversarial test.

A penetration test is not a scanner run. It's a focused, time-boxed engagement where someone with the skill and intent to compromise your site tries to compromise your site — within agreed rules — and documents exactly what worked.

I've cleaned a lot of WordPress sites. That experience tells me where to push first: outdated plugins, weak admin password policies, exposed XML-RPC, fragile WooCommerce checkout flows, custom code added in a hurry.

Three flavours

  • Black-box

    No prior access. I'm treated like any internet visitor. Best for measuring "how exposed are we from outside?"

  • Grey-box

    Low-privileged account (subscriber, contributor, WooCommerce customer). Best for measuring impact of one compromised user account.

  • Authenticated

    Admin or editor access provided. Best when the role itself can do damage, which is the case for most builds where plugins grant editors broad capabilities.

Scope coverage

What I look at

Every pentest is scoped to your specific site. The categories below are the default surface — I add or remove based on what you actually run.

Authentication

Login flow, password reset, 2FA implementation, brute-force protection, session handling, role separation.

Plugins & themes

Known-vulnerable versions, custom plugins, premium plugins, and abandoned plugins that are still installed but deactivated (their PHP files stay on disk and remain directly requestable over HTTP even while the plugin is off).

Permissions

What a subscriber, contributor, author, and editor can actually do — including privilege escalation paths between roles.

API surface

REST API endpoints, XML-RPC, AJAX handlers, custom API routes, and any GraphQL exposed by plugins.

WooCommerce

Checkout, cart, account flows, coupon logic, payment gateway integration, customer data exposure.

File handling

Upload validation, EXIF / metadata injection, path traversal, executable content in uploads, media library permissions.

Input validation

Forms, search, comment, contact, and any user-input field — XSS, SQL injection, SSRF, template injection.

Headers & TLS

Security headers, HSTS, CSP, cookie flags, TLS configuration, certificate chain, mixed content.

Information leakage

Debug endpoints, exposed .git or .env files, user enumeration, verbose error messages, leaked stack traces.
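To make three of the scope items above concrete (API surface: XML-RPC; Headers & TLS: hardening headers and cookie flags; Information leakage: user enumeration), here is an added example of the kind of check that turns a raw response into a finding. It is not the author's tooling and not part of the original page. The checks take already-captured responses, so they run offline against the constructed samples at the bottom; `fetch()`, `run()`, the host `shop.example`, the finding texts and the severities are assumptions made for this example.

```python
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

XMLRPC_PROBE = (b"<?xml version='1.0'?><methodCall><methodName>system.listMethods"
                b"</methodName><params/></methodCall>")  # asks xmlrpc.php which methods it serves
SESSION_COOKIE_PREFIXES = ("wordpress_", "wp_woocommerce_session_", "PHPSESSID")

@dataclass
class Response:
    """Captured response: final URL, status, lower-cased headers (repeated Set-Cookie joined by \\n), body."""
    url: str
    status: int
    headers: dict
    body: str = ""

def fetch(url, data=None, timeout=10):
    """Live helper (assumed, not from the page); urllib follows redirects, so url is the final one."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "scope-check/0.1"})
    try:
        r = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as e:
        r = e
    hdrs = {}
    for k, v in r.headers.items():
        hdrs[k.lower()] = hdrs[k.lower()] + "\n" + v if k.lower() in hdrs else v
    return Response(r.geturl(), r.code, hdrs, r.read().decode("utf-8", "replace"))

def check_headers(r):
    """Headers & TLS: hardening headers and session-cookie flags on one response."""
    out, h = [], r.headers
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if "strict-transport-security" not in h:
        out.append(("low", "Strict-Transport-Security missing"))
    elif not m or int(m.group(1)) < 15552000:  # six months
        out.append(("low", "HSTS max-age below six months"))
    csp = h.get("content-security-policy", "")
    if not csp:
        out.append(("low", "Content-Security-Policy missing"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        out.append(("low", "no clickjacking protection (X-Frame-Options or frame-ancestors)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("low", "X-Content-Type-Options: nosniff missing"))
    for line in filter(None, h.get("set-cookie", "").split("\n")):
        name = line.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in line.split(";")[1:]}
        if name.startswith(SESSION_COOKIE_PREFIXES):
            for flag, sev in (("httponly", "medium"), ("secure", "medium"), ("samesite", "low")):
                if flag not in attrs:
                    out.append((sev, f"cookie {name} lacks {flag}"))
    return out

def check_user_enum(users, author):
    """Information leakage: nicenames (derived from the login by default) via REST and ?author=N."""
    out = []
    try:
        slugs = [u["slug"] for u in json.loads(users.body)] if users.status == 200 else []
    except (ValueError, TypeError, KeyError):
        slugs = []
    if slugs:
        out.append(("low", "REST API lists user nicenames: " + ", ".join(slugs)))
    m = re.search(r"/author/([^/?#]+)", author.url)  # final URL after the ?author=N redirect
    if author.status == 200 and m:
        out.append(("low", f"?author=N redirects to author archive, revealing nicename '{m.group(1)}'"))
    return out

def check_xmlrpc(r):
    """API surface: which XML-RPC methods the site advertises and why they matter."""
    out = []
    if r.status == 200 and "<methodResponse>" in r.body:
        methods = set(re.findall(r"<string>([\w.]+)</string>", r.body))
        if {"system.multicall", "wp.getUsersBlogs"} <= methods:
            out.append(("medium", "xmlrpc.php: multicall + wp.getUsersBlogs allow many login guesses per request"))
        if "pingback.ping" in methods:
            out.append(("low", "xmlrpc.php: pingback.ping enabled (usable as an SSRF/DDoS reflector)"))
    return out

def run(base):
    """Live mode against a site root such as https://shop.example (no trailing slash)."""
    return (check_headers(fetch(base + "/"))
            + check_user_enum(fetch(base + "/wp-json/wp/v2/users"), fetch(base + "/?author=1"))
            + check_xmlrpc(fetch(base + "/xmlrpc.php", data=XMLRPC_PROBE)))

# Constructed sample responses (shop.example is a placeholder host) so demo() runs offline.
SAMPLE_HOME = Response("https://shop.example/", 200, {
    "strict-transport-security": "max-age=300",
    "set-cookie": "wordpress_logged_in_abc=alice|1|x; path=/; HttpOnly\nPHPSESSID=k; path=/"})
SAMPLE_USERS = Response("https://shop.example/wp-json/wp/v2/users", 200, {},
                        json.dumps([{"id": 1, "slug": "alice"}, {"id": 2, "slug": "shop-admin"}]))
SAMPLE_AUTHOR = Response("https://shop.example/author/alice/", 200, {}, "<html>archive</html>")
SAMPLE_XMLRPC = Response("https://shop.example/xmlrpc.php", 200, {}, "<methodResponse>"
    "<value><string>system.multicall</string></value><value><string>wp.getUsersBlogs</string></value>"
    "<value><string>pingback.ping</string></value></methodResponse>")

def demo():
    """Every check over the constructed samples; returns the findings list."""
    return check_headers(SAMPLE_HOME) + check_user_enum(SAMPLE_USERS, SAMPLE_AUTHOR) + check_xmlrpc(SAMPLE_XMLRPC)
```

`demo()` returns 13 findings for the constructed samples; `run("https://your-site")` performs the same checks live. Two caveats a tester keeps in mind: an empty answer from `/wp-json/wp/v2/users` only means no user has authored public content, not that the endpoint is disabled, and a missing `SameSite` attribute on the WordPress auth cookie is the core default, so it is worth reporting as a hardening item rather than as a defect in the site's own code.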

How it works

From kickoff to debrief.

  1. Scoping

     Targets, flavour, rules, timing.

  2. Recon

     Map the surface and integrations.

  3. Exploitation

     Break things methodically. Document every technique.

  4. Report & debrief

     Report, walk-through call, re-test pass.

Deliverable

The report.

Every pentest ships with a written report. It contains exactly what was tested, what was found, how to reproduce each finding, what the impact is, and a recommended fix that doesn't require buying a separate product.

Each finding includes:

  • Title and severity (critical, high, medium, low, informational)
  • Affected component (plugin name & version, endpoint, file path)
  • Steps to reproduce — the literal HTTP request, the curl one-liner, or the click-path
  • What an attacker could do with it — impact framed in your business terms
  • Specific remediation tied to your codebase — file, line, fix
  • References to relevant CVEs or research where they exist

Suitable for handing to a developer, an insurer, a compliance team, or a customer who's asked for evidence of testing.

Pricing

Fixed-price engagements.

Quoted before any work starts. Includes the written report, the debrief call, and one re-test pass.

Essential  ·  Quoted  ·  1 week

Brochure or content site running stock WordPress + a handful of well-known plugins. Black or grey-box.

  • Up to 1 site / subdomain
  • Up to 15 installed plugins
  • Written report + debrief
  • One re-test pass (within 90 days)

In-depth  ·  Custom  ·  2–3 weeks

Multisite networks, complex WooCommerce platforms, custom plugins shipping to thousands of sites, or sites under active compliance pressure.

  • Scoped per engagement
  • Source-code review included
  • Executive summary + technical report
  • Two re-test passes

Frequently asked

Common questions

Will the pentest take my site down?

Almost never. I don't run denial-of-service attacks, and I throttle my requests well below normal traffic levels. For most engagements I recommend staging, but I can test production on quiet windows with your sign-off.

Do I need to give you live customer data?

No. I prefer to test against a staging clone with synthetic data. Where production testing is required, I use accounts you create for me, and I don't access or retain customer data beyond what's strictly needed to demonstrate a finding.

Are you a registered penetration tester?

Yes. I'm happy to share credentials, references, and a redacted sample report on a scoping call, and to sign a mutual NDA before that conversation if you'd like.

We just want "a pentest" for an insurance form. Do I need this?

Depends on the form. Some insurers accept a security audit (cheaper, structured) instead of a pentest. The scoping call covers this — I'd rather sell you the right thing than the bigger thing.

What if you find nothing?

The report still documents everything I tried, with negative results explicitly stated. "Attempted X, Y, Z and found no issues" is itself a valuable artifact for insurers and for your own peace of mind.

Email [email protected] or use the contact form.