threatover Patrik Grobshäuser
Code review

Plugin & theme audit.

A manual source-code security review of a WordPress plugin or theme.

fixed-price per codebase

What this is

Static source review.

I get a copy of your plugin or theme source and I read it. Function by function. Endpoint by endpoint. I look for the patterns that turn into compromises six months later — the ones a linter and a scanner miss because they're about intent, not syntax.

Then I write up what I found, how to reproduce each issue, and how to fix it without breaking the feature it sits inside.

Who books this

  • Plugin authors preparing a submission to the WordPress.org repo or a paid marketplace.
  • Developers shipping a custom integration to a specific customer who's asked for an audit.
  • Site owners who inherited a custom plugin or theme and don't trust it.
  • Agencies acquiring a plugin and wanting due diligence on the codebase before signing.

Coverage

What I look for

Capability checks

Every admin-only action verified for current_user_can() and the right capability — not just is_user_logged_in().

Nonces & CSRF

Every state-changing request verified for a valid, action-bound nonce. Easy to forget, and a common cause of CSRF-to-RCE chains.

Input handling

Sanitisation and validation of every user input — not just on save, but at every layer (REST, AJAX, shortcode, block, CLI command).

Output escaping

Every echo / printf / template variable wrapped in the right escaper (esc_html, esc_attr, esc_url, wp_kses). Reflected XSS is still the most common WordPress finding.

Database access

Prepared statements throughout. No string concatenation into $wpdb->query(). $wpdb->prepare() with the right format specifiers.

File operations

Upload handlers, file deletes, file reads — all checked for path traversal, type validation, and execution-prevention in upload directories.

Dangerous functions

Uses of eval, unserialize, system, exec, preg_replace with the /e modifier, and extract — flagged and reviewed in context.

Authentication flow

Custom login, password reset, OAuth, API token handling — any time the plugin moves identity around, I look closely.

Dependencies

Bundled libraries (jQuery, Composer packages, npm builds) checked for known vulnerable versions and any forks of upstream code.

Telemetry & egress

Any outbound HTTP request reviewed — what's sent, where, and whether the response is trusted blindly.

Update channel

If the plugin self-updates from a non-WordPress.org source, the update channel's integrity is reviewed end-to-end.

Multisite & roles

Network admin vs site admin separation, super-admin escalation paths, role-restricted actions across the network.
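The kind of finding the list above describes, shown on one admin-side AJAX handler before and after hardening. This is an added illustration, not code from this page or from any plugin; the hook name, table name, option capability and request field are assumed.

```php
<?php
// BEFORE: what the "capability checks", "nonces & CSRF", "database access"
// and "output escaping" items would each flag. Not registered with
// add_action() here on purpose; it only illustrates the pattern.
function tvr_demo_delete_note_vulnerable() {
    global $wpdb;
    // wp_ajax_* hooks only fire for logged-in users, so this relies on
    // "is logged in" alone: no capability check, no nonce, so any
    // subscriber (or, via CSRF, any logged-in admin's browser) can call it.
    $id = $_POST['note_id'];
    // Raw request value concatenated into SQL (assumed table name).
    $wpdb->query( "DELETE FROM {$wpdb->prefix}tvr_notes WHERE id = $id" );
    // Raw request value echoed back into the response: reflected XSS.
    echo 'Deleted note ' . $_POST['note_id'];
    wp_die();
}

// AFTER: the hardened form of the same handler.
function tvr_demo_delete_note_hardened() {
    global $wpdb;
    // Nonce bound to this specific action (created client-side with
    // wp_create_nonce( 'tvr_delete_note' )); dies with 403 on mismatch.
    check_ajax_referer( 'tvr_delete_note', 'nonce' );
    // Capability for the action itself, not merely "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Validate the input down to the type the query expects.
    $id = isset( $_POST['note_id'] ) ? absint( wp_unslash( $_POST['note_id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    // Prepared statement with a format specifier matching the value type.
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}tvr_notes WHERE id = %d", $id )
    );
    // Escape anything sent back to the browser, even a value we validated.
    wp_send_json_success( array(
        'message' => esc_html( "Deleted note $id" ),
        'rows'    => (int) $deleted,
    ) );
}
add_action( 'wp_ajax_tvr_delete_note', 'tvr_demo_delete_note_hardened' );
```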

How it works

How the audit runs.

  1. Code handover: source (zip, git, or commit pin) with build context.
  2. Reading: line-by-line review. Findings with file:line references.
  3. Dynamic check: promising findings confirmed on a real install.
  4. Report & debrief: report, walk-through, and one re-test pass.

Pricing

Per codebase, fixed.

Quoted up front based on size and complexity. The numbers below are typical starting points; I send a fixed quote after seeing the code.

Small (quoted): up to ~3,000 lines of PHP. Single-purpose plugin or theme. Examples: form handler, custom post type, lightweight integration.

Large (custom quote): 10,000+ lines. Major plugin (WooCommerce extension, multilingual layer), platform-style codebase, or anything with a complex update channel and licensing layer.

Frequently asked

Common questions

Is this just a scanner run?

No. Scanners are part of the workflow (I run them for fast triage), but every finding in the report has been read in context by a human. Scanners ship false positives — I don't.

Can you sign an NDA before I send code?

Yes. I have a standard mutual NDA, and I'm happy to use yours if you prefer. Code is deleted 30 days after the engagement ends; the 30 days are kept only for the re-test pass.

Do you audit JavaScript and asset code too?

Yes, for security-relevant JS: admin UI scripts, Gutenberg blocks, asset upload handlers. I don't review frontend code for bugs unrelated to security.

Will you sign off for marketplace submission?

I can issue a letter of audit confirmation suitable for marketplaces that ask for one. I won't certify that a codebase has zero bugs — nobody honest does.

Email [email protected] or use the contact form.