threatover Patrik Grobshäuser
Comprehensive review

Security audit.

A structured review of configuration, code, users, hosting, and process, with a prioritised fix list.

fixed-price engagement

Audit vs pentest

Structured review.

An audit measures your site against a checklist of known good practices. It catches the things that are obviously off: outdated plugins, weak passwords, missing 2FA, exposed debug endpoints, hosting on shared infrastructure without proper isolation.

It's a great fit for: annual reviews, insurer requirements, due diligence before an acquisition, and "we built this two years ago and never looked back" sites.

When to pick this

  • You want a structured opinion on your site's overall security posture.
  • An insurer or a client is asking for an annual review.
  • You inherited a site and need to know what state it's in before touching it.
  • You're considering buying or selling a WordPress site and want due diligence.

The checklist

Seven layers, end-to-end.

Core

WordPress core

Version, update channel, modified core files, dropped features, deprecated patterns still in use.

Plugins

Plugin landscape

Every installed plugin reviewed for: version currency, known CVEs, maintainer activity, ownership changes, and whether you actually need it.

Themes

Theme code

Active theme reviewed for unsafe template patterns, inline scripts, third-party dependencies, and any code added "just for now" two years ago.

Users

Users & roles

Admin accounts, dormant users, role assignments, password policy, 2FA adoption, session lifecycle, and what each role can actually do.

Config

Configuration

wp-config secrets, file permissions, debug flags, file-edit lock, XML-RPC, REST API exposure, salts and auth keys.
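As an added illustration of the configuration layer (example code, not part of this page or the auditor's own tooling): a small Python checker that parses simple `define()` calls in a `wp-config.php` and flags debug output left on, a missing file-edit lock, salts still set to the sample placeholder, and an empty database password. The config fragment is constructed for the example and every value in it is made up.

```python
import re

# Constructed wp-config.php fragment for the example; every value is made up.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_PASSWORD', '' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'constructed-2' );
define( 'LOGGED_IN_KEY',    'constructed-3' );
define( 'NONCE_KEY',        'constructed-4' );
define( 'AUTH_SALT',        'constructed-5' );
define( 'SECURE_AUTH_SALT', 'constructed-6' );
define( 'LOGGED_IN_SALT',   'constructed-7' );
define( 'NONCE_SALT',       'constructed-8' );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
"""

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_SALT = "put your unique phrase here"  # placeholder from wp-config-sample.php

# Matches simple define( 'NAME', true|false|'string' ) calls only.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|['"]([^'"]*)['"])\s*\)""", re.I)


def parse_defines(text):
    """Return {CONSTANT: value}; PHP true/false become Python bools."""
    defines = {}
    for name, raw, quoted in DEFINE_RE.findall(text):
        defines[name] = raw.lower() == "true" if raw.lower() in ("true", "false") else quoted
    return defines


def audit_wp_config(text):
    """Return (severity, finding) tuples for the wp-config checks named above."""
    d = parse_defines(text)
    findings = []
    if d.get("WP_DEBUG") is True:
        # Unless WP_DEBUG_DISPLAY is explicitly false, WordPress prints errors into the page.
        sev = "medium" if d.get("WP_DEBUG_DISPLAY") is False else "high"
        findings.append((sev, "WP_DEBUG enabled on a live site"))
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("medium", "DISALLOW_FILE_EDIT not set; dashboard file editor is available"))
    for key in SALT_KEYS:
        if d.get(key) in (None, DEFAULT_SALT):
            findings.append(("high", f"{key} missing or still the sample placeholder"))
    if d.get("DB_PASSWORD", "") == "":
        findings.append(("high", "DB_PASSWORD is empty"))
    return findings
```

Run `audit_wp_config(open("wp-config.php").read())` against a real file to get the list; the sample above yields three high and one medium finding.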

Hosting

Hosting & TLS

Web server config, PHP version, TLS configuration, security headers, DNS hygiene, certificate management, isolation from neighbours on shared hosting.

Processes

Backups & people

Backup strategy (and whether the backups actually restore), deploy process, who has access to what, incident response readiness.

Optional add-on

WooCommerce or multisite layer

For shops or networks: payment surface review, order data exposure, customer account flow, network-level vs site-level admin separation.

How it works

Step by step.

  1. Kickoff

    Half-hour call. Scope confirmation and access handover.

  2. Walkthrough

    Work through the seven layers. Findings logged as I go.

  3. Draft review

    Mid-engagement check-in. No surprises at the end.

  4. Report & debrief

    Final written report and 30-minute call.

Deliverable

The report.

Plain English, prioritised, and structured so that both a developer and an insurer can read it without needing a translator.

Includes:

  • Executive summary (one page, suitable for non-technical readers)
  • Findings by severity, each with reproduction steps and recommended fix
  • Plugin and theme inventory with risk notes
  • A prioritised "this week / this month / this quarter" action list
  • Configuration snapshots and recommended changes

Frequently asked

Common questions

Do you fix the findings, or do we?

The audit fee covers identification and reporting. Remediation is a separate engagement — I can do it, or you can hand the report to your developers. Most clients do a mix.

Will an audit catch everything a pentest would?

No. An audit catches misconfigurations and known issues. A pentest catches the bugs nobody knew were there. They complement each other — most clients do an audit first, then a pentest when the audit findings are cleared.

How often should we have one?

For a stable site: once a year. After a major change (new theme, large plugin swap, migration, acquisition): right after. After an incident: as part of the cleanup, not separately.

Email [email protected] or use the contact form.