threatover
Penetration testing

Find the bugs before
someone else does.

We attack your WordPress site the way a real attacker would. Manually. Methodically. With the same playbook we've watched work against WordPress sites for years.

From $1,490  ·  1–3 weeks  ·  fixed-price engagement  ·  one re-test pass included

What this is

Adversarial, not theoretical.

A penetration test is not a scanner run. It's a focused, time-boxed engagement where someone with the skill and intent to compromise your site tries to compromise your site — within agreed rules — and documents exactly what worked.

We've cleaned a lot of WordPress sites. That experience tells us where to push first: outdated plugins, weak admin password policies, exposed XML-RPC, fragile WooCommerce checkout flows, custom code added in a hurry.

Three flavours

  • Black-box

    No prior access. We're treated like any internet visitor. Best for measuring "how exposed are we from outside?"

  • Grey-box

    Low-privileged account (subscriber, contributor, WooCommerce customer). Best for measuring impact of one compromised user account.

  • Authenticated

    Admin or editor access provided. Best when the role itself can do damage (most builds with rich plugin permissions).

Scope coverage

What we look at

Every pentest is scoped to your specific site. The categories below are the default surface — we add or remove based on what you actually run.

Authentication

Login flow, password reset, 2FA implementation, brute-force protection, session handling, role separation.

Plugins & themes

Known-vulnerable versions, custom plugins, premium plugins, abandoned plugins still installed but disabled.

Permissions

What a subscriber, contributor, author, and editor can actually do — including privilege escalation paths between roles.

API surface

REST API endpoints, XML-RPC, AJAX handlers, custom API routes, and any GraphQL exposed by plugins.

WooCommerce

Checkout, cart, account flows, coupon logic, payment gateway integration, customer data exposure.

File handling

Upload validation, EXIF / metadata injection, path traversal, executable content in uploads, media library permissions.

Input validation

Forms, search, comment, contact, and any user-input field — XSS, SQL injection, SSRF, template injection.

Headers & TLS

Security headers, HSTS, CSP, cookie flags, TLS configuration, certificate chain, mixed content.

Information leakage

Debug endpoints, exposed .git or .env files, user enumeration, verbose error messages, leaked stack traces.
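Several of the items above (an exposed .git or .env, user enumeration through the REST API, a reachable XML-RPC endpoint, missing security headers) can be recognised from a single response each. The script below is an added example written for this page, not threatover's tooling: it encodes those recognisers as small checks over a path-to-response map, so the logic is testable offline against constructed responses, and can also be pointed at a live site you are authorised to test. The paths are stock WordPress locations; the sample responses and the `leak-check` user agent string are assumptions made for the example.

```python
"""Recognisers for a few WordPress information-leakage and API-surface
indicators. Added example, not the page's or threatover's own code.
Usage: python leakcheck.py            -> runs against the constructed SAMPLE
       python leakcheck.py https://x  -> fetches the same paths from a live site
"""
import json
import re
from typing import Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# One HTTP response: (status, headers with lower-cased names, body text)
Response = Tuple[int, Dict[str, str], str]

# Headers whose absence on the front page is reported (Headers & TLS scope)
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


def _git_head(path: str, resp: Response) -> List[str]:
    status, _, body = resp
    # A readable HEAD means the whole repository (and history) is fetchable
    if status == 200 and body.lstrip().startswith("ref: refs/heads/"):
        return [f"exposed git repository: {path} is readable"]
    return []


def _dotenv(path: str, resp: Response) -> List[str]:
    status, _, body = resp
    # A real .env has KEY=value lines; a 403 or an HTML 404 page does not
    if status == 200 and re.search(r"^[A-Z][A-Z0-9_]*=", body, re.M):
        return [f"exposed environment file: {path} is readable"]
    return []


def _xmlrpc(path: str, resp: Response) -> List[str]:
    status, _, body = resp
    # Stock WordPress answers GET on xmlrpc.php with this text and HTTP 405
    if status in (200, 405) and "XML-RPC server accepts POST requests only" in body:
        return [f"XML-RPC enabled: {path} answers (enumerate methods via system.listMethods)"]
    return []


def _rest_users(path: str, resp: Response) -> List[str]:
    status, _, body = resp
    if status != 200:
        return []
    try:
        users = json.loads(body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    # 'slug' is user_nicename, which defaults to the login name
    slugs = [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]
    if slugs:
        return [f"user enumeration: {path} lists user slugs {', '.join(slugs)}"]
    return []


def _headers(path: str, resp: Response) -> List[str]:
    _, headers, _ = resp
    return [f"missing security header on {path}: {h}"
            for h in EXPECTED_HEADERS if h not in headers]


# Path -> recogniser; the same paths are fetched in a live run
CHECKS = {
    "/.git/HEAD": _git_head,
    "/.env": _dotenv,
    "/xmlrpc.php": _xmlrpc,
    "/wp-json/wp/v2/users": _rest_users,
    "/": _headers,
}


def assess(responses: Dict[str, Response]) -> List[str]:
    """Run every check whose path is present; return one line per finding."""
    findings: List[str] = []
    for path, check in CHECKS.items():
        if path in responses:
            findings.extend(check(path, responses[path]))
    return findings


def fetch(base_url: str, path: str, timeout: float = 10.0) -> Response:
    """Fetch one path from a live site (only for authorised targets)."""
    req = Request(base_url.rstrip("/") + path,
                  headers={"User-Agent": "leak-check/0.1"})  # assumed UA string
    try:
        with urlopen(req, timeout=timeout) as r:
            hdrs = {k.lower(): v for k, v in r.headers.items()}
            return r.status, hdrs, r.read(65536).decode("utf-8", "replace")
    except HTTPError as e:  # 4xx/5xx still carry a useful body (e.g. the 405 from xmlrpc)
        hdrs = {k.lower(): v for k, v in e.headers.items()}
        return e.code, hdrs, e.read(65536).decode("utf-8", "replace")
    except URLError:
        return 0, {}, ""


# Constructed responses for the offline run; not captured from any real site
SAMPLE: Dict[str, Response] = {
    "/": (200, {"content-type": "text/html", "x-content-type-options": "nosniff"},
          "<html><body>Hello</body></html>"),
    "/.git/HEAD": (200, {"content-type": "text/plain"}, "ref: refs/heads/main\n"),
    "/.env": (403, {"content-type": "text/html"}, "Forbidden"),
    "/xmlrpc.php": (405, {"content-type": "text/plain"},
                    "XML-RPC server accepts POST requests only."),
    "/wp-json/wp/v2/users": (200, {"content-type": "application/json"},
                             json.dumps([{"id": 1, "slug": "admin", "name": "Site Admin"}])),
}

if __name__ == "__main__":
    import sys
    responses = ({p: fetch(sys.argv[1], p) for p in CHECKS}
                 if len(sys.argv) > 1 else SAMPLE)
    for line in assess(responses):
        print(line)
```

Against the constructed sample the script reports the readable `.git/HEAD`, the enabled XML-RPC endpoint, the enumerable `admin` slug and three missing headers, and correctly stays silent on the `.env` path because the 403 body is not an environment file. In a live run, each finding is a starting point, not a result: a reachable xmlrpc.php matters only if methods such as pingback are actually exposed, and a missing header is reported in the context of what the site does.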

How it works

From kickoff to debrief.

  1. Scoping

     Targets, flavour, rules, timing.

  2. Recon

     Map the surface and integrations.

  3. Exploitation

     Break things by hand. Document every technique.

  4. Report & debrief

     Report, walk-through call, re-test pass.

Deliverable

The report you actually want.

Every pentest ships with a written report. It contains exactly what was tested, what was found, how to reproduce each finding, what the impact is, and a recommended fix that doesn't require buying a separate product.

Each finding includes:

  • Title and severity (critical, high, medium, low, informational)
  • Affected component (plugin name & version, endpoint, file path)
  • Steps to reproduce — the literal HTTP request, the curl one-liner, or the click-path
  • What an attacker could do with it (impact, not a CVSS lecture)
  • Specific remediation — for your codebase, not a generic OWASP link
  • References to relevant CVEs or research where they exist

Suitable for handing to a developer, an insurer, a compliance team, or a customer who's asked for evidence of testing.

Pricing

Fixed-price engagements.

Quoted before any work starts. Includes the written report, the debrief call, and one re-test pass.

Essential

$1,490

1 week

Brochure or content site running stock WordPress + a handful of well-known plugins. Black or grey-box.

  • Up to 1 site / subdomain
  • Up to 15 installed plugins
  • Written report + debrief
  • One re-test pass (within 90 days)

In-depth

Custom

2–3 weeks

Multisite networks, complex WooCommerce platforms, custom plugins shipping to thousands of sites, or sites under active compliance pressure.

  • Scoped per engagement
  • Source-code review included
  • Executive summary + technical report
  • Two re-test passes

Frequently asked

Common questions

Will the pentest take my site down?

Almost never. We don't run denial-of-service attacks, and we throttle our requests well below normal traffic levels. For most engagements we recommend staging, but we can test production on quiet windows with your sign-off.

Do I need to give you live customer data?

No. We prefer to test against a staging clone with synthetic data. Where production testing is required, we use accounts you create for us, and we don't access or retain customer data beyond what's strictly needed to demonstrate a finding.

Are you a registered penetration tester?

Yes. We're happy to share credentials, references, and a redacted sample report on a scoping call, and we'll sign a mutual NDA before that conversation if you'd like.

We just want "a pentest" for an insurance form. Do we need this?

Depends on the form. Some insurers accept a security audit (cheaper, structured) instead of a pentest. The scoping call covers this — we'd rather sell you the right thing than the bigger thing.

What if you find nothing?

The report still documents everything we tried, with negative results explicitly stated. "We attempted X, Y, Z and found no issues" is itself a valuable artifact for insurers and for your own peace of mind.

Site compromised? Start an engagement.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open the intake form →