WordPress security audit by a human.
43% of the web runs WordPress — and most attacks on it are automated, opportunistic, and entirely preventable. We audit your site by hand, find what the bots will find first, and tell you exactly how to close it.
What we test on a WordPress site
- Plugins & themes — known CVEs, abandoned plugins, and vulnerable versions (the #1 WordPress attack vector).
- Login & authentication — brute-force exposure, user enumeration, XML-RPC abuse, 2FA posture.
- User roles & access control — can a subscriber reach editor functionality? Can content leak between roles?
- Core configuration — file permissions, debug modes, exposed backups, directory listing, wp-config leakage.
- Security headers & TLS — CSP, HSTS, frame protection, cookie flags, certificate hygiene.
- Forms, checkout & custom code — injection, CSRF and logic flaws in the parts scanners don't understand.
- Compromise indicators — injected spam, rogue admin users, suspicious scheduled tasks.
Why manual testing matters for WordPress
Automated WordPress scanners are good at one thing: matching version numbers against CVE lists. They cannot tell you that your membership plugin lets logged-out users read paid content, that your checkout leaks order data, or that the admin account re-uses a password from a breach dump. Those are the issues that actually get small sites hacked — and they only surface when a person pokes at the logic. More on the difference here.
Every finding in your report is verified by hand. No 40-page false-positive dumps — just real issues, ranked by severity, each with a plain-English explanation and the exact fix.
How it works
- 1. Free check first. Enter your domain below — passive recon shows your exposure in seconds, free.
- 2. Prove you own it. Email, DNS, file or meta-tag verification plus a recorded Authorization to Test.
- 3. Human audit. A senior tester works through the WordPress checklist above, by hand.
- 4. Report & fixes. Written report with exact remediation steps — or on Signal, we fix the criticals with you and re-test.
Common questions
Do you need admin access to my WordPress site?
Will the audit break or slow down my site?
Is this just a WPScan run?
My WordPress site was already hacked — can you help?
What does it cost?
Keep reading
Check your WordPress site free
Passive check first — see what attackers see before spending a cent.