Manual testing — not a scanner

WordPress security audit by a human.

43% of the web runs WordPress — and most attacks on it are automated, opportunistic, and entirely preventable. We audit your site by hand, find what the bots will find first, and tell you exactly how to close it.

What is a WordPress security audit? A structured review of everything attackers target on a WordPress site: outdated or vulnerable plugins and themes, weak login and user-role configuration, missing security headers, exposed files and endpoints, and signs of existing compromise. Bug Circuit performs it manually — a human engineer, not just a scanner — and delivers a written report with exact fixes, from $49.

What we test on a WordPress site

  • Plugins & themes — known CVEs, abandoned plugins, and vulnerable versions (the #1 WordPress attack vector).
  • Login & authentication — brute-force exposure, user enumeration, XML-RPC abuse, 2FA posture.
  • User roles & access control — can a subscriber reach editor functionality? Can content leak between roles?
  • Core configuration — file permissions, debug modes, exposed backups, directory listing, wp-config leakage.
  • Security headers & TLS — CSP, HSTS, frame protection, cookie flags, certificate hygiene.
  • Forms, checkout & custom code — injection, CSRF and logic flaws in the parts scanners don't understand.
  • Compromise indicators — injected spam, rogue admin users, suspicious scheduled tasks.

Why manual testing matters for WordPress

Automated WordPress scanners are good at one thing: matching version numbers against CVE lists. They cannot tell you that your membership plugin lets logged-out users read paid content, that your checkout leaks order data, or that the admin account re-uses a password from a breach dump. Those are the issues that actually get small sites hacked — and they only surface when a person pokes at the logic. More on the difference here.

Every finding in your report is verified by hand. No 40-page false-positive dumps — just real issues, ranked by severity, each with a plain-English explanation and the exact fix.

How it works

  • 1. Free check first. Enter your domain below — passive recon shows your exposure in seconds, free.
  • 2. Prove you own it. Email, DNS, file or meta-tag verification plus a recorded Authorization to Test.
  • 3. Human audit. A senior tester works through the WordPress checklist above, by hand.
  • 4. Report & fixes. Written report with exact remediation steps — or on Signal, we fix the criticals with you and re-test.

Common questions

Do you need admin access to my WordPress site?
Not for the core audit — we test from the outside, the way an attacker would. If you grant a low-privilege test account we can additionally check role escalation and authenticated attack paths, which we recommend but never require.
Will the audit break or slow down my site?
No. Testing is rate-limited and non-destructive, and anything active only happens after you verify domain ownership and authorize testing. We never test sites you don’t own.
Is this just a WPScan run?
No — automated WordPress scanners are one input, but the value is the human pass: broken access control between roles, insecure plugin configurations, business-logic flaws in your forms and checkout, and verification that every reported issue is real (no false-positive dumps).
My WordPress site was already hacked — can you help?
Yes. The audit identifies how attackers likely got in and what to close first; the report gives you an ordered cleanup plan. On the Signal plan we work through the critical fixes with you and re-test afterwards.
What does it cost?
A yes/no critical-bug check is free. The full manual audit with a written report is $49 one-time. Audit plus fixes plus 3 months of monitoring is $299 — transparent pricing, no quote calls.

Keep reading

Check your WordPress site free

Passive check first — see what attackers see before spending a cent.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →