Audit the site
before it hacks itself.
40-point full-stack review. What Wordfence can't see. Written report, prioritized fixes, hardening playbook. Usable by any future developer.
What's in the audit
Core & code
- → WordPress core version + patch status
- → Plugin CVE history (every installed plugin)
- → Theme audit for backdoors
- → wp-config hardening (salts, DB prefix, file-edit disable)
Users & access
- → Admin / editor account review
- → Weak or reused passwords
- → 2FA coverage
- → Session and cookie hardening
Server & transport
- → File permissions across wp-content
- → .htaccess / nginx.conf review
- → SSL cert + HSTS + security headers
- → xmlrpc and REST API exposure
Database & content
- → wp_options sweep (siteurl, home, custom keys)
- → wp_posts injection scan
- → wp_users unknown-account scan
- → Suspicious cron entries
Backups & recovery
- → Backup existence + off-site storage
- → Restore drill (actually tested)
- → Retention policy vs threat model
- → Encryption at rest
Monitoring
- → File integrity monitoring
- → Uptime + status checks
- → Search Console security alerts
- → Log retention + review cadence
“A firewall stops the opportunists. An audit finds the door that's already open.”
FAQ
How is a security audit different from installing Wordfence?
Wordfence is a firewall. One layer. A real audit reviews everything that firewall can't see. Outdated plugins with known CVEs. Admin accounts you forgot about. Weak salts in wp-config. World-writable file permissions. Exposed xmlrpc.php. Database backdoors from a previous infection. Monitoring gaps. Firewalls stop opportunistic attacks. Audits find the door that's already open.
Do I need one if my site isn't ecommerce?
Yes. Non-ecommerce WordPress sites get hacked for three reasons that don't need your customer data. One, SEO cloaking or pharma injection to hijack your search rankings. Two, crypto miners exploiting your server. Three, becoming a spam relay. All three are silent. You won't notice until Google Safe Browsing flags you.
What does the audit actually cover?
The full 40-point stack. WordPress core version and patch status. Every active plugin's CVE history. Theme audit for backdoors. Admin and editor user review. wp-config hardening (salts, DB prefix, disallow file edit, secure keys). File permissions across wp-content. .htaccess review. xmlrpc and REST API exposure. Database sweep for suspicious options, users, and post_content. SSL plus HSTS plus security headers. Backup and restore verification. Monitoring gap analysis.
How is this different from your malware removal service?
This is proactive. Before infection. Malware removal is reactive. After infection. Sites that book the audit tend not to need the removal. Sites that skip the audit almost always need it eventually.
How long does it take?
Three to five business days. Day one and two are the full audit and scans. Day three is the written report with prioritized fixes. Days four and five are optional remediation of critical and high findings, if you want me to do them (not just report them). Emergency 48-hour audits are available.
What do I actually receive?
A written PDF report, usually 15 to 30 pages. Executive summary, risk score, findings prioritized by severity, screenshots and evidence, exact remediation steps, and a hardening playbook. Plus a 45-minute walkthrough call. Everything documented, usable by you, a future developer, or a compliance auditor.
Cost?
Standard audit is $850 for content sites, $1,400 for WooCommerce or membership sites, $2,200 for high-value sites with six-figure monthly revenue or sensitive data. Remediation of findings is billed separately, quoted after the audit. You're not committed to anything beyond the audit itself.
Where to go next
WordPress malware removal
Already infected? Skip the audit and start the reactive playbook here.
Read →ADA compliance
Security and accessibility often surface together in legal review. Audit both.
Read →Ongoing maintenance
The audit is the snapshot. The maintenance plan keeps you clean month over month.
Read →