Services / Security Hardening
Installing a security plugin and calling it done is the most dangerous thing you can do. It creates false confidence without closing the vulnerabilities that actually matter. Real hardening requires knowing what each attack vector looks like, where it enters your application stack, and how to close it at the correct layer.
Systematic
Attack surface reduction
NHS, Finance
Sectors served
GDPR, UK NCSC
Compliance frameworks
The gap
Security plugins are scanners and monitors. They detect known signatures, log login attempts, and alert you to problems that have already occurred. They do not close attack surfaces, they do not enforce authentication standards, and they do not configure your server to resist attack.
A genuinely hardened WordPress installation restricts what PHP can execute, removes information disclosure vectors, enforces strict Content Security Policy headers, disables functionality that exists for convenience but provides entry points for attackers, and limits privilege at the database level. These are configuration decisions, not plugin settings.
I have worked with NHS Scotland and financial sector clients where security posture is a compliance requirement, not a preference. The hardening methodology I apply reflects that standard, not a consumer-grade checklist.
One thing to understand about WordPress compromises: the most damaging ones show no obvious symptoms. A site operating as a link farm, serving spam to search engine crawlers while appearing clean to human visitors, can continue that way for months or years. The client in one of my case studies had been breached for eleven months before a routine audit caught it. The breach had not triggered a single alert. The security plugin had not reported anything unusual. The site was doing exactly what it looked like it was doing — serving normal pages — to anyone not specifically looking for the infection.
What is included
Every engagement begins with a security audit. I do not begin remediation until I understand the full attack surface. You receive a findings report with vulnerabilities ranked by severity and exploitability before any work is scoped.
A comprehensive inspection of your WordPress core, theme, plugins, file permissions, database user privileges, and server configuration. Vulnerabilities are ranked by actual severity and exploitability, not just CVE score. The audit covers authentication weaknesses, information disclosure vectors, injection vulnerabilities, and configuration failures, producing a prioritised findings report before any remediation is scoped.
Disabling file editing from wp-admin, blocking user enumeration, locking down XML-RPC, enforcing strong authentication, tightening Content Security Policy headers, configuring X-Frame-Options, X-Content-Type-Options, and Permissions-Policy, and restricting database user privileges to the minimum required. Every change is documented, explained, and reversible. Nothing is changed without you understanding what it does and why.
Forensic identification of every infected file, backdoor, and injected payload across your WordPress installation. This is not a scan-and-click process. I trace the infection vector to establish how the attacker entered, what they were able to access, and what persistence mechanisms they left behind, so re-infection does not happen. The engagement ends with a hardened installation, not just a cleaned one.
When your site has been compromised, speed matters. I work systematically to contain, clean, and harden under time pressure, with clear communication at every stage. I can access and repair WordPress installations via SSH, WP-CLI, or direct database connection even when the admin panel is inaccessible or the site is down. Google blacklisting, host account suspension, and search engine deindexation are all recoverable situations I have resolved.
Application-level firewall rules configured to block known WordPress attack patterns: XML-RPC abuse, wp-login.php credential stuffing, author enumeration, and injection attempts against common plugin endpoints. WAF configuration is tuned to your specific plugin and theme stack to avoid false positives that block legitimate traffic.
Scheduled security audits and vulnerability monitoring as part of a Technical Assurance Plan, so security debt does not silently accumulate between projects. Includes monitoring for newly disclosed vulnerabilities in your specific plugin versions and proactive hardening updates as the threat landscape evolves.
Who this is for
Your site has been compromised and you need it cleaned, hardened, and back online as quickly as possible.
You operate in a regulated sector, healthcare or finance, where a breach carries compliance and reputational consequences beyond the immediate disruption.
You have a security plugin installed and are not confident it is actually protecting you.
Your site has been blacklisted by Google or flagged by browsers as dangerous.
You are about to launch a campaign, product, or event and cannot afford a security incident at that moment.
You want an ongoing relationship with a specialist who monitors and maintains your security posture rather than a one-off scan.
11 months
Duration of silent breach
A professional services firm with an active client portal. Traffic was normal. No error messages. No defacements. No complaints. The site had been silently compromised for eleven months when a routine annual audit discovered the breach.
Database had grown from its expected size to 2.3GB — injected spam link data serving hidden content to Google's crawler while showing clean pages to human visitors.
A file manager backdoor providing unauthenticated remote access had been present for the entire duration. The infection vector was a form plugin vulnerability patched eight months earlier — after the attacker had already established persistence.
Full forensic remediation, hardening implementation, and a breach assessment for the client's UK GDPR regulatory obligations. No re-infection in eighteen months of subsequent monitoring.
FAQs
Hosting security and application security are different things. Your host is responsible for the infrastructure your site runs on. They are not responsible for your WordPress configuration, your plugin vulnerabilities, your file permissions, or your authentication practices. A hosting environment can be fully secure while the WordPress installation running on it is wide open.
A security plugin monitors and alerts. Hardening changes the configuration so there is less to monitor and fewer alerts to generate. Both have a role, but hardening is the foundation. A well-hardened WordPress installation running no security plugin is more secure than a weakly configured installation running multiple security plugins.
Many compromised sites show no obvious symptoms. Attackers routinely use compromised WordPress installations for email spam, SEO spam injection, credential phishing, and cryptomining, all without any visible disruption to the site itself. If you have not had a professional security audit in the past twelve months, you cannot assume your site is clean.
Yes. Google blacklisting is a consequence of detected malware or harmful content, not a permanent state. The recovery process involves removing all malicious content, hardening the installation to prevent re-infection, and submitting a reconsideration request through Google Search Console. Most sites are removed from the blacklist within 24 to 72 hours of a successful clean-up, provided the infection is fully resolved.
Yes. Ongoing security monitoring is available as part of a Technical Assurance Plan. This includes continuous uptime and malware monitoring, proactive vulnerability alerts for your specific plugin versions, scheduled security audits, and priority incident response if something does occur.
From the blog
A critical security flaw in the Burst Statistics WordPress plugin left more than 200,000 business websites exposed to complete administrative takeover,...
Slider Revolution is installed on millions of WordPress sites worldwide. If yours is among them, a recently disclosed security flaw means any logged-in...
Microsoft’s February 2026 Patch Tuesday fixed 58 security flaws across Windows and related software, six of which were already being used against real...
If you want an honest assessment of your current security posture before committing to any work, let's talk. I will tell you what I find.
