Services / Security Hardening
Installing a security plugin and calling it done is the most dangerous thing you can do. It creates false confidence without closing the vulnerabilities that actually matter. Real hardening requires knowing what each attack vector looks like, where it enters your application stack, and how to close it at the correct layer.
Systematic
Attack surface reduction
NHS, Finance
Sectors served
GDPR, UK NCSC
Compliance frameworks
The gap
Security plugins are scanners and monitors. They detect known signatures, log login attempts, and alert you to problems that have already occurred. They do not close attack surfaces, they do not enforce authentication standards, and they do not configure your server to resist attack.
A genuinely hardened WordPress installation restricts what PHP can execute, removes information disclosure vectors, enforces strict Content Security Policy headers, disables functionality that exists for convenience but provides entry points for attackers, and limits privilege at the database level. These are configuration decisions, not plugin settings.
I have worked with NHS Scotland and financial sector clients where security posture is a compliance requirement, not a preference. The hardening methodology I apply reflects that standard, not a consumer-grade checklist.
One thing to understand about WordPress compromises: the most damaging ones show no obvious symptoms. A site operating as a link farm, serving spam to search engine crawlers while appearing clean to human visitors, can continue that way for months or years. The client in one of my case studies had been breached for eleven months before a routine audit caught it. The breach had not triggered a single alert. The security plugin had not reported anything unusual. The site was doing exactly what it looked like it was doing — serving normal pages — to anyone not specifically looking for the infection.
What is included
Every engagement begins with a security audit. I do not begin remediation until I understand the full attack surface. You receive a findings report with vulnerabilities ranked by severity and exploitability before any work is scoped.
A comprehensive inspection of your WordPress core, theme, plugins, file permissions, database user privileges, and server configuration. Vulnerabilities are ranked by actual severity and exploitability, not just CVE score. The audit covers authentication weaknesses, information disclosure vectors, injection vulnerabilities, and configuration failures, producing a prioritised findings report before any remediation is scoped.
Disabling file editing from wp-admin, blocking user enumeration, locking down XML-RPC, enforcing strong authentication, tightening Content Security Policy headers, configuring X-Frame-Options, X-Content-Type-Options, and Permissions-Policy, and restricting database user privileges to the minimum required. Every change is documented, explained, and reversible. Nothing is changed without you understanding what it does and why.
Forensic identification of every infected file, backdoor, and injected payload across your WordPress installation. This is not a scan-and-click process. I trace the infection vector to establish how the attacker entered, what they were able to access, and what persistence mechanisms they left behind, so re-infection does not happen. The engagement ends with a hardened installation, not just a cleaned one.
When your site has been compromised, speed matters. I work systematically to contain, clean, and harden under time pressure, with clear communication at every stage. I can access and repair WordPress installations via SSH, WP-CLI, or direct database connection even when the admin panel is inaccessible or the site is down. Google blacklisting, host account suspension, and search engine deindexation are all recoverable situations I have resolved.
Application-level firewall rules configured to block known WordPress attack patterns: XML-RPC abuse, wp-login.php credential stuffing, author enumeration, and injection attempts against common plugin endpoints. WAF configuration is tuned to your specific plugin and theme stack to avoid false positives that block legitimate traffic.
Scheduled security audits and vulnerability monitoring as part of a Care Plan, so security debt does not silently accumulate between projects. Includes monitoring for newly disclosed vulnerabilities in your specific plugin versions and proactive hardening updates as the threat landscape evolves.
Who this is for
Your site has been compromised and you need it cleaned, hardened, and back online as quickly as possible.
You operate in a regulated sector, healthcare or finance, where a breach carries compliance and reputational consequences beyond the immediate disruption.
You have a security plugin installed and are not confident it is actually protecting you.
Your site has been blacklisted by Google or flagged by browsers as dangerous.
You are about to launch a campaign, product, or event and cannot afford a security incident at that moment.
You want an ongoing relationship with a specialist who monitors and maintains your security posture rather than a one-off scan.
From the field
A SaaS provider's enterprise contract was blocked at due diligence stage after a US technology firm's security audit flagged Content Security Policy weaknesses and XSS exposure. The audit was passed and the deal was secured.
Read the full case studyEnterprise security audit
Contract status
Complete asset mapping of every script, stylesheet, and external resource loading on the platform — nothing assumed safe, everything verified against its source.
Strict Content Security Policy implemented on a zero-trust model — deployed in Report-Only mode first, then switched to Enforce once all violations were resolved.
The US technology firm's requirements were satisfied. The contract negotiation proceeded. Security compliance was the difference between winning and losing the deal.
FAQs
Hosting security and application security are different things. Your host is responsible for the infrastructure your site runs on. They are not responsible for your WordPress configuration, your plugin vulnerabilities, your file permissions, or your authentication practices. A hosting environment can be fully secure while the WordPress installation running on it is wide open.
A security plugin monitors and alerts. Hardening changes the configuration so there is less to monitor and fewer alerts to generate. Both have a role, but hardening is the foundation. A well-hardened WordPress installation running no security plugin is more secure than a weakly configured installation running multiple security plugins.
Many compromised sites show no obvious symptoms. Attackers routinely use compromised WordPress installations for email spam, SEO spam injection, credential phishing, and cryptomining, all without any visible disruption to the site itself. If you have not had a professional security audit in the past twelve months, you cannot assume your site is clean.
Yes. Google blacklisting is a consequence of detected malware or harmful content, not a permanent state. The recovery process involves removing all malicious content, hardening the installation to prevent re-infection, and submitting a reconsideration request through Google Search Console. Most sites are removed from the blacklist within 24 to 72 hours of a successful clean-up, provided the infection is fully resolved.
Yes. Ongoing security monitoring is available as part of a Care Plan. This includes continuous uptime and malware monitoring, proactive vulnerability alerts for your specific plugin versions, scheduled security audits, and priority incident response if something does occur.
From the blog
One hundred new WordPress vulnerabilities were disclosed in a single week. Spanning 87 plugins and one theme and affecting roughly 11.9 million active
WordPress powers approximately 43% of all websites globally. That concentration makes it an attractive target, and attackers need nothing more than a
If your site runs LiteSpeed Cache and the plugin version is below 7.8, an attacker can exploit a known vulnerability to gain elevated access to your
If you want an honest assessment of your current security posture before committing to any work, let's talk. I will tell you what I find.
