Service pillar 4 of 4 · Security

Hardening, monitoring, incident-ready WordPress.

So when you wake up to a Wordfence alert, the answer is "blocked at the firewall." Audit delivered in 5 business days.

What's in scope

Eight things every WordPress site should have.

The plugin sees the things in WordPress; the rest sits between WordPress and the world.

Hardening audit

With a prioritized fix list.

WAF / firewall configuration

Cloudflare, Wordfence Premium, or Patchstack.

Login protection

2FA, login throttling, custom login URL, IP allowlisting.

Malware & integrity monitoring

With same-day alert on compromise.

SSL / HSTS / security headers

CSP, X-Frame-Options, Permissions-Policy.

User & role audit

Least privilege, removing stale admins.

REST API / XML-RPC

Exposure review and lockdown.

Backup verification

Backups that aren't tested aren't backups.

What's NOT in scope

Honest about where my work ends.

For these you want a credentialed specialist — happy to refer.

Compliance

Formal penetration testing for compliance frameworks (SOC 2, ISO 27001, HIPAA)

DDoS

DDoS mitigation beyond Cloudflare's standard tier

Forensics

Forensic investigations for legal proceedings

Privacy law

Privacy / GDPR legal advice (technical implementation only)

Common questions

Security, specifically.

Is a security plugin enough?

It helps but it's not enough on its own. A typical WordPress hardening engagement also covers: WAF / firewall at the edge, file permissions, wp-config hardening, login URL changes, 2FA, role / user audit, and security header policy. The plugin sees the things in WordPress; the rest sits between WordPress and the world.

Do you do penetration testing?

I do offensive-style hardening reviews — checking for the vulnerabilities a real attacker would actually try (outdated plugins, weak admin auth, exposed XML-RPC, REST API leaks, file upload paths, etc.). I do not do formal pentests for SOC 2 / ISO 27001 / HIPAA compliance — for that you need a credentialed third-party firm, and I'll happily refer you to one.

What if I'm currently hacked?

Stop here, go to Emergency Help. Recovery first, hardening after. Trying to harden a compromised site usually just locks the attacker in deeper.

Do you do GDPR / cookie compliance?

I configure cookie banners and basic GDPR-required disclosures (privacy page, data export/delete via WordPress core), but I am not a lawyer. For regulated industries, work with privacy counsel and use this as the technical implementation arm.

Related reading: 10 essential WordPress security tips for 2026

Get a security baseline before you need one.

Hardening costs less than recovery. Send your URL — security audit back within 5 business days.
