Security service pillar
WordPress security audit
Security review without scare copy.
Send the site URL, hosting stack, plugin list, admin-access model, and current concern by email.
- Access: admins, roles, 2FA
- Plugins: risk, ownership, updates
- Backups: restore test, retention
- Incidents: logs, evidence, handoff
What I check
The audit covers user roles, admin accounts, plugin and theme provenance, update state, PHP and hosting configuration, backup quality, file integrity signals, WAF and headers, database exposure, form handling, and basic incident evidence.
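The "WAF and headers" item above is the one most often reduced to a checkbox, so here is what the header part of that check looks like in practice. This is an added example for this page, not the audit's own tooling: it parses a raw HTTP response head and grades the security headers a WordPress front end should be sending, with a weak response and a hardened response side by side. Both sample responses are constructed, not captured from any real site, and the 180-day HSTS threshold is an assumption chosen as a sensible audit minimum.

```python
"""Security-header check for a WordPress front end.

Added example for this page, not the audit's own tooling. Both sample
responses below are constructed; the thresholds are audit assumptions.
"""
from __future__ import annotations

import re

# Constructed: a site with TLS and a WAF in front, but headers left at defaults.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.10
Strict-Transport-Security: max-age=3600
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Type: text/html; charset=UTF-8
"""

# Constructed: the same site after hardening. Note that the check below only
# tests for presence and the basic directives; it does not rate CSP strength,
# and a real WordPress CSP needs tuning for theme and plugin inline scripts.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Type: text/html; charset=UTF-8
"""

HSTS_MIN_AGE = 15552000  # 180 days; assumed audit minimum, not a standard
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response head into a lower-cased name -> value dict.

    The status line is skipped and repeated headers are comma-joined, which
    is the combining rule RFC 9110 allows for list-valued fields.
    """
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # end of head, body follows
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_headers(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; severity is 'high', 'medium' or 'low'."""
    findings: list[tuple[str, str]] = []

    # HSTS: missing is the only header gap rated high, since it re-opens downgrade.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        max_age, include_sub = 0, False
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val.strip())
            elif key.lower() == "includesubdomains":
                include_sub = True
        if max_age < HSTS_MIN_AGE:
            findings.append(("medium", f"HSTS max-age={max_age} is below {HSTS_MIN_AGE} seconds"))
        if not include_sub:
            findings.append(("low", "HSTS lacks includeSubDomains"))

    # CSP: enforced beats report-only beats nothing.
    csp = headers.get("content-security-policy")
    csp_ro = headers.get("content-security-policy-report-only")
    if csp is None and csp_ro is None:
        findings.append(("medium", "No Content-Security-Policy (enforced or report-only)"))
    elif csp is None:
        findings.append(("low", "Content-Security-Policy is report-only; nothing is enforced"))

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive must exist.
    frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if "x-frame-options" not in headers and not frame_ancestors:
        findings.append(("medium", "No X-Frame-Options and no CSP frame-ancestors: pages can be framed"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not 'nosniff'"))

    referrer = headers.get("referrer-policy", "").lower()
    if not referrer:
        findings.append(("low", "Referrer-Policy missing"))
    elif referrer in WEAK_REFERRER:
        findings.append(("low", f"Referrer-Policy '{referrer}' sends full URLs to other origins"))

    if "permissions-policy" not in headers:
        findings.append(("low", "Permissions-Policy missing"))

    # Version disclosure: not exploitable by itself, but it shortens an attacker's recon.
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(("low", f"Server header discloses a version: '{server}'"))
    if "x-powered-by" in headers:
        findings.append(("low", f"X-Powered-By discloses the runtime: '{headers['x-powered-by']}'"))

    return findings


def summarise(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per severity so the result can go straight into the findings list."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_headers(parse_headers(raw))
        print(f"{label}: {summarise(found)}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

Run against a live site by pasting the response head from `curl -sI https://example.com` (hypothetical host) into the parser. Fetching is left out on purpose: the same check should run over a header block captured in the evidence folder, so the finding stays reproducible after the site changes.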
What I avoid
I do not turn security into theatre. A useful audit does not promise that nothing bad can happen. It tells you which risks are real, which controls are missing, which fixes should happen first, and which findings are only noise.
How the output is useful
You receive a short executive summary, a technical findings list with severity, and a practical remediation queue. Critical items are separated from hardening work, so developers, owners, and hosting support can act without guessing.
Frequently asked questions
What is included in a WordPress security audit?
Access review, plugin and theme risk, update state, hosting configuration, backups, logs, malware indicators, hardening gaps, and a prioritised remediation list.
Do you remove malware?
Yes, when the scope includes remediation. Cleanup needs a known backup state, hosting, file, and database access, and a clear decision on downtime or maintenance mode before work starts.
Is this the same as NIS2 or DORA readiness?
No. A security audit can feed NIS2 or DORA work, but compliance readiness needs a wider vendor, process, incident, and evidence review.
Can you audit WooCommerce?
Yes. WooCommerce audits add checkout, payment, order data, customer data, webhooks, fulfilment integrations, and admin workflows.
How often should a site be audited?
Business sites usually need a deeper audit at least yearly, with faster review after incidents, major plugin changes, new admin access, or hosting migration.
Explore other WordPress services and knowledge base
Strengthen your business with professional technical support in key areas of the WordPress ecosystem.
NIS2 and DORA scope mapping, supplier register, incident runbook.
Audit, hardening, and incident risk reduction.
WCAG 2.2, BFSG, EAA conformance report and remediation backlog.
Stability, updates, and post-launch support.
Custom WordPress engineering and architecture.
Headless WordPress, Sanity, Strapi, and Contentful with Astro or Next.js.
Supporting articles
CRA covers products with digital elements. NIS2 covers entities. DORA covers financial entities. When all three apply at once, headless WordPress sits at the intersection. I sketch what the joint evidence package looks like in 2026.
The NIS2 Directive (2022/2555) was to be transposed into national law by 2024-10-17. The DORA Regulation (2022/2554) applies directly from 2025-01-17. For a WordPress site operator this means specific obligations where the site belongs to or serves a regulated entity. I explain it without panic, with references to the texts of the acts.
Article 21 of Directive 2022/2555 lists ten risk-management measures every in-scope entity must implement. I map each one to a WordPress agency control, with the evidence file each one requires for audit.
Related security surfaces
Security work is clearer when audit, maintenance, compliance, and remediation are treated as separate scopes.
Scope security audit