WordPress Security · Maryland WordPress security service

WordPress security service from a senior security expert who actually removes malware.

WordPress security service covering site hardening, WordPress malware removal, firewall setup, security audits, and emergency recovery. Hire a WordPress security expert who handles all four layers in one engagement. Fixed-scope from $750. Emergency recovery in 24-48 hours.

From $750 fixed-scope · 24-48 hr emergency recovery · Per-site hardening, no plugin defaults

Executive Summary

What is WordPress security?

WordPress security is the practice of preventing, detecting, and responding to attacks against a WordPress site. Quality WordPress security services cover four layers: hardening (wp-config, file permissions, user roles, plugin audit), firewall (Cloudflare WAF or Wordfence blocking attacks at the edge), authentication (two-factor authentication, failed login limits, geo-blocking), and monitoring (daily integrity scans, malware detection, written reports). The output is a WordPress site that resists 99 percent of automated attacks and recovers fast from the rare manual breach.

Investment: $750 (Audit) to $5,000+ (Recovery)
Delivery: 5-7 days standard, 24-48 hr emergency
Outcome: Hardened site, monitored, recoverable

Four security layers

Four layers that stop 99% of WordPress attacks.

WordPress security is not one fix; it is a stack. Each layer catches what the previous layer missed. A single security plugin covers parts of two layers; a real engagement covers all four.

Hardening

Site configuration

wp-config salts, file editing disabled, /wp-admin restricted, XML-RPC controlled, user role audit, plugin and theme version pinned.

Firewall

Web Application Firewall

Cloudflare WAF or Wordfence firewall blocking SQL injection, XSS, brute-force, and known exploit patterns at the edge.

Authentication

Login + access control

Two-factor authentication for admins, failed login limits, geo-blocking, application passwords for REST API, no shared accounts.

Monitoring

Detection + alerting

Daily file integrity scans, malware scanners, uptime monitoring, Search Console security alerts, weekly written reports.

What we cover

Twelve checks across four security layers.

Hardening, firewall, authentication, and monitoring. Every check is documented in the engagement changelog so future developers know what was changed and why.

01 Vulnerability scan via WPScan + plugin and theme version audit
02 wp-config.php hardening: salt rotation, file editing disabled, debug off
03 Login security: 2FA enforcement, failed login limits, /wp-admin lockdown
04 Database hardening: prefix change, user permission audit, query monitoring
05 File integrity baseline + daily scan via Wordfence or MalCare
06 Web Application Firewall: Cloudflare WAF or Wordfence Premium config
07 Malware scan: server-side, deep, with quarantine and clean process
08 XML-RPC restriction or full disable based on REST API requirements
09 User role audit: stale admins removed, role-based capability review
10 SSL / TLS configuration: HSTS, secure headers, CSP baseline
11 Backup verification: off-site daily backups tested for restore
12 Search Console security: Safe Browsing status + manual action review

When you need it

Six signals your WordPress site needs security work.

01

Site flagged by Google Safe Browsing

If your WordPress site shows the red warning in Chrome or Search Console, you have malware or a phishing redirect. Recovery removes the infection and submits the reconsideration request.

02

Suspicious admin users you don't recognize

New admin accounts you didn't create are the most common sign of compromise. A WordPress security audit identifies the entry point and locks it down before more damage is done.

03

Site running 30+ active plugins

Every active plugin is an attack surface. WordPress sites with 30+ plugins have measurably higher breach rates because vulnerable plugins go unpatched. Hardening starts with a plugin audit.

04

Pre-launch or post-redesign hardening

Before going live with a new WordPress site, harden it. Default WordPress installs ship with several settings that are convenient for setup but risky for production. Hardening takes 4 hours, costs $750, and prevents most common breaches.

05

Strange redirects or popups appearing

Visitors landing on your homepage but redirected to spam, gambling, or pharma sites means injected JavaScript or .htaccess malware. Server-side malware scan and clean is the only fix; security plugins miss this.

06

Inheriting a WordPress site

If you took over a WordPress site from another developer or agency, run a security audit. Old admin accounts, weak passwords, outdated plugins, and unmonitored backups are the norm, not the exception.

Paid service vs free WordPress security plugin

What a paid security engagement covers that a free WordPress security plugin skips.

| Security area | Free security plugin | Paid engagement |
| --- | --- | --- |
| Vulnerability scanning | Plugin scans local file changes only | WPScan API + manual code review of plugins, themes, and core |
| Malware removal | Plugin quarantines flagged files, breaks the site | Server-side scan, surgical clean, database injection removal, integrity verification |
| Hardening configuration | Generic toggle list | Per-site hardening: wp-config, .htaccess, file permissions, user roles, capability audit |
| Firewall configuration | Plugin firewall (server-bypassable) | Cloudflare WAF + Wordfence firewall in tandem, custom rules per site type |
| Hacked site recovery | Plugin support tells you to pay for premium | 24-48 hour incident response with reconsideration request and post-incident audit |
| Ongoing monitoring | Free tier = email alerts, paid tier = real monitoring | Daily file integrity, uptime, vulnerability database checks, weekly written report |

WordPress security FAQ

Seven questions before you book.

01 What is WordPress security?

WordPress security is the practice of preventing, detecting, and responding to attacks against a WordPress site. Quality WordPress security covers four layers: hardening (wp-config, file permissions, user roles, plugin audit), firewall (Cloudflare WAF or Wordfence blocking attacks at the edge), authentication (2FA, failed login limits, geo-blocking), and monitoring (daily integrity scans, malware detection, written reports). The output is a site that resists 99 percent of automated attacks and recovers fast from the rare manual breach.

02 How much does WordPress security cost?

Quality WordPress security services run $750 to $5,000+ depending on site complexity. A WordPress security audit alone runs $750 for sites under 50 pages. Standard hardening (audit plus implementation) runs $1,500. Emergency hacked site recovery runs $750 to $2,500 depending on infection depth. Ongoing monitoring runs $150 to $500/mo via care plans. Hourly WordPress security expert rates run $80 to $250/hr.

03 Can a free WordPress security plugin replace a security service?

Free WordPress security plugins (Wordfence Free, iThemes Security, All In One WP Security) handle 40 to 60 percent of the work. They scan for known malware signatures, log failed logins, and warn about outdated plugins. They do not perform per-site hardening, configure server-level firewalls, audit user roles for capability creep, or recover hacked sites. Free plugins are useful as a baseline but not a substitute for a real security engagement.

04 How do I know if my WordPress site is hacked?

Common signs of a hacked WordPress site include: Google Safe Browsing flag in Search Console, unfamiliar admin users in /wp-admin, strange redirects to spam or pharma sites, popups or ads you did not add, search results showing Japanese or pharma keywords for your domain, sudden traffic drop in Search Console, and unfamiliar files in /wp-content/uploads with .php extensions. If any of these match, do not just install a plugin. Get a real security audit and recovery.

05 How long does WordPress malware removal take?

Standard WordPress malware removal takes 24 to 48 hours from kickoff to clean confirmation. Simple infections (single injection, recent breach) clean in 4 to 8 hours. Deep infections (months of compromise, multiple backdoors, database injection) take 48 hours and may require a partial site rebuild. Google Safe Browsing reconsideration adds 1 to 14 days for Google to re-crawl and clear the warning, which is outside our control.

06 Will hardening my WordPress site break it?

Done correctly, hardening will not break a WordPress site. Done badly (generic security plugins applying every toggle), hardening can break image uploads, REST API features, page builders, and WooCommerce checkout flows. The difference is per-site testing: every hardening rule we apply is verified on staging before production. The Standard package includes a written changelog so you can revert any specific change if it conflicts with future development.

07 Do you offer ongoing WordPress security monitoring?

Yes. The Pro and WooCommerce care plans include daily security monitoring: file integrity scans, malware checks, uptime monitoring, vulnerability database alerts, and weekly written reports. The Essential care plan covers basic monitoring without security focus. Standalone monitoring without a care plan is available at $150/mo with a 12-month minimum. Most clients bundle security with care plans for cost efficiency.

Start a project

Ready to start your project?

Tell us about your project. We reply within 4 business hours, no sales pitch.

4-hour reply, business days · Fixed-scope, no retainer traps · Direct to founder