WordPress Security Audits

We recommend WordPress for most of our clients' CMS needs because they find it easy to use and it is a great platform for developers to extend and customize. The core application is very secure, but some things (plugins, themes and hosting environments) are outside the core developers' control, and some hardening steps are left out of the default install because of the tradeoff between security and convenience, or because they only make sense for a minority of users. That is why we recommend adding extra security when appropriate.

We offer packages with increasing levels of protection to meet the needs of various types of websites:

Level 1: $300. For high-traffic personal websites.
  • Automated database backups
  • Password audit
  • WordPress core upgraded
  • wp-config.php review
  • Security plugin setup
  • Renamed admin account
  • Proper directory and file permissions set

Level 2: $700. For income-generating websites.
  • Everything in Level 1
  • Automated file backups
  • Renamed database table prefix
  • wp-config.php moved outside web root
  • robots.txt setup
  • Login error message details suppressed
  • HTTP access to wp-content and wp-includes restricted
  • Plugins and themes upgraded
  • PHP display_errors turned off
  • Apache directory browsing disabled

Level 3: $1100. For mission-critical websites.
  • Everything in Levels 1 and 2
  • Each WordPress installation given its own database and user
  • Unnecessary MySQL user permissions removed
  • Plugins and themes checked for vulnerabilities and infection
  • 5G Blacklist setup
  • HTTPS forced for /wp-admin
  • FTP disabled and SFTP enabled
  • Hosting company reviewed
  • Additional scanning plugins run

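As an added illustration (not this page's own material or a file shipped by WordPress), here is a wp-config.php excerpt showing how several of the checklist items above are expressed in configuration: debug output and display_errors off, a non-default table prefix, a per-site database and user, and HTTPS forced for /wp-admin. The directory layout, prefix and credential values are constructed placeholders.

```php
<?php
// wp-config.php hardening excerpt (added example; values below are placeholders).
// When wp-config.php is absent from the install directory, WordPress looks for it
// one directory above, provided no wp-settings.php sits there. This lets the file
// live outside the web root, e.g. /var/www/wp-config.php with the site in
// /var/www/html/ (assumed layout for this example).

// Level 1: wp-config.php review. Keep debug output off on a production site so
// neither WordPress nor PHP prints errors (paths, SQL fragments) to visitors.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 ); // Level 2: PHP display_errors turned off

// Level 2: renamed database table prefix. Set before installation; renaming it on
// an existing site also means renaming the tables and the prefixed option and
// usermeta keys, which is why it is done as part of an audit rather than by hand.
$table_prefix = 'x7q_'; // constructed value, not the default 'wp_'

// Level 3: each installation gets its own database and a MySQL user that is
// granted privileges on that database only.
define( 'DB_NAME',     'example_site' );                 // placeholder
define( 'DB_USER',     'example_site_user' );            // placeholder
define( 'DB_PASSWORD', 'REPLACE-WITH-A-GENERATED-PASSWORD' );
define( 'DB_HOST',     'localhost' );

// Level 3: HTTPS forced for /wp-admin and the login page.
define( 'FORCE_SSL_ADMIN', true );

// Unique keys and salts (AUTH_KEY, SECURE_AUTH_KEY, ...) belong here in a real
// file and are omitted from this excerpt.

// Standard tail: ABSPATH is already defined by wp-load.php when this file has
// been moved up one directory, so only define it if needed.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/html/' ); // assumed layout, see above
}
require_once ABSPATH . 'wp-settings.php';
```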
For each level there are some things that you'll need to do and be aware of:
  • Level 1
    • We'll need the usernames/passwords for the hosting control panel, FTP site, and all WP accounts (except subscribers) so that we can access the site and audit the passwords.
    • You'll need to tell us if you've made any modifications to the WordPress core files.
    • If you allow comments on posts and your site generates income, you'll need to purchase an Akismet API key, which starts at $5 /month.
  • Level 2
    • You'll need to sign up for an Amazon S3 account so we can back up files off-site. This is a monthly cost that varies with the size of your database and file system, but it is typically less than $5 /month.
    • You'll need to ask your web host to purchase and install an SSL certificate for your site. The cost varies by host, but is typically around $75-125 /year.
  • Level 3
    • If your web host doesn't have a good reputation for providing adequate security then we'll recommend that you switch to a different one, but the package doesn't include actually making the switch. Often the new host will make the switch for free, though.
There's also some general information and additional details that you'll want to know:
  • No security audit or preventative measures can ever guarantee that a site won't be hacked, but each item we perform makes a tangible improvement in security and overall will significantly reduce the risk of a successful attack. If the site does get hacked, we'll be able to restore it from backups in most cases.
  • This is designed to protect against the most common attacks and will be enough protection for the majority of users, but let us know if you have reason to believe that a talented hacker is targeting you personally so that we can recommend additional steps.
  • This doesn't include ongoing upgrades to WordPress, plugins or themes.
  • Some of the items listed may not be possible in every hosting environment or compatible with every plugin/theme, etc, but each of them will work in the majority of cases.
  • There's a chance that upgrading WordPress, plugins or themes can break some functionality, but we'll make a best effort to anticipate whether it will or not. It's crucial that you tell us if you've made any custom modifications to the WordPress core, plugins or themes. If something does break, we'll be able to repair it, replace it, or revert to the old version, but all of those will cost extra based on the time required.
If you're interested in any of our plans please contact us and we'll be happy to help you out.