
WordPress Secure Code Reviews

WordPress code reviews, to help protect you and your customers from bad actors

Hi, I’m Tim, a WordPress security consultant who helps organisations like yours stay protected online.

I provide a range of security-focused services, one of which is my secure code review: a review of custom code, be it a plugin, a theme or indeed anything else you or someone else has written on your behalf.

The secure code review is aimed at developers who are selling commercial plugins and themes to a wide audience. It is not exclusive, and I’m just as happy looking at code made specifically for your in-house projects. The secure code review is a mix of automated and manual reviews. The automated part uses code sniffing and static analysis (where possible) to identify issues, as well as actually testing the functionality with automated tools, as a bad actor would. The second part is a line-by-line review of the code base; this manual review flags up where logic might not work as intended. Think of me as the second pair of eyes, but one that hasn’t been staring at this project for weeks on end, so I’m coming in fresh and with a new perspective. This is a security review, but vulnerabilities are often derived from bugs, so where I spot issues that are not security related I tend to jot them down as well.


How does it work?

Code reviews are designed to be as painless as possible. It starts with you getting in touch, and then we will do a quick discovery call to get a little background about yourselves, your site, and your hopes and reasons for the review.

After the call I will ask for a copy of the code base. As part of that I will send a copy of our NDA (or sign yours if you have one) so you know your code is not going anywhere. I need the code base to generate the quote. The cost is determined by the size and complexity of the code base; for most plugins and themes it is £1950, though some codebases might be more expensive.

If you are happy with the quote then there is some paperwork to be done in the form of a contract.

The final step before getting started is the invoice, which is also when we book in the date for the review. The review normally takes 3 days on average and you can expect the report within 4-5 working days. But I will go through specifics with you at the time.

With all the paperwork done, I will ask for an up-to-date version of the codebase. Testing is done on my own specially designed VM (virtual machine), which allows me to do much more aggressive testing but in a very controlled environment, where all my automated tools are preconfigured.

When the report is ready, it’s sent over and contains:

  • A summary of what was found
  • A traffic-light-based report highlighting priority issues, with an explanation of each issue and a recommendation on how to fix it.
  • Next step recommendations for what to do to take the site security even further.

The last step is organising a meeting to go through the report. This is an opportunity for me to explain and highlight items, and for you to ask lots of questions about the review and recommendations.


A bit about me

I’m an experienced security professional, but I didn’t start my career in IT as one. My background is in building payment systems, which led me to run a small development agency with some pretty big clients you have heard of. I went on to help manage the security of thousands of WordPress sites at one of the UK’s largest web hosts.

This means I am in a fairly unique position of not just being able to identify issues and problems but also to provide genuine recommendations, and to walk you through why I’m recommending certain actions and why I think they are suitable for you. My background in development allows me to do the manual review and to engage with you to help implement any recommendations. The reviews themselves don’t stop at finding a potential issue but end when we have found the solution.

“Our team have built countless WooCommerce sites but this was our first foray into releasing a product and we wanted to be sure on the code quality, scalability and security of our code. Tim was thorough, detailed and exceptional at walking us through the issues in our code. For me what was more important though, was that he did so in a very kind and insightful way that motivated the team, improved the plugin but also helped us implement tools and processes into our workflow that has benefitted us across the board in all work we do. I could not recommend this service more highly and I wish we’d done it sooner!”

Phil Morrow
Director Happy Kite Ltd

Ready to get started

Let’s grab some details and I will be in touch

Let’s chat about your security?

Book a FREE 20 minute call with me to see how you can improve your WordPress Security.

(No Strings Attached, honest!)

Or email hello AT timnash.co.uk for all enquiries

Frequently asked questions

How long does a review take?

Reviews are dependent on the size and complexity of the codebase and a range of factors around how everything interacts. Typically from sign-off I aim to complete the review within 3-4 days and have the report to you within 5 working days. When I start the review I normally can give you a much firmer timeline.

How much will it cost?

Secure code reviews start at £1950, and that is a typical price for reviewing the average plugin or theme. When quoting a price, code features and complexity, along with how hard it will be to run automated tools, are factored in.