Confident Clean a Hacked Site Workshop Join me July 16th for this 90 Minute Workshop  Claim your spot

WordPress Website Security Reviews

WordPress site reviews, to help protect you and your customers from bad actors

Hi I’m Tim, a WordPress security consultant who helps organisations like yours stay protected online.

I provide a range of security focus services, one of which is my secure website review (which I tend to shorten to site review when talking to folks).

The site review is a clearbox test, which means you give me access to your site and codebase and I go through and look for issues. How I do this is combining reviewing the plugins and themes on the site, how the site is setup and what processes you have in place. I also attempt to gain access to the site using techniques which a bad actor might use to see if they will work. This is sometimes called a pentest or penetration test. The review is a combination of manual and automated testing, and roughly follows the OWASP (an organisation devoted to helping secure the web) web security testing guidelines but modified to suit WordPress more specifically.


How does it work?

Site reviews are designed to be as painless as possible, it starts by getting in touch and then we will do a quick discovery call to get a little bit of a background about yourselves, your site and what your hopes and reasons for the review are.

After the call you will get a very quick questionnaire that grabs some basic details, and a quote is generated. Website reviews start at £1950 but a typical site is £2250.

If you are happy with the quote then there is some paperwork to be done, a contract and importantly a scope document that says you give me permission to do the testing as defined in the document. This way you know what I will be testing and what I won’t.

The final step before getting started is setting the invoice, which is also when we confirm the date for the review. The review normally takes 3 days on average and you can expect the report within 4-5 working days afterwards. But I will go through specifics with you at the time.

With all the paperwork done I will need access to your codebase and either your staging (preferred) or live site where possible I like to do as much testing on my own specially designed VM (virtual machine) as opposed to your sites, it allows me to do much more aggressive testing but in a very controlled environment.

When the report is ready, its sent over and contains:

  • A summary of what was found
  • A Traffic light based report highlighting priority issues, with each item an explanation of what the issue is as well as a recommendation on how to fix it.
  • A summary of risk evaluation for individual plugins
  • Next step recommendations for what to do to take the site security even further.

The last step is organising a meeting to go through the report, this is an opportunity for me to explain and highlight items and you to ask lots of questions about the review and recommendations.


A bit about me

I’m an experienced security professional, but I didn’t start my career in IT as one, my background is in building payment systems which led me to run a small development agency with some pretty big clients you have heard of. I went on to help manage the security of thousands of WordPress sites at one of the UK largest web hosts.

This means I am in a fairly unique position of not just being able to identify issues and problems but also provide genuine recommendations, walk you through why I’m recommending certain actions and why I think it’s suitable for you. As every organisation is different and a solution for one, might not be the same for yours. Most traditional security tests tend to leave the recommendations vague or left out at all, where I can pool knowledge from my background to help work out a fix for you.

“Our team have built countless WooCommerce sites but this was our first foray into releasing a product and we wanted to be sure on the code quality, scalability and security of our code. Tim was thorough, detailed and exceptional at walking us through the issues in our code. For me what was more important though, was that he did so in a very kind and insightful way that motivated the team, improved the plugin but also helped us implement tools and processes into our workflow that has benefitted us across the board in all work we do. I could not recommend this service more highly and I wish we’d done it sooner!”

Phil Morrow
Phil Morrow
Director Happy Kite Ltd

Ready to get started

Let’s grab some details and I will be in touch

Let’s chat about your security?

Book a FREE 20 minute call with me to see how you can improve your WordPress Security.

(No Strings Attached, honest!)

Or email hello AT timnash.co.uk for all enquiries

Frequently asked questions

What is a clearbox testing or indeed a penetration test?

Clearbox testing is when I have access to the site and codebase and therefore are able to see issues from the inside. It’s called clearbox as well, everything is transparent to the tester. This allows me to identify areas to focus on and provide the most value report without making guesses and assumptions on how things work. An opaque sometimes called blackbox test is where the person is approaching with no access. In these tests the tester is simulating what a bad actor might see.

Penetration testing often referred to as pentesting is when a tester simulates the method a bad actor uses to try and gain access to your site.

How long does a review take?

Reviews are dependent on the size of the site, the number of plugins, the complexity of the site and a range of factors around how everything interacts. Typically from sign-off I aim to complete the review within 3-4 days and have the report to you within 4-5 working days after that. When I start the review I normally can give you a much firmer timeline.

How much will it cost?

Website reviews start at £1950 but a typical review is £2250, when quoting a price site features & complexity along with how hard it will be to get the site setup on the testing rig all are factored in. As a general rule if you have any form of e-commerce, membership, user login or custom code then you will be looking at least £2250.