~ /home /services /wordpress-security
0 client breaches · all-time, under retainer
./wordpress-security --pricing

WordPress security
on a flat monthly fee.

Malware pulled, a real WAF in front, and pen testing against your actual build. Billed monthly, with no line items you can't read. Pick a tier; we start this week.

3 tiers · fixed fee 0 client breaches MTTA 00:01:24
OSCPOSCEGREMGXPN
The same operators who run our enterprise retainers run the WordPress tiers.
00:01:24median MTTA
0breaches
what "WordPress security" means here

A plugin isn't
a security program.

Most WordPress “protection” is one plugin and some optimism. We do the part that moves risk: break the site in a lab, clean out what’s already there, put a tuned WAF in front, and keep watching it.

Three tiers, same operators behind every one. The bench that runs our enterprise retainers runs these.

// what actually hits WordPress

The attacks we cover.

six vectors · one bench
every tier gets the responder
WP-T/01 persistence

Malware & backdoors

Injected web shells, rogue admin users, and droppers that survive a plugin update. We pull them out, sweep for persistence, and prove the site is clean.

severity
WP-T/02 access

Brute force & credential stuffing

Bots hammer /wp-login.php and XML-RPC with leaked passwords around the clock. We isolate login, kill XML-RPC abuse, and rate-limit the vector.

severity
WP-T/03 CVE

Vulnerable plugins & themes

Most WordPress breaches start with one out-of-date plugin CVE. We track your real plugin/theme surface and virtually patch what you cannot update in time.

severity
WP-T/04 availability

DDoS & layer-7 floods

L7 floods that look like real traffic take the site down at the worst possible moment. An anycast edge plus rate and bot policy absorb it before origin feels it.

severity
WP-T/05 e-commerce

Card skimmers (Magecart)

Checkout skimmers siphon card data from WooCommerce silently for months. We watch file integrity and the checkout path and catch the inject early.

severity
WP-T/06 reputation

SEO spam & defacement

Pharma spam, hidden redirect injects, and Google blacklisting that tanks your rankings overnight. We detect, clean, and file the review request.

severity
// what's in the work

Managed, not a plugin.

done by the operator
who finds the bug
01
Penetration testing

Manual exploit attempts on your build, not a scanner dump.

02
Website malware removal

Live cleanup, backdoor sweep, persistence audit.

03
Advanced DDoS mitigation

L3/L4 + L7, anycast edge, rate limit + bot policy.

04
Web application firewall

Tuned to your plugin/theme surface, not a generic ruleset.

05
Custom hardening scripts

wp-config flags, file perms, mu-plugin, login isolation.

06
24/7 incident support

Named responder, phone-and-pager, business contract.

./wordpress-security --pricing

Pick a tier. We start this week.

all prices USD · /mo · billed annually
no T&M · no line-item invoices
WP-PR/01 · ESSENTIALS

ESSENTIALS

One site that just needs to stop getting popped.

$190 /mo billed annually
what's in this tier
  • Penetration testing
  • Website malware removal
  • Advanced DDoS mitigation
  • Web application firewall
  • Custom hardening scripts
  • 24/7 incident support
coverage
3/6
Start hardening
WP-PR/02 · STANDARD

STANDARD

Sites that take payments and can't eat downtime.

$370 /mo billed annually
what's in this tier
  • Penetration testing
  • Website malware removal
  • Advanced DDoS mitigation
  • Web application firewall
  • Custom hardening scripts
  • 24/7 incident support
coverage
5/6
Start hardening

Common asks.

Q.01 My site's already infected. Which tier?

Any of them. Malware removal is in all three. Flag it on the form and we put infected sites at the front of the queue.

Q.02 Is this just a plugin you install?

No. Plugins are part of it. The work is ours: manual hardening, a WAF tuned to your build, and a person who reads the logs.

Q.03 Can I move between tiers?

Any time, prorated. No lock-in past the billing term you choose.

Q.04 What does support actually cover?

A human responder, not a bot. Premium is 24/7. Standard and Essentials are business hours.

./start --wordpress-security

Pick a tier.
We start this week.

Two minutes on the form. We confirm scope and have you covered inside the billing week.

Choose a package