TrustEdge Labs

WordPress Security Review

WordPress sites and stores get a real read — not a plugin scan.

WordPress runs an absurd amount of the web, and most of its breaches come from the same handful of mistakes — outdated plugins, weak admin posture, dirty upload handlers, custom theme code that grew wild. We review both core posture and your custom layer with the same rigor as a custom web app.

Scope

What we test.

  • Plugin and theme inventory — known vulnerabilities, abandoned packages, supply-chain risk
  • Custom theme and plugin code review (PHP, JS, hooks, shortcodes)
  • Admin posture — accounts, capabilities, brute-force surface, MFA
  • REST API exposure and authentication checks
  • File uploads, image processing, and arbitrary-write paths
  • Database injection paths through wpdb and custom queries
  • WooCommerce / payment plugin specifics where applicable
  • Hosting hardening — file permissions, secrets in config, debug exposure

Methodology

How we work.

Custom code over scanners

Plugin scanners catch known CVEs. Real WordPress problems live in the custom theme nobody touched in three years. We read the code.

Admin-side first

Most breaches come from the wp-admin surface, not the public site. We start there.

Hardening checklist

You leave the engagement with a concrete hardening checklist, not a list of CVEs.

Deliverables

What you get.

  • WordPress hardening report (admin posture, plugin/theme audit, custom code findings)
  • Concrete remediation steps with config snippets and patches
  • Plugin & theme inventory with risk grading
  • Optional re-test pass after remediation, scoped separately

Timeline

Typical engagement.

  1. Phase 01 · Week 0

    Scoping

    Site list, plugin/theme list, admin access scope, NDA.

  2. Phase 02 · 1–2 weeks

    Active review

    Plugin/theme audit, admin posture, custom code review.

  3. Phase 03 · 3–5 days

    Reporting

    Findings + remediation checklist.

Public references

We work against these.

Open standards we use as the floor for the engagement — not certifications we hold or issue. Findings are tied back to the relevant control IDs so your engineers can defend the remediation in technical reviews.

  • OWASP Top 10
  • OWASP WSTG
  • WPScan vulnerability database (informational)

Our reports are technical hardening guides — not formal audit evidence. Compliance certificates are issued by your accredited auditor, not by us.

Ready to scope it?

The request form takes about three minutes. We respond within one business day.