WordPress security & hardening

Tier-laddered WordPress security and hardening: an audit from $1,375, a $2,750–$8,250 audit + remediation engagement, or a $1,375/mo hardening retainer. The audit + remediation engagement is the one to book before something happens. The retainer is the one that keeps the hardening from rotting six months later.

Recent security-relevant WordPress work: Sherwin-Williams · M.L. Campbell Training Centre · Sayerlack · national news network, 2011–2012 platform migration

Book the 20-minute discovery call · See full pricing and scope

The problem you’re solving

Most WordPress sites get compromised through a small number of well-documented doors: weak admin credentials, an outdated plugin with a known CVE, a left-behind user account with administrator rights, or a misconfigured file-upload field. None of those are exotic. Almost none of them get fixed until after the site is already shipping pharmacy spam from the footer.

The hardening engagement closes the doors before someone walks through them. Three days, fixed scope, written report you can hand to your insurer or your security committee.

What a security engagement costs

Security and hardening engagements ladder in three shapes. The full pricing matrix, including the audit-credit-forward policy, lives on the canonical Security & Hardening service page. The three shapes:

  • Security audit, report only ($1,375–$2,750): A written findings report organized by severity (critical / high / medium / low) with reproduction steps and recommended fixes. The audit IS the deliverable.
  • Audit + remediation ($2,750–$8,250): If the audit converts to remediation, the audit fee credits forward against the engagement. Critical and high findings get implemented; you receive the diff, not just the advice.
  • Ongoing hardening retainer ($1,375/mo): Post-update reviews, new-plugin audits before install, quarterly re-scans against the original findings list. Cancel any month with 30 days' notice.

If your site is currently under active attack or already compromised, this is the wrong engagement — email me directly. Incident response is hourly at $275 CAD/hr and starts the same day.

What you get

  • A hardening pass. Login surface locked down, file permissions corrected, salts and keys rotated, file editing disabled in wp-admin, XML-RPC restricted where nothing depends on it, wp-config.php secured, the upload pipeline limited to the file types you actually need, and HTTP security headers set.
  • User and role audit. Every account reviewed. Stale admins removed, role assignments cleaned up, capability creep documented and reset.
  • Two-factor authentication for administrators. Configured, tested, and documented for your team. App-based by default; backup-code procedure included.
  • Web application firewall configuration. Either at the host level (if your host provides one) or via a plugin layer. Rules tuned for WordPress, not generic.
  • Malware scan. File-system and database scan, with quarantine recommendations on anything suspect. If the scan finds an active compromise, the engagement pauses and converts to incident response (separate hourly engagement; you will not be silently up-billed).
  • Written remediation report. What I did, what I found, what is left to do, and the priority order. The document survives a security committee review.
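What the hardening-pass items above look like once landed, as an added example that is not the page's own code and not taken from any client engagement. It uses only stock WordPress constants, filters and actions. Two fragments share one listing: constants that belong in wp-config.php, and a must-use plugin at a hypothetical path, wp-content/mu-plugins/hardening.php, which WordPress loads automatically and which no wp-admin user can deactivate. The upload allowlist, the assumption that nothing on the site needs XML-RPC, and the header values are illustrative choices, not the page's recommendations for any particular site.

```php
<?php
/**
 * Added example: wp-config.php constants plus a must-use plugin (hypothetical
 * path wp-content/mu-plugins/hardening.php). Not code from this page or from
 * any client site. Everything here is stock WordPress API.
 */

/* ----- wp-config.php (above the "That's all, stop editing!" line) ----- */

// Weak (the default, equivalent to leaving the line out): the theme/plugin
// editor is on, so any hijacked admin session is one "Save" away from
// running PHP on the server.
// define( 'DISALLOW_FILE_EDIT', false );
define( 'DISALLOW_FILE_EDIT', true );

// Also block plugin/theme installs and updates from wp-admin. Only set this
// where deploys go through version control or WP-CLI: it hides the update UI.
define( 'DISALLOW_FILE_MODS', true );

// Admin screens and login over HTTPS only; auth cookies get the Secure flag.
define( 'FORCE_SSL_ADMIN', true );

// Salts and keys: replace all eight with fresh output from
// https://api.wordpress.org/secret-key/1.1/salt/ . Rotating them invalidates
// every existing login cookie, which is exactly what you want after a user
// clean-up. Placeholder value below; never ship it.
define( 'AUTH_KEY', 'replace-me-with-a-unique-64-char-value' );
// ... AUTH_SALT, SECURE_AUTH_KEY, SECURE_AUTH_SALT, LOGGED_IN_KEY,
//     LOGGED_IN_SALT, NONCE_KEY, NONCE_SALT likewise.

/* ----- wp-content/mu-plugins/hardening.php --------------------------- */

// 1. XML-RPC: off unless Jetpack or the mobile app genuinely needs it.
//    system.multicall lets one HTTP request try hundreds of passwords.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    // Pingbacks are the other XML-RPC abuse (reflection against third
    // parties); drop them even if XML-RPC must stay on for something else.
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );   // stop advertising the endpoint
    return $headers;
} );

// 2. Upload pipeline: an allowlist of the types this site actually needs.
//    Keys are pipe-separated extensions exactly as wp_get_mime_types() keys
//    them, so a key not named here (including 'svg', which carries script,
//    and anything a plugin added) simply drops out.
add_filter( 'upload_mimes', function ( $mimes ) {
    $keep = [ 'jpg|jpeg|jpe', 'png', 'gif', 'webp', 'pdf', 'mp4|m4v' ];
    return array_intersect_key( $mimes, array_flip( $keep ) );
}, PHP_INT_MAX );

// Belt and braces: refuse any upload whose name carries a PHP extension
// anywhere, e.g. shell.php.jpg. Returning $file with 'error' set aborts the
// upload. PHP execution inside wp-content/uploads should also be blocked at
// the web server; that rule is not PHP and is not shown here.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( preg_match( '/\.(php|phtml|phar|php\d)(\.|$)/i', $file['name'] ) ) {
        $file['error'] = 'This file type is not permitted.';
    }
    return $file;
} );

// 3. HTTP security headers. send_headers fires on front-end requests only;
//    the host or web-server config is the better place because it also
//    covers wp-admin and static files. This is the portable fallback.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    // Content-Security-Policy is deliberately absent: set blind, it breaks
    // themes and plugins that inline scripts. Roll it out report-only first.
} );

// 4. Login surface: stop telling attackers which half of a credential was
//    wrong, and stop anonymous user enumeration through the REST API.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

Two things to check before this goes live: DISALLOW_FILE_MODS also removes the update screens, so it belongs only on sites with a deploy pipeline, and the upload allowlist will silently reject any type a form or gallery plugin relies on, which is exactly the "will this break anything?" case that staging exists for.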

Hardening rots over time as new plugins get installed, new users get added, and new vulnerabilities get disclosed. A Security Retainer (from $1,375 CAD per month) keeps the hardening current with a monthly review, plugin update strategy, monitoring, and a quarterly written status. The retainer is optional and the FAQ below covers when it makes sense.

What this is not

  • Not incident response. If your site is currently compromised, defaced, sending spam, or actively under attack, this is the wrong engagement. Email me directly; incident response is hourly and starts the same day.
  • Not a penetration test. The hardening pass is preventive, not adversarial. If you need a full pentest with a written attestation, I will refer you to specialists.
  • Not a one-time vaccine. Without ongoing review, the hardening you pay for in May is partially gone by October. The retainer exists for exactly this reason.
  • Not “we’ll just install Wordfence.” Wordfence is a fine tool inside a real hardening strategy and a useless tool by itself.

Who this is for

  • Fit. Operating WordPress sites that hold customer data, take payments, or whose downtime would cost real money.
  • Fit. Organizations whose insurance carrier or compliance program is asking for documented security posture.
  • Fit. Teams who have inherited a WordPress site from a previous developer and have no idea what was done to lock it down (likely answer: very little).
  • Not fit. Sites currently under active attack. That is incident response.
  • Not fit. Buyers looking for the price below the audit-tier floor of $1,375. There is no honest cheaper version of this work; what looks cheaper is usually a security plugin install and a confidence-trick report.

The three-day hardening engagement, day by day

  • Day 1. Access provisioned. User and role audit. Plugin and theme inventory. File-system and database scan.
  • Day 2. Hardening pass. 2FA configured. WAF tuned. HTTP headers set. Login surface locked down.
  • Day 3. Verification, written report, and a 30-minute walkthrough call to hand off to your team.

Why work with me on this specifically

  • WordPress development since 2007. Security work has been part of the job since well before WordPress security was an industry of its own.
  • Engagements with Sherwin-Williams (M.L. Campbell Training Centre, Sayerlack), and earlier portfolio work for one of Canada’s largest news networks, where the security surface was a daily concern.
  • Author of practical WordPress and SEO articles. Speaker at WordCamp Toronto.
  • Senior-developer rate, $275 CAD/hr. Each security tier (audit, engagement, or retainer) is fixed-fee against scope, not against time.

Common questions

What if you find an active compromise during the scan?

The hardening engagement pauses immediately. I will tell you what I found, in writing, the same day. You then decide whether to convert the engagement to incident response (a separate hourly engagement, starting the next morning) or to pause the hardening until the incident has been handled by someone else. Either way, you do not get silently up-billed.

Do I need the retainer?

If your team has the discipline to review user accounts monthly, audit plugin updates against CVE databases, and rotate keys on a schedule, you do not. If that sentence made you wince, you do.

Will this break anything?

Hardening can interact badly with poorly written plugins. The engagement runs on staging where one exists, on production with a verified backup where it does not, and the implementation plan is reviewed with you in writing before I touch anything live.

Is Wordfence or Solid Security enough on its own?

No. Both are useful tools inside a real hardening strategy. Neither, on its own, fixes weak credentials, stale admin accounts, outdated plugins with known CVEs, or a misconfigured upload pipeline. The plugin watches the front door; the hardening locks the rest of the house.

Ready when you are

Security & hardening, three tiers: audit from $1,375 · $2,750–$8,250 audit + remediation · $1,375/mo hardening retainer. Pay up front, get access provisioned, the clock starts.

Book the 20-minute discovery call · See full pricing and scope

Product names referenced on this page, including WordPress, are trademarks or registered trademarks of their respective owners. The services offered here are independent and are not affiliated with, endorsed by, or sponsored by any of these companies.