Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Wordfence Launches WordPress Security Audit Service

This entry was posted in General Security, Wordfence, WordPress Security on May 23, 2017 by Mark Maunder   42 Replies

WordPress Security AuditThis morning I am very excited to announce that Wordfence is officially launching a WordPress Security Audit service. Many of our customers have asked us for a service like this and it has finally arrived.

For just $490, one of our experienced security analysts will perform a 59-point inspection to ensure that your site is secure. They produce a report that includes detailed recommendations for improving your site security. The service also includes a Wordfence Premium license for your site. You can find a sample report on this page.

What makes this service really amazing is that a single Wordfence license costs $99. So now, instead of just buying a $99 license, for just a bit more you can have one of our security analysts secure your site. In addition to the site audit, the team also inspects your Wordfence configuration to make sure malware scanning is running optimally and that your firewall is configured correctly for your hosting environment.

The service is backed by a 1 year guarantee. We will clean your site free of charge should it get hacked within 1 year of the audit.

Why We Created the WordPress Security Audit

For some time now Wordfence has been providing site cleaning services for hacked websites. This service includes a Wordfence Premium API key. We realized that many customers are also interested in having an experienced Wordfence security analyst look at their site, even if they have not been hacked.

Our senior team got together and spent some time developing the WordPress Security Audit service, including the comprehensive 59-point inspection that each site receives from an analyst.

We have been quietly providing site security audits for a few weeks now to a select group of customers as part of a soft-launch. Our team has already found many issues that they have helped customers resolve, including vulnerable PHPMyAdmin installations and commercial plugins and themes with vulnerable subdirectories that our customers weren’t aware of.

Today we are publicly announcing the availability of the service. You can sign up for your security audit now on this page.

The Benefit of an Audit by a Security Team

So far every site audit we have performed has found something that needs attention to help secure the customer website. During testing, our team audited sites belonging to security professionals and have found several items that could help improve site security.

Even if you are a security professional, you can’t compete with the knowledge our team has gained from thousands of hacked site cleanings. The Wordfence Security Services Team (SST) think about WordPress site security all day long and have a wealth of knowledge they can draw from. Having our team of experienced professionals lock down your WordPress site is a way to rapidly improve your security posture.

Get your site security audit scheduled today.

As always you are welcome to post your thoughts and feedback in the comments below. I will be around to reply where needed.

Mark Maunder – Wordfence Founder/CEO.

Did you enjoy this post? Share it!

42 Comments on "Wordfence Launches WordPress Security Audit Service"

Rey Monzon May 23, 2017 at 10:16 am

I'm already a premium member. Will this service add one more year to my account?

Mark Maunder May 23, 2017 at 11:00 am

Hi Rey,

Yes it will.


Erik Haagensen May 23, 2017 at 10:21 am

Will there be a reseller or affiliate program for designers who recommend this service to clients?

Mark Maunder May 23, 2017 at 10:56 am

We do not offer affiliate programs.


Cindy Newman May 23, 2017 at 2:30 pm

Hi Mark,

I am definitely with Erik. You guys should seriously consider and affiliate program.

Mark Maunder May 23, 2017 at 9:18 pm

I don't think we'll ever do that Cindy. I used to participate in affiliate programs myself so I do view this from both sides. The trouble with affiliate programs is that they result in web and email spam related to our brand. Affiliates can be extremely aggressive when it comes to marketing and that does not fit with our brand ethos and who we are.

Wordfence has a close relationship with our customers - much of it through our blog and the kind of conversation I'm having with you right now.


pablo jusem May 23, 2017 at 10:23 am

What if you find the site has been compromised?

Mark Maunder May 23, 2017 at 10:56 am

Hi Pablo. In that case we let you know and with your approval we proceed with a site cleaning at no additional charge.


jcampbell May 23, 2017 at 10:41 am

Have you considered a white label version of this or the gravity scan service? I can already offer potential clients an seo audit using a white label service, if I could also add a security audit with my own branding I think clients would really go for it. Wordfence would then be the centerpiece of our security package.

Mark Maunder May 23, 2017 at 10:55 am

We will not be white labeling Gravityscan. Please simply visit www.gravityscan.com for a scan.



Ari May 23, 2017 at 10:42 am

Would you provide server side audit. such as web server configuration, mail server, file permissions..etc?

Mark Maunder May 23, 2017 at 10:55 am

We do not currently provide server audits.

amac44 May 23, 2017 at 11:06 am

I would upvote this question :)

Mark Maunder May 23, 2017 at 11:08 am

Thanks. A server audit is a much bigger task which involves pretty much any software or service that runs on Linux and potentially also Windows. It really isn't something we want to take on at this time. Thanks for your feedback though.


Eugene Torrey May 23, 2017 at 11:10 am

First let me say that I could not be happier with my Premium Wordfence API keys, and the excellent services and information that have come with them.

After reading the post, I too wondered about Server audits. My web host provider has elected configuration that poses some challenges.

I understand the 59 points of inspection are better than none. However, having said that, how can you offer the aforemented service without explicitly understanding the server configuration?

Mark Maunder May 23, 2017 at 11:21 am

Hi Eugene,

We look at every part of your configuration that is relevant to WordPress. For example, we recently discovered two separate hosting providers that were running out of date and vulnerable versions of PHPMyAdmin. Customer sites were being hacked repeatedly via the interface. We alerted the customer, they worked with their hosting provider to fix the issue.

We have also discovered filesystem permission issues on one hosting provider and worked with the customer to fix that.

Another issue we've seen is a hosting provider running cron jobs as root including wpcli. In that case, if the site is compromised and an attacker can inject malicious PHP code into the WP install, they can root the server. We helped them secure that too.

These examples should illustrate that we aren't just looking at WordPress. We're looking at the whole environment including other services and the underlying platforms and OS.

So really when you get a site security audit from us, it includes everything that touches WordPress and everything it relies on. What we can't do is provide security audit services for non-WP services like email servers, source code repositories, game servers and the many other things that Linux and other servers are used for. We focus strictly on WordPress. That means that the environments we have to audit are fairly common and are generally a database engine, web server, PHP and a fairly standard filesystem structure.

I hope that helps explain why we don't provide generic server audits and how our WordPress site audits actually extend way beyond WordPress.


Ronny Geenen May 23, 2017 at 11:35 am

Hi Mark,
Can you tell a bit more about your audit?
Do you need admin access as an administrator too?
Can I still open my site and write my articles at the same time you doing the audit?
I am just a simple old man who knows how to add articles and images to the site.


Mark Maunder May 23, 2017 at 1:13 pm

Hi Ronny,

When you sign up we provide a way for you to securely send your login details to the analyst that will be working on your site. Your login info remains encrypted and the analyst only decrypts it with their own key when they're ready to do the work.

I asked the SST team if you can publish posts while we're doing the audit. I got a few replies:

From Kathy: While it is ideal if customers are not making modifications to a site during both audit and site cleaning, I think during an audit, publishing posts should not cause an issue.

From David: There goes my idea of telling them a mushroom cloud will appear over the horizon if they publish a post during an audit.

From Brendan: As long as the post doesn't contain the word "cialis", I'll let it slide.

The last two are of course kidding. Sounds like you can continue working without a problem. We'd love to have your business.



anonymous May 23, 2017 at 11:47 am

Mark, can you please get someone other than Tim to look at ticket #44175 concerning my deleted response to this post. Thank you - John

Mark Maunder May 23, 2017 at 12:57 pm

No. Tim is awesome. I completely trust my team. I'm not the kind of leader that tells them how to do their job or that micro-manages.

Pretend you heard whatever Tim said from me.


dbswim May 23, 2017 at 11:49 am

When did the Premium Price go up to $99?

Mark Maunder May 23, 2017 at 12:54 pm

It's been at that level for about a year now.

Juan May 23, 2017 at 3:34 pm

Hi... I have iThemes security on my sites and im good with it. How ever I like the shore you have been doing with wordpress security sites... and want to buy some keys and audit services. I have 2 questions. Are this keys or audit price for lifetime? or 1 year? and has this plugin any conflict with ithemes security pro and its firewall and everything?

Mark Maunder May 23, 2017 at 9:14 pm

We don't have any known conflicts with iThemes. The audit service is a one time security audit. It is not ongoing or repeated.

Please contact our presales team via the contact form on this site for more info.


Paul Cutler May 23, 2017 at 4:41 pm

I am about to buy 4 premium keys (1 for each of 4 separate WP installations) - brings the price per key down from $99 to $62.84.
Are you going to sell the audit separately for $50/site?


Mark Maunder May 23, 2017 at 9:13 pm

Hi Paul,

Please contact our presales team about that using our contact form.


Bertahan May 23, 2017 at 5:57 pm

Once you do the scan, do you offer a service to implement the recommendations?

I read the sample report, and while some of them are easy, other things (such as anything to do with mysql) is way over my head.

Mark Maunder May 23, 2017 at 9:13 pm

In most cases we provide recommendations and don't make any changes to a customer account other than Wordfence configuration changes.

Duane Reeve May 23, 2017 at 9:36 pm

Going back to what jcampbell commented regarding a Whitelabel Version of the Security Audit. Your reply was focused on not offering whitelable of the Gravity Scan Service. You did not mention whether a Whitelable offering of the Security Audit would be considered.

I think most Web-Design Agencies would be interested in this and it could possibly add considerable recurring income for yourselves too. Going whitelabel also alleviates the issues you mentioned with Affiliate Spamming & junk traffic etc. The whitelabel agencies will be driving traffic to their own Security Audit Services pages to grow their businesses and in-turn; yours...

Needless to say; I think this is a great service you're providing.

Mark Maunder May 24, 2017 at 1:30 am

Thanks Duane, interesting idea. I'll share it with our team.

pheck May 23, 2017 at 11:12 pm

Reading the comments above, I understood, that when I order the service, another year of subscription will be added (my will end August 8 2017, so assumption is, that it will be extended to August 8 2018 - please confirm.

Another question: I assume, I need to hand over login credentials to the security auditor. My Wordpress site is protected by a YubiKey 2nd factor authentication - so do I need to disable the 2nd factor authentication during the audit?

Cheers Peter

Mark Maunder May 24, 2017 at 1:31 am

Hi Peter,

Yes I'm pretty sure that's the case, but please contact our presales team to confirm via our contact page. You'll have to do the same for the Yubikey question.


Larry Woods May 24, 2017 at 6:16 am

I just recommended the $99 WF fee to a client. Now it's $149, but there will be an audit of the site to see if it is secure. So, my client says, "Then what is the present WF scan doing? I thought that WF was supposed to be monitoring my site for hacks---but now you are telling me that there is no guarantee unless I pay $149. Isn't that what you call 'bait and switch'?"
So, what do I tell my client? That the WF that he has been using, and willing to pay $99 for, has not been working up to now? It's not clear to the "uninitiated" what you are offering.

Mark Maunder May 25, 2017 at 1:24 pm

Wordfence is still $99 and it is a software solution.

In addition to this we're offering you the option to have an experienced analyst do a one time hands-on audit of your site. It is entirely optional.

Wordfence is software designed to run on a huge range of sites and configurations. The audit is done by a human and tailored for your specific site. An analyst signs in and goes through your site by hand to make sure it is locked down.

In my opinion, in addition to Wordfence, it's worth every penny.


Oscar May 24, 2017 at 10:09 am


I have 2 questions:

-what is the real differencebetween gravity scan and this audit service? Will it be correct to say that it is a much compelte analysis that the one included at gravity scan

- In order to understand the audit product. I understand that after the audit has been done you present a report to he user, with the things that are OK, need improvementor are wrong? Is this correct? Will you provide a list of actions to correct those things that are wrong or need improvement? Are they suggested by the analyst?

-If I have just renewed wordfence, can I pay $50 for the audit?



Mark Maunder May 25, 2017 at 1:21 pm

Gravityscan is an automated vulnerability and malware scan.

The security audit is done by a highly trained and experienced analyst. It is recommended in addition to any software you're running.

Yes, that is correct. The analyst provides you with a detailed report. There is a sample report in the post above.

Yes you can get the audit for $50 - I think our team usually does that. Contact presales using our customer support form.


Chris May 24, 2017 at 2:08 pm

Hi Mark,

I think the audit is a great idea and the perfect intro for your premium service. How long does a security audit usually take?

Mark Maunder May 25, 2017 at 1:22 pm

The audit takes 1 business day unless otherwise noted on checkout.


Doug May 25, 2017 at 12:32 pm

Why do I need a Wordfence Security Audit if I'm running your security plug-in?

Mark Maunder May 25, 2017 at 1:18 pm

Well... that's a bit like asking "why do I need my motorcycle and riding style checked if I'm wearing a helmet?"

The Wordfence firewall stops attackers from exploiting vulnerabilities on your site. (A helmet stops your head from imploding on crash)

The audit removes the vulnerabilities and makes sure Wordfence is configured optimally for your environment and that you are following security best practices. (Making the bike and rider safer means you're less likely to need a helmet.)

Hope that makes sense.


Doug May 25, 2017 at 5:32 pm

Got it. Thank you.

Komodo tours June 4, 2017 at 6:59 pm

I have no doubt about wordfence security although i am using free. All control with intelligent for all spammer. Strong control and everything go without any problem for my site. Maybe i will go premium in the next

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates