Wordfence Launches WordPress Security Audit Service

WordPress Security AuditThis morning I am very excited to announce that Wordfence is officially launching a WordPress Security Audit service. Many of our customers have asked us for a service like this and it has finally arrived.

For just $490, one of our experienced security analysts will perform a 59-point inspection to ensure that your site is secure. They produce a report that includes detailed recommendations for improving your site security. The service also includes a Wordfence Premium license for your site. You can find a sample report on this page.

What makes this service really amazing is that a single Wordfence license costs $99. So now, instead of just buying a $99 license, for just a bit more you can have one of our security analysts secure your site. In addition to the site audit, the team also inspects your Wordfence configuration to make sure malware scanning is running optimally and that your firewall is configured correctly for your hosting environment.

The service is backed by a 1 year guarantee. We will clean your site free of charge should it get hacked within 1 year of the audit.

Why We Created the WordPress Security Audit

For some time now Wordfence has been providing site cleaning services for hacked websites. This service includes a Wordfence Premium API key. We realized that many customers are also interested in having an experienced Wordfence security analyst look at their site, even if they have not been hacked.

Our senior team got together and spent some time developing the WordPress Security Audit service, including the comprehensive 59-point inspection that each site receives from an analyst.

We have been quietly providing site security audits for a few weeks now to a select group of customers as part of a soft-launch. Our team has already found many issues that they have helped customers resolve, including vulnerable PHPMyAdmin installations and commercial plugins and themes with vulnerable subdirectories that our customers weren’t aware of.

Today we are publicly announcing the availability of the service. You can sign up for your security audit now on this page.

The Benefit of an Audit by a Security Team

So far every site audit we have performed has found something that needs attention to help secure the customer website. During testing, our team audited sites belonging to security professionals and have found several items that could help improve site security.

Even if you are a security professional, you can’t compete with the knowledge our team has gained from thousands of hacked site cleanings. The Wordfence Security Services Team (SST) think about WordPress site security all day long and have a wealth of knowledge they can draw from. Having our team of experienced professionals lock down your WordPress site is a way to rapidly improve your security posture.

Get your site security audit scheduled today.

As always you are welcome to post your thoughts and feedback in the comments below. I will be around to reply where needed.

Mark Maunder – Wordfence Founder/CEO.

Did you enjoy this post? Share it!


  • I'm already a premium member. Will this service add one more year to my account?

    • Hi Rey,

      Yes it will.


  • Hi,
    Will there be a reseller or affiliate program for designers who recommend this service to clients?

    • We do not offer affiliate programs.


      • Hi Mark,

        I am definitely with Erik. You guys should seriously consider and affiliate program.

        • I don't think we'll ever do that Cindy. I used to participate in affiliate programs myself so I do view this from both sides. The trouble with affiliate programs is that they result in web and email spam related to our brand. Affiliates can be extremely aggressive when it comes to marketing and that does not fit with our brand ethos and who we are.

          Wordfence has a close relationship with our customers - much of it through our blog and the kind of conversation I'm having with you right now.


  • What if you find the site has been compromised?

    • Hi Pablo. In that case we let you know and with your approval we proceed with a site cleaning at no additional charge.


  • Have you considered a white label version of this or the gravity scan service? I can already offer potential clients an seo audit using a white label service, if I could also add a security audit with my own branding I think clients would really go for it. Wordfence would then be the centerpiece of our security package.

    • We will not be white labeling Gravityscan. Please simply visit www.gravityscan.com for a scan.



  • Would you provide server side audit. such as web server configuration, mail server, file permissions..etc?

    • We do not currently provide server audits.

    • I would upvote this question :)

      • Thanks. A server audit is a much bigger task which involves pretty much any software or service that runs on Linux and potentially also Windows. It really isn't something we want to take on at this time. Thanks for your feedback though.


  • First let me say that I could not be happier with my Premium Wordfence API keys, and the excellent services and information that have come with them.

    After reading the post, I too wondered about Server audits. My web host provider has elected configuration that poses some challenges.

    I understand the 59 points of inspection are better than none. However, having said that, how can you offer the aforemented service without explicitly understanding the server configuration?

    • Hi Eugene,

      We look at every part of your configuration that is relevant to WordPress. For example, we recently discovered two separate hosting providers that were running out of date and vulnerable versions of PHPMyAdmin. Customer sites were being hacked repeatedly via the interface. We alerted the customer, they worked with their hosting provider to fix the issue.

      We have also discovered filesystem permission issues on one hosting provider and worked with the customer to fix that.

      Another issue we've seen is a hosting provider running cron jobs as root including wpcli. In that case, if the site is compromised and an attacker can inject malicious PHP code into the WP install, they can root the server. We helped them secure that too.

      These examples should illustrate that we aren't just looking at WordPress. We're looking at the whole environment including other services and the underlying platforms and OS.

      So really when you get a site security audit from us, it includes everything that touches WordPress and everything it relies on. What we can't do is provide security audit services for non-WP services like email servers, source code repositories, game servers and the many other things that Linux and other servers are used for. We focus strictly on WordPress. That means that the environments we have to audit are fairly common and are generally a database engine, web server, PHP and a fairly standard filesystem structure.

      I hope that helps explain why we don't provide generic server audits and how our WordPress site audits actually extend way beyond WordPress.


  • Hi Mark,
    Can you tell a bit more about your audit?
    Do you need admin access as an administrator too?
    Can I still open my site and write my articles at the same time you doing the audit?
    I am just a simple old man who knows how to add articles and images to the site.


    • Hi Ronny,

      When you sign up we provide a way for you to securely send your login details to the analyst that will be working on your site. Your login info remains encrypted and the analyst only decrypts it with their own key when they're ready to do the work.

      I asked the SST team if you can publish posts while we're doing the audit. I got a few replies:

      From Kathy: While it is ideal if customers are not making modifications to a site during both audit and site cleaning, I think during an audit, publishing posts should not cause an issue.

      From David: There goes my idea of telling them a mushroom cloud will appear over the horizon if they publish a post during an audit.

      From Brendan: As long as the post doesn't contain the word "cialis", I'll let it slide.

      The last two are of course kidding. Sounds like you can continue working without a problem. We'd love to have your business.



  • Mark, can you please get someone other than Tim to look at ticket #44175 concerning my deleted response to this post. Thank you - John

    • No. Tim is awesome. I completely trust my team. I'm not the kind of leader that tells them how to do their job or that micro-manages.

      Pretend you heard whatever Tim said from me.


  • When did the Premium Price go up to $99?

    • It's been at that level for about a year now.

  • Hi... I have iThemes security on my sites and im good with it. How ever I like the shore you have been doing with wordpress security sites... and want to buy some keys and audit services. I have 2 questions. Are this keys or audit price for lifetime? or 1 year? and has this plugin any conflict with ithemes security pro and its firewall and everything?

    • We don't have any known conflicts with iThemes. The audit service is a one time security audit. It is not ongoing or repeated.

      Please contact our presales team via the contact form on this site for more info.


  • I am about to buy 4 premium keys (1 for each of 4 separate WP installations) - brings the price per key down from $99 to $62.84.
    Are you going to sell the audit separately for $50/site?


    • Hi Paul,

      Please contact our presales team about that using our contact form.


  • Once you do the scan, do you offer a service to implement the recommendations?

    I read the sample report, and while some of them are easy, other things (such as anything to do with mysql) is way over my head.

    • In most cases we provide recommendations and don't make any changes to a customer account other than Wordfence configuration changes.

  • Going back to what jcampbell commented regarding a Whitelabel Version of the Security Audit. Your reply was focused on not offering whitelable of the Gravity Scan Service. You did not mention whether a Whitelable offering of the Security Audit would be considered.

    I think most Web-Design Agencies would be interested in this and it could possibly add considerable recurring income for yourselves too. Going whitelabel also alleviates the issues you mentioned with Affiliate Spamming & junk traffic etc. The whitelabel agencies will be driving traffic to their own Security Audit Services pages to grow their businesses and in-turn; yours...

    Needless to say; I think this is a great service you're providing.

    • Thanks Duane, interesting idea. I'll share it with our team.

  • Reading the comments above, I understood, that when I order the service, another year of subscription will be added (my will end August 8 2017, so assumption is, that it will be extended to August 8 2018 - please confirm.

    Another question: I assume, I need to hand over login credentials to the security auditor. My Wordpress site is protected by a YubiKey 2nd factor authentication - so do I need to disable the 2nd factor authentication during the audit?

    Cheers Peter

    • Hi Peter,

      Yes I'm pretty sure that's the case, but please contact our presales team to confirm via our contact page. You'll have to do the same for the Yubikey question.


  • I just recommended the $99 WF fee to a client. Now it's $149, but there will be an audit of the site to see if it is secure. So, my client says, "Then what is the present WF scan doing? I thought that WF was supposed to be monitoring my site for hacks---but now you are telling me that there is no guarantee unless I pay $149. Isn't that what you call 'bait and switch'?"
    So, what do I tell my client? That the WF that he has been using, and willing to pay $99 for, has not been working up to now? It's not clear to the "uninitiated" what you are offering.

    • Wordfence is still $99 and it is a software solution.

      In addition to this we're offering you the option to have an experienced analyst do a one time hands-on audit of your site. It is entirely optional.

      Wordfence is software designed to run on a huge range of sites and configurations. The audit is done by a human and tailored for your specific site. An analyst signs in and goes through your site by hand to make sure it is locked down.

      In my opinion, in addition to Wordfence, it's worth every penny.


  • Hi,

    I have 2 questions:

    -what is the real differencebetween gravity scan and this audit service? Will it be correct to say that it is a much compelte analysis that the one included at gravity scan

    - In order to understand the audit product. I understand that after the audit has been done you present a report to he user, with the things that are OK, need improvementor are wrong? Is this correct? Will you provide a list of actions to correct those things that are wrong or need improvement? Are they suggested by the analyst?

    -If I have just renewed wordfence, can I pay $50 for the audit?



    • Gravityscan is an automated vulnerability and malware scan.

      The security audit is done by a highly trained and experienced analyst. It is recommended in addition to any software you're running.

      Yes, that is correct. The analyst provides you with a detailed report. There is a sample report in the post above.

      Yes you can get the audit for $50 - I think our team usually does that. Contact presales using our customer support form.


  • Hi Mark,

    I think the audit is a great idea and the perfect intro for your premium service. How long does a security audit usually take?

    • The audit takes 1 business day unless otherwise noted on checkout.


  • Why do I need a Wordfence Security Audit if I'm running your security plug-in?

    • Well... that's a bit like asking "why do I need my motorcycle and riding style checked if I'm wearing a helmet?"

      The Wordfence firewall stops attackers from exploiting vulnerabilities on your site. (A helmet stops your head from imploding on crash)

      The audit removes the vulnerabilities and makes sure Wordfence is configured optimally for your environment and that you are following security best practices. (Making the bike and rider safer means you're less likely to need a helmet.)

      Hope that makes sense.


      • Got it. Thank you.

  • I have no doubt about wordfence security although i am using free. All control with intelligent for all spammer. Strong control and everything go without any problem for my site. Maybe i will go premium in the next