pixelpotion

Your CMS shouldn't be a liability.

We audit, harden, and right-size the CMS behind your site — WordPress, Drupal, Ghost, headless, static, or fully custom. Then we replace the overburdened plugin stack with simple, tailored pieces that fit your business and don't quietly rot between updates.

The threat landscape

The numbers nobody wants to put on a board slide.

43%

of cyberattacks target small businesses.

90%

of breached CMS sites had an outdated plugin or module.

≤24h

average time from new CVE disclosure to active exploit attempts.

$120k

average cost of a small-business breach incident.

Sources: Verizon DBIR, Sucuri Hacked Website Report, IBM Cost of a Data Breach.

Self-assessment

If you nod at three or more of these, we should talk.

This is the opening checklist we run on every audit, regardless of CMS. It takes ninety seconds and tells you whether your site is in real maintenance mode — or quietly waiting to be exploited.

  • 01 Your CMS core, theme, or plugins/modules haven't been updated in 6+ months.
  • 02 You can't list everyone with admin access — including former contractors and agencies.
  • 03 Backups exist 'somewhere on the host' but nobody has ever tested a restore.
  • 04 Admin login has no 2FA, no rate limiting, and no IP allowlist.
  • 05 You have no WAF, no malware scanning, and no uptime / integrity monitoring.
  • 06 The site runs on shared hosting with an end-of-life runtime (PHP 7.x, old Node, etc.).
  • 07 Nulled, cracked, or abandoned plugins / themes are installed — even just one.
  • 08 Half the plugins or modules were installed to solve a problem nobody remembers.
  • 09 Your last security review was the day the site launched, however many years ago.

What's in the audit

Six checks. Every site. No checkbox theater.

01

Core, theme & plugin inventory

Every dependency, its version, and its current CVE exposure mapped against active exploits — whatever CMS you're on.

02

Access & identity audit

Every admin/editor account, every API key, every active session — pruned, rotated, and locked down with 2FA.

03

Configuration hardening

Config files, admin endpoints, debug flags, file permissions, and HTTP security headers brought to modern standards.

04

Malware & integrity scan

Deep filesystem scan, database scan, and a known-good baseline you can diff against forever.

05

Backup & restore drill

Off-site automated backups plus an actual test restore — because untested backups are not backups.

06

Monitoring & alerting

Uptime, file-integrity, login, and WAF alerts wired into email / Slack so you hear about problems before customers do.
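The "known-good baseline you can diff against" from check 04 and the file-integrity alerting from check 06 rest on the same mechanism: a hash manifest of the site tree, recomputed later and compared. The script below is an added illustration, not pixelpotion's tooling; the site layout, the skipped directory names and the simulated drift are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not the service's own code): a minimal file-integrity baseline.
# Directories that legitimately churn (uploads, caches) are excluded so alerts stay meaningful.

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: str, skip_dirs=("uploads", "cache", "node_modules")) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root_path = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        # Pruning dirnames in place stops os.walk from descending into noisy directories.
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return baseline

def diff_baseline(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths between the stored baseline and a new snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed sample site tree: take a baseline, simulate drift, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-content" / "plugins" / "seo").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content" / "plugins" / "seo" / "seo.php").write_text("<?php // v1\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
        baseline = build_baseline(root)
        # Simulated drift: an edited plugin file, an unknown new PHP file, a changed upload.
        (site / "wp-content" / "plugins" / "seo" / "seo.php").write_text("<?php // v1 + edit\n")
        (site / "wp-content" / "plugins" / "seo" / "cls.php").write_text("<?php // unknown\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\x00")
        return diff_baseline(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline off the web host (object storage, a git repo, the monitoring box): a manifest that lives next to the files it protects can be rewritten by whoever changed those files.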

Engagement options

One-time cleanup, ongoing care, or a right-sized rebuild.

Triage

One-time audit & hardening

From $1,500
  • Full security & complexity audit with prioritized risk register
  • Critical patches & access cleanup
  • Backups configured & test-restored once
  • Hardened config, headers, and admin login
  • Written handoff with remaining recommendations

Most chosen
Caretaker

Monthly managed care

From $450 / mo
  • Everything in Triage, plus:
  • Weekly core / theme / plugin / module patching
  • 24/7 uptime, WAF, and malware monitoring
  • Off-site daily backups with monthly test restores
  • Quarterly access review & security report
  • Priority response on incidents

Right-Size

Rebuild on the simplest stack that fits

Project-based
  • Honest 'is this the right CMS at all?' assessment
  • Rebuild on a lighter, safer stack — leaner CMS, headless, static, or a small custom app
  • Tailored to your team — no plugin zoo, no features you'll never use
  • Content migration & redirect map (zero SEO loss)
  • Launch + 30 days of post-launch support, optional Caretaker handoff

What you walk away with

Tangible artifacts. Not a PDF that lives in a Slack DM.

  • Security & complexity audit with risk register
  • Hardened, monitored, backed-up site on its current stack
  • Tested backup and restore procedure
  • A right-sizing plan: keep, prune, or rebuild — with honest tradeoffs

Questions we hear constantly

FAQ.

What CMS platforms do you actually work with?

All of them. WordPress, Drupal, Joomla, Ghost, Craft, Sanity, Contentful, Strapi, Payload, Webflow exports, Shopify content, static sites, fully custom — if it serves your pages, we can audit and harden it. We're solution-agnostic by design.

Do you host the site, or do we keep our current host?

Either works. Most clients stay on their current host while we harden it; if the host is genuinely the problem (slow, insecure, oversold shared servers), we'll recommend and migrate you to a managed or VPS provider that fits.

What if our site has already been hacked?

That's the Triage package. We'll clean infected files, rotate every credential, restore from a known-good backup if needed, and harden the site so the same attacker can't walk back in through the same door.

How long does the initial audit take?

We typically deliver the written audit and risk register within 5–7 business days, and the first round of hardening goes live the following week.

Will updates break our site?

We test every update on a staging copy first, run a visual diff, and only push to production when it's clean. If something does break, we roll back automatically — that's what the tested backups are for.

Should we just stop using our current CMS?

Sometimes — that's the Right-Size conversation. If your site is mostly marketing pages with a small content need, a lighter stack is faster, cheaper to run, and dramatically more secure. If your CMS is genuinely earning its keep, we'll keep it and lock it down. We don't push rebuilds you don't need.

Why simple over feature-rich plugins?

Every plugin is a permanent maintenance and security liability. We'd rather build the one small piece you actually need — tailored to your workflow — than install five plugins, four of which you'll forget exist until one of them is the vulnerability in next year's breach report.

Stop running your business around your tools.

Get a free AI Assessment and walk away with a clear, prioritized plan for where automation will actually move the needle — typically in 30 days or less.

Free, no pitch. Just an honest look at what's worth automating.