SHANNON
日本語 Contact us

WordPress tamper and intrusion protection,
from assessment to operation.

We continuously run vulnerability scanning, WAF, login hardening, tamper detection, backup, and patch management through an assess → harden → monitor cycle. We cover the areas that installing free plugins alone cannot reach.

Request a security assessment See what we cover
Pain points

Does any of this sound familiar?

Because WordPress is so widely used, it is a frequent target. There are situations that installing free plugins alone cannot address.

Your site was tampered with before, and you are worried it will happen again.
You have no WAF, or it is still on its default settings.
Plugin and theme updates have fallen behind, and you have no view of your vulnerabilities.
The admin URL is still the default, and you face brute-force attacks every day.
An audit, ISMS, or client requirement asks you for WordPress security evidence.
You installed free plugins but have never verified whether they actually work.
Approach

The "assess → harden → monitor" cycle

Security is never a one-off task. We include continuous patch management and monitoring.

01

Assess

We inspect your current WordPress setup with vulnerability scanning, configuration audits, and a plugin inventory. We combine automated scanning via WPScan / Wordfence with a hands-on configuration review.

02

Harden

We implement WAF configuration, login hardening, file integrity monitoring, admin protection, and HTTPS hardening. We also remove or replace vulnerable plugins and make themes safer.

03

Monitor

We run tamper detection on production, monitor unauthorized login attempts, and keep up with plugin updates on a monthly basis. We build in the operation needed to maintain the hardened state.

Scope

What we cover

We carry out only the scope you need, based on your site's state and requirements.

01 Diagnose

Security assessment report

We inspect your current WordPress with WPScan and a configuration review, then document vulnerabilities, misconfigurations, and operational risks. You can choose to stop at the assessment.

  • Known-vulnerability detection with WPScan
  • Plugin and theme inventory
  • Admin and login protection review
  • WAF configuration check
  • SSL / TLS configuration review
  • PDF report delivered
02 Hardening

WordPress core and configuration hardening

We harden WordPress core, PHP, and database settings to a level that still works with day-to-day operation. We never lock things down so tightly that editors can no longer work.

  • wp-config.php / .htaccess settings
  • Disable in-dashboard file editing
  • Block unnecessary REST API endpoints
  • XML-RPC restrictions
  • Hide version information
  • Force HTTPS and configure HSTS
03 Login

Login and admin protection

We protect the admin and login screens, which are common brute-force targets. We cover multi-factor authentication, IP restrictions, login URL changes, and reCAPTCHA.

  • Custom admin URL
  • Multi-factor authentication (TOTP / WebAuthn)
  • IP address restrictions
  • Login attempt limits
  • reCAPTCHA / hCaptcha setup
  • Audit log recording
04 WAF

WAF design and setup

We select from Cloudflare WAF / AWS WAF / SiteGuard / WP-Cerber and more to fit your server setup, and tune rules and suppress false positives so the configuration holds up in real operation.

  • Cloudflare WAF design
  • AWS WAF design
  • SiteGuard / WP-Cerber configuration
  • Custom rule additions
  • False-positive suppression
  • Attack-detection alert design
05 Detect

Tamper detection and audit logs

We continuously monitor file integrity in production to detect tampering. We also record admin activity logs to prepare for internal controls and audits.

  • File integrity monitoring
  • Detection of injected malicious files
  • Admin activity logs
  • Failed login attempt logs
  • Change notifications (Slack / email)
  • Export for audits
06 Backup

Backup and recovery design

We put in place a structure that can recover even after tampering or intrusion. We confirm that backups can actually be restored, not just that they are being taken.

  • Daily backups (DB + files)
  • Off-site storage (S3 + separate region)
  • Version retention (30 / 90 days)
  • Restore drills
  • Agreement on RTO / RPO
  • Recovery procedure documents
07 Patch

Continuous patch management

We plan and apply WordPress core, plugin, and theme updates on a monthly basis. Security patches are applied immediately; feature updates are applied after verification.

  • WordPress core patches
  • Plugin updates (applied after verification)
  • Theme updates
  • Immediate response to emergency patches
  • Pre-checks on a verification environment
  • Monthly reports
08 Recover

Recovery support after intrusion or tampering

We also handle investigation and recovery for sites that have already been tampered with or breached, covering root-cause identification, trace removal, and prevention of recurrence as a set.

  • Identify the intrusion path
  • Remove malware and backdoors
  • Restore to a clean state
  • Bulk password reset
  • Security hardening to prevent recurrence
  • Support for reporting to relevant parties
Process

How we work

  • 01Free consultation — we ask about your site URL and current security measures (30 minutes).
  • 02Security assessment — we document risks via WPScan, a configuration audit, and a plugin inventory.
  • 03Proposal and quote — hardening priorities and timeline, in writing.
  • 04Hardening — we carry out only the agreed scope, verifying on staging before going to production.
  • 05Monitoring and operation — tamper detection and patch management continue monthly, with monthly reports.
Plans

Engagement options

Three options depending on the scale of the work. Pricing is provided in writing once requirements are confirmed.

Diagnose

Security assessment only

  • WPScan + configuration audit
  • Risk-priority report
  • Option to stop at the assessment
  • PDF report delivered
Harden

Assessment + hardening

  • WAF, login hardening, tamper detection
  • Staging verification before production
  • Operation documents delivered
  • Scope tuned to the assessment results
Continuous

Continuous security operation

  • Tamper detection and intrusion monitoring
  • Monthly patch management
  • Immediate response to emergency patches
  • Scope agreed individually in the contract
Comparison

Compared with other options

Option A

Free plugins only

  • Installed but never properly configured
  • Default settings leave protection limited
  • No WAF or tamper detection
  • Emergency patches fall behind
Option B

A single security product

  • Only the product's out-of-the-box coverage
  • You still run operation in-house
  • No WordPress-specific measures
  • No recovery support after a breach
SHANNON

Assess → harden → monitor

  • Addresses WordPress-specific risks
  • Hardening that still works with operation
  • Tamper detection + monthly patch management
  • Recovery support after a breach too
Promises

Our promises

01 — Operable Hardening that fits operation We never lock things down so tightly that editors cannot work; we harden to a level that fits day-to-day editing.
02 — Verified Verified before production We verify every feature on staging before going to production, minimizing the risk of downtime.
03 — Recovery Recovery after a breach too Beyond ongoing operation after hardening, we also investigate and recover sites that have already been tampered with or breached.
FAQ

Frequently asked questions

Yes. We handle the whole flow: identifying the intrusion path, removing malware, restoring to a clean state, and hardening security to prevent recurrence. For urgent cases we start as soon as possible within business days (we do not provide overnight or weekend on-call support).
Yes. We design around the constraints specific to multisite, such as permissions, shared themes, and plugin management. If there are many subsites, we discuss the scope during the assessment as we proceed.
We deliver in a usable format. We produce assessment reports, operation procedure documents, tamper detection logs, patch application records, and more at a level of detail you can submit during an audit. If you have specific requirements, we align on them in advance.
This package is WordPress-specific. For PowerCMS / Movable Type / Drupal and similar, we handle it through the security hardening sub-service of infrastructure build and operation.
Generally no. Multi-factor authentication and IP restrictions do affect editors, but we design them to fit your workflow. We also provide editor-facing guidance when we roll them out.
We verify every feature on staging before going to production. When we apply changes to production, we take a backup first and roll them out in stages. We also prepare a rollback procedure in advance in case any issue arises.

Get in touch.

Everything you share is treated as confidential.
We reply within two business days of your inquiry.

Contact form
Request a security assessment