Understand what your scan found

How to tell if your WordPress site has been hacked — the warning signs, what to check, and exactly what to do next. No technical knowledge required.

Read →

Your WordPress site is showing a Google malware warning or security flag. Here's what it means, how to check if it's real, and exactly how to get it removed.

Read →

The honest answer to how often you should run a WordPress security scan — and why the timing matters more than most site owners realise.

Read →

The most common WordPress security myths, debunked. What actually protects your site — and what's just noise that gives you false confidence.

Read →

Cleaned up your WordPress site and got hit again? You missed something. The five places backdoors hide, the forensic checklist, and when to rebuild.

Read →

A prioritised WordPress hardening checklist — 25 items across three urgency tiers, with inline fixes and two contested practices most guides still get wrong.

Read →

Find WordPress backdoors yourself — what they look like, where they hide, and the file + database checks that uncover them, with honest time estimates.

Read →

Cleaned up a hacked WordPress site but worried something survived? The verification checklist — what to check, where sleepers hide, when to call it clean.

Read →

File scanners miss WordPress database malware. The SQL queries that find malicious entries in wp_options, wp_postmeta, wp_posts and wp_users — safely.

Read →

Most guides tell you to disable the WordPress REST API and break Gutenberg. The real problem is one endpoint leaking usernames — two filters fix it.

Read →

A practical walkthrough to clean a hacked WordPress site — file scan, database pass, vulnerability close, verification, and when DIY stops being worth it.

Read →

How to add two-factor authentication to your WordPress admin in 2026 — which plugin to pick, the setup walkthrough, backup codes, and rollout to other admins.

Read →

What modern WordPress brute-force attacks look like, the four defenses that actually work in priority order, and which popular protections are theatre.

Read →

The Search Console review-request flow end-to-end — what to write, what to do if Google rejects, and the exact UI sequence to remove the hacked warning.

Read →

Where WordPress malware actually hides — files, database, or both — why most scanners miss one of them, and the order of operations for a cleanup that holds.

Read →

Plugins cause 91% of WordPress hacks. Learn how to detect vulnerable plugins, read CVE advisories without panic, and protect your site before attackers act.

Read →

WooCommerce stores face the same WordPress vulnerabilities as any site — plus the stakes of customer data and payment processing. Here's what matters.

Read →

If you build or maintain WordPress sites for clients, security isn't just their problem — it's yours. Here's how to manage it without it taking over your life.

Read →

Inheriting a WordPress site you didn't build? Step-by-step audit workflow — scan, forensic check, fix, re-scan — for agencies, freelancers, and VAs.

Read →

GuardingWP, Wordfence, WPScan, Sucuri — what each one actually does and when to use it. A plain-English guide to WordPress security tools.

Read →

The best free WordPress security plugins compared — plus when good hosting and Cloudflare make one redundant, and the Wordfence free-tier delay most skip.

Read →