The problem
One plugin doing everything is a single point of failure.
Most WordPress security postures are exactly this: a single all-in-one security plugin handling firewall, login protection, file integrity monitoring, and scanning simultaneously. Install it, check the box, move on. The problem isn’t that these plugins are bad — it’s the architecture. When that one plugin fails, is bypassed, or gets exploited itself, there’s nothing underneath it. No second layer. No detection. No alert.
The more insidious version of this problem is the site that was compromised weeks ago and nobody noticed. The attacker isn’t defacing anything — they’re running spam campaigns, exfiltrating data, or waiting. A plugin that only fires on known signatures can’t catch what it’s never seen before.
Security is not a product you install. It’s a layered architecture where each component catches what the previous one misses, alerts reach a human when something unexpected happens, and the configuration is version-controlled so you know exactly what changed and when.
What I build
Layered, monitored, and maintained.
- Security audit & threat model: current state assessment, plugin inventory, exposed attack surfaces, server configuration review — before any changes are made
- Cloudflare WAF configuration: zone-level firewall rules, bot management, rate limiting, challenge pages for suspicious traffic — tuned to avoid blocking legitimate users and your own tools
- CrowdSec with nginx bouncer: behavioural detection at the server level, community threat intelligence feeds, custom scenarios for WordPress-specific attack patterns — with careful allowlist configuration so your page builder sessions don't trigger it
- Wazuh SIEM with custom detection rules: file integrity monitoring, log analysis, custom rules for WordPress core/plugin anomalies, alerting via Zoho Cliq or your preferred channel — not just logging, but detecting
- nginx hardening: security headers, hidden server tokens, restricted HTTP methods, dotfile protection, PHP execution prevention in upload directories, xmlrpc and author enumeration blocking
- Server configuration version control: etckeeper with GitLab integration — every change to /etc is committed automatically. When your hosting provider silently overwrites your SSL config, you see it immediately
- Authentik SSO / forward auth: centralised identity management for protecting admin panels, staging environments, and internal tools — single sign-on without putting everything behind a VPN
- Alerting & incident response runbook: configured alert routing to your communication stack, documented escalation paths, and a written response guide so that when an alert fires at 11pm someone knows what to do
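The nginx hardening item above, as an added illustration rather than a configuration from this page: one server block that applies each listed control. The hostname, document root, certificate paths and php-fpm socket are assumptions.

```nginx
# Added example (not the page's own config): hostname, paths and socket are assumptions
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Hidden server tokens: drop the nginx version from the Server header and error pages
    server_tokens off;
    # Security headers, sent on every response including error pages
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Restricted HTTP methods: a WordPress front end needs only GET, HEAD and POST
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }
    # Author enumeration blocking: /?author=N would otherwise redirect to the username
    if ($args ~* "^author=\d+") {
        return 403;
    }

    # Dotfile protection: .git, .env, .htaccess and similar never get served
    location ~ /\. {
        return 404;
    }
    # xmlrpc blocking: a frequent brute-force and amplification target
    location = /xmlrpc.php {
        return 403;
    }
    # PHP execution prevention in uploads; listed before the general \.php$ location so it wins
    location ~* ^/wp-content/uploads/.*\.php$ {
        return 404;
    }

    # Remaining PHP is handed to php-fpm (socket path is an assumption)
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Run `nginx -t` before reloading, and note that blocking xmlrpc.php also disables Jetpack and the WordPress mobile apps, so allowlist it for those clients if they are in use.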
Real examples
What this looks like in practice.
Example: Full security stack for a 20-site WordPress installation
A managed WordPress hosting setup running 20 production sites needed coherent security coverage without a dedicated in-house team to maintain it. Deployed Cloudflare WAF at the zone level, CrowdSec with a shared blocklist across all sites, Wazuh FIM monitoring nginx config files with automatic alerts to Zoho Cliq when any file in /etc/nginx changes. etckeeper committed to a private GitLab repository. When the hosting provider silently rewrote SSL/TLS configuration during a maintenance window, the commit showed up in GitLab within minutes.
Example: Post-compromise hardening and root cause analysis
A WordPress e-commerce site had been compromised via an outdated plugin. The attacker had been present for an estimated three weeks before detection — injecting spam links into product descriptions and maintaining a backdoor. Removed the infection, identified and closed the entry vector, rebuilt the security stack from scratch including authenticated access to wp-admin via Authentik forward auth, eliminating the public attack surface entirely. Implemented monitoring so that the next anomaly gets flagged in minutes, not weeks.
Example: Protecting internal tools without a VPN
A small team needed to restrict access to staging environments, Matomo, and an internal documentation site without requiring all staff to manage VPN credentials. Deployed Authentik with forward auth on nginx, using SSO backed by the team's existing identity provider. Sensitive URLs return 401 to unauthenticated requests. No VPN. No per-tool credential management. One identity layer protecting everything.
Not right for
Who this doesn't suit.
- Sites on shared hosting where server-level configuration isn't accessible
- Anyone looking for a plugin recommendation rather than architecture
- Businesses that treat security as a one-time event rather than ongoing posture
- Projects where the goal is compliance theatre — looking secure on paper without being secure in practice