Do you cover WooCommerce and custom plugins?

Yes. The audit is specifically meant to look at the surface added by plugins, custom endpoints, media exposure, and integrations, not only WordPress core.

Is a security plugin enough?

No. A security plugin can filter some traffic, but it does not replace reviewing exposed routes, roles, files, and business logic.

Is this useful even without e-commerce?

Yes. An editorial WordPress site can already expose users, drafts, private media, webhooks, or sensitive options.

WordPress Audit

Your production WordPress.
Not just the version number.

Name: CleanIssue
Price range: €€

A fully patched WordPress can still expose REST routes, ACF options, abandoned plugins, sensitive media, and fragile automation flows. This audit looks at the real surface of the CMS, the plugins, and the integrations living around it.

What we verify

REST API and plugin namespaces

Native and custom routes, users, media, ACF endpoints, and plugin paths that open up unexpected surfaces.

Plugins, roles, and back-office surface

Abandoned plugins, exposed admin pages, over-broad role logic, and reliance on historical plugin behavior.

Media, files, and exports

Media library items, PDFs, exports, private documents, and uploaded files reachable by direct URL or enumeration.

Webhooks, forms, and integrations

Automations, CRM flows, forms, payment callbacks, or business workflows attached to the CMS without strong verification.

What we often find

A REST API that says more than expected

Users, options, private content, or business routes exposed without the access level the team assumes exists.

Forgotten plugins and endpoints

Support functions, CSV exports, ACF configuration, AI hooks, or analytics routes accessible publicly.

Media and documents that are still retrievable

Files meant to stay private but reachable by predictable URL or easy enumeration.

Security focused on passwords, not on the surface

The CMS itself is up to date, but the real exposure sits in plugins, roles, routes, and the automation layer around it.

Ideal for

WordPress sites managing client accounts, premium content, private media, or member areas
Marketing sites enriched with business plugins, ACF Pro, forms, or CRM integrations
WooCommerce stores or B2B portals with customer data and internal workflows
Teams that want to validate the real CMS surface instead of just checking that WordPress is updated

Your production WordPress.
Not just the version number.

What we verify

REST API and plugin namespaces

Plugins, roles, and back-office surface

Media, files, and exports

Webhooks, forms, and integrations

What we often find

A REST API that says more than expected

Forgotten plugins and endpoints

Media and documents that are still retrievable

Security focused on passwords, not on the surface

Ideal for

Related reads and pages

WordPress 6.8 and bcrypt

Dangerous WordPress REST API endpoints

API & webhook audit

External Review

FAQ

Need an external review of your HR SaaS?

Your production WordPress.Not just the version number.

What we verify

REST API and plugin namespaces

Plugins, roles, and back-office surface

Media, files, and exports

Webhooks, forms, and integrations

What we often find

A REST API that says more than expected

Forgotten plugins and endpoints

Media and documents that are still retrievable

Security focused on passwords, not on the surface

Ideal for

Related reads and pages

WordPress 6.8 and bcrypt

Dangerous WordPress REST API endpoints

API & webhook audit

External Review

FAQ

Need an external review of your HR SaaS?

Your production WordPress.
Not just the version number.