Security March 6, 2026 by Greg

We Pentest Websites Before Hackers Do. Here's What We Find.

Most businesses don’t think about website security until something breaks. A defaced homepage. Customer data leaked. Google flagging your site as “This site may be hacked.” By then, the damage is done.

We offer authorized penetration testing as a service — probing your website and server infrastructure for vulnerabilities before attackers find them. Here’s what we typically discover.

What a Pentest Actually Is

A penetration test (pentest) is a simulated attack against your systems, performed with your explicit authorization. We use the same tools and techniques that real attackers use, but instead of exploiting what we find, we document it and help you fix it.

This isn’t a vulnerability scanner running on autopilot. It’s a hands-on assessment by someone who understands web architecture, server configuration, and attack methodology.

The Most Common Findings

After pentesting dozens of client sites and prospects, these are the issues we find most often:

1. WordPress Admin Panels Exposed to the Internet

Found on: 78% of WordPress sites we test.

The WordPress login page (/wp-admin/ or /wp-login.php) is accessible to anyone on the internet. No IP restriction, no VPN requirement, no rate limiting beyond whatever plugin they installed (if any).

We’ve brute-forced weak admin passwords in under 4 minutes using common password lists. The fix: either don’t use WordPress, or restrict admin access to specific IPs via server configuration.

2. Outdated Plugins with Known CVEs

Found on: 89% of WordPress sites.

The average WordPress site we test has 7 plugins with known security vulnerabilities (CVEs). These aren’t theoretical — they’re documented exploits with proof-of-concept code available on GitHub.

Common culprits: Contact Form 7 (XSS), Elementor (authenticated RCE), WP File Manager (unauthenticated upload), and Yoast SEO (SQL injection in older versions).

3. Missing Security Headers

Found on: 92% of all sites we test.

No Content-Security-Policy. No X-Frame-Options. No Strict-Transport-Security. These headers take 5 minutes to configure and prevent entire classes of attacks: Content-Security-Policy blocks injected scripts (XSS), X-Frame-Options stops clickjacking, and Strict-Transport-Security prevents protocol downgrade.

4. Directory Listing Enabled

Found on: 34% of Apache-based sites.

Browsing to /wp-content/uploads/ shows every file ever uploaded to the site. Sensitive documents, internal PDFs, backup files — all publicly accessible and indexed by Google.
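As an added example (not the author's tooling), here is a small Python check that flags the missing-header findings from item 3 and the directory-listing finding from item 4 on a raw HTTP response. The two sample responses are constructed for the example, and the one-year minimum HSTS max-age is an assumption rather than something the article states.

```python
import re
# Headers from item 3, with the attack class each one addresses.
REQUIRED_HEADERS = {
    "content-security-policy": "XSS",
    "x-frame-options": "clickjacking",
    "strict-transport-security": "protocol downgrade",
}
MIN_HSTS_AGE = 31536000  # assumed one-year minimum for a meaningful HSTS policy

def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def missing_security_headers(headers):
    """Report each absent header, plus an HSTS policy too short to be useful."""
    findings = [f"missing {name} ({attack})"
                for name, attack in REQUIRED_HEADERS.items() if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append("strict-transport-security max-age below one year")
    return findings

def has_directory_listing(status, body):
    """Apache and nginx autoindex pages carry an 'Index of /...' title."""
    return status == 200 and re.search(r"<title>Index of /", body) is not None

def assess(raw):
    """Run the item 3 and item 4 checks against one raw response."""
    status, headers, body = parse_raw_response(raw)
    findings = missing_security_headers(headers)
    if has_directory_listing(status, body):
        findings.append("directory listing enabled")
    return findings

# Constructed samples: an unhardened uploads directory, then a hardened one.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
                 "<html><head><title>Index of /wp-content/uploads</title></head>"
                 '<body><a href="backup.sql">backup.sql</a></body></html>')
HARDENED_RESPONSE = ("HTTP/1.1 403 Forbidden\r\nX-Frame-Options: DENY\r\n"
                     "Content-Security-Policy: default-src 'self'\r\n"
                     "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
                     "\r\n<html><body>Forbidden</body></html>")
```

Feed it the raw text of a response captured from your own site to get the same findings list the report would carry for these two items.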

5. Sensitive Files in Web Root

Found on: 23% of sites.

.env files with database passwords. backup.sql with full database dumps. .git/ directories exposing the entire source code history. phpinfo.php revealing server configuration details.

Every one of these is a critical finding that takes under 5 seconds to exploit.

6. No Rate Limiting on Authentication

Found on: 67% of sites with login forms.

Login forms, API endpoints, and password reset flows with no rate limiting. An attacker can submit thousands of login attempts per minute with no throttling.

What Our Pentest Includes

Our web application pentest covers:

  • Reconnaissance: Domain enumeration, technology fingerprinting, exposed services
  • Authentication testing: Brute force, credential stuffing, session management
  • Input validation: SQL injection, XSS, command injection, path traversal
  • Configuration review: Security headers, TLS configuration, directory permissions
  • Business logic: Payment bypass, privilege escalation, access control
  • Server-side: SSH configuration, open ports, service versions, firewall rules
  • Report: Executive summary + technical details + remediation steps for every finding

Why We Don’t Pentest WordPress Sites (Usually)

We already know what we’ll find. WordPress sites have a predictable attack surface: exposed admin panel, outdated plugins, weak passwords, directory listing, and missing headers. We’ll pentest it if you want, but the recommendation will be the same: rebuild on a secure framework.

The sites we build on Astro have a fundamentally different security posture:

  • No admin panel to attack (static HTML, no login)
  • No plugins with CVEs (zero server-side code)
  • No database to inject into (no SQL, no queries)
  • Security headers configured by default on every site
  • Server hardening applied before the first deploy

You can’t hack a site that doesn’t have server-side code. That’s not marketing — it’s architecture.

Get Your Site Tested

We offer standalone pentest engagements for businesses that want to know where they stand. You get a full report with findings ranked by severity, proof-of-concept demonstrations, and step-by-step remediation guidance.

Request a pentest or ask about it as part of our server security service.