SSL/TLS & Security Baseline

Security baseline, before security incident.

The unglamorous web-application and infrastructure hardening that prevents the most common attacks — the ones that hit small and mid-sized sites every week. SSL done right, security headers in place, login protected, two-factor enforced, vulnerabilities caught early.

Sub-techniques covered · Let’s Encrypt · Wildcard SSL · HSTS · CSP · Security Headers · WAF · Wordfence · Two-Factor Auth · Brute-Force Protection

01 — What’s Included

A baseline, not a checkbox.

Most small-business sites are not breached by an exotic zero-day. They are breached by an unpatched plugin, a weak admin password, an expired certificate that nobody noticed, or a default WordPress login left wide open to brute-force.

This is the boring, careful work that closes those doors — applied consistently, documented in plain language, and verified after deployment rather than declared “done” the moment a setting is flipped.

N° 01

SSL/TLS Provisioning & Auto-Renewal

Foundational

Free Let’s Encrypt certificates, paid wildcard certificates for multi-subdomain sites, and EV certificates where a regulated industry calls for them — provisioned, deployed, and verified across every hostname your business serves. Automatic renewal is configured, monitored, and tested with a deliberate failure-recovery drill, because the worst time to discover that auto-renew has been silently failing for three months is the morning your homepage starts throwing a browser warning. We also remove old, weak ciphers, enforce TLS 1.2 minimum (1.3 where supported), and tune cipher suites for the right balance of compatibility and security.

N° 02

HSTS & HTTPS Enforcement

Transport

HTTP Strict Transport Security tells browsers to never speak plain HTTP to your domain again — neutralising the most common downgrade and SSL-stripping attacks. We deploy HSTS with sensible max-age values, ramp up cautiously rather than in one breath, and submit to the browser preload list once the configuration is genuinely stable. Mixed-content warnings are hunted down at the source — usually a stray http:// image URL embedded in a years-old post — and redirect chains from http to https are collapsed into a single hop so the green padlock arrives without performance cost.

N° 03

Content Security Policy & Security Headers

Browser-side defence

A pragmatic Content-Security-Policy that blocks cross-site script injection without breaking your analytics, your tag manager, or your embedded chat widget — tuned in report-only mode first, then promoted to enforcement once we know what is genuinely yours and what is noise. Alongside CSP we deploy the rest of the modern header set: X-Frame-Options (or frame-ancestors) against clickjacking, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and a strict cookie policy with Secure, HttpOnly, and SameSite defaults. These are the headers Mozilla Observatory and securityheaders.com grade against, and they are where most small-business sites quietly fail.
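A small audit of the header set described above (and the HSTS ramp-up from the previous section), as an added example rather than the practice's own tooling. The sample headers are constructed, and the six-month HSTS threshold is an assumption chosen because it is the preload-list minimum.

```python
import re

# Constructed sample: roughly what `curl -I` returns from a half-hardened WordPress site.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri /csp"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "unsafe-url"),
    ("Set-Cookie", "wordpress_logged_in=abc; Path=/; HttpOnly"),
    ("Set-Cookie", "PHPSESSID=def; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HSTS_MIN_AGE = 15552000  # assumed threshold: six months, the preload-list minimum

def audit_headers(headers):
    """Return (severity, message) findings for a list of (name, value) pairs."""
    h, cookies, findings = {}, [], []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)          # may repeat, so keep every one
        else:
            h[name.lower()] = value
    # Transport: HSTS present and past its cautious ramp-up.
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append(("high", "Strict-Transport-Security missing"))
    elif not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append(("medium", "HSTS max-age below %d, still in ramp-up" % HSTS_MIN_AGE))
    # Script injection: an enforced CSP, not one left in report-only mode.
    csp = h.get("content-security-policy", "")
    if not csp:
        sev = "medium" if "content-security-policy-report-only" in h else "high"
        findings.append((sev, "Content-Security-Policy not enforced"))
    # Clickjacking: either CSP frame-ancestors or X-Frame-Options will do.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("medium", "no frame-ancestors or X-Frame-Options"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not nosniff"))
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url"):
        findings.append(("low", "Referrer-Policy missing or unsafe-url"))
    if "permissions-policy" not in h:
        findings.append(("low", "Permissions-Policy missing"))
    # Cookie policy: every Set-Cookie carries Secure, HttpOnly and SameSite.
    for c in cookies:
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            findings.append(("medium", "cookie %s lacks %s" % (c.split("=")[0], ", ".join(missing))))
    return findings
```

Run it against the sample and it reports the report-only CSP, the short HSTS max-age, the missing clickjacking defence and the login cookie without Secure or SameSite, which is exactly the gap between "configured" and "actually working".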

N° 04

WAF & Wordfence

Application firewall

A Web Application Firewall that filters traffic before it ever reaches your origin — Cloudflare’s WAF for sites already on the edge network, and Wordfence at the application layer for the WordPress sites that are our daily bread. We tune Wordfence with sensible rule sets, scheduled scans, real-time IP blocklists, and country blocking where the threat profile justifies it. Alerts are routed to a channel that is actually monitored, not an inbox that fills up unread, and rules are reviewed quarterly so they stay current rather than calcifying around last year’s threats. For deeper Cloudflare configuration — page rules, bot management, custom firewall logic — see Cloudflare & CDN.

N° 05

Login Protection & Two-Factor Authentication

Identity

The single highest-leverage security move for most WordPress sites is mandatory two-factor authentication on every administrator account. We deploy time-based one-time-password (TOTP) 2FA for all privileged users, retire shared logins, enforce strong-password policy, and rename or relocate /wp-login.php so the brute-force bots stop hammering the obvious door. Failed-login throttling, IP-level rate limiting through fail2ban or the equivalent, automatic lockout after repeated failures, and audit logging of every administrator session — applied as a coordinated set, not as scattered toggles.
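The failed-login throttling and automatic lockout described above, as an added example in Python rather than the practice's own fail2ban rules. The log format, thresholds and IP addresses are constructed for the demonstration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5    # lock out after this many failures ...
WINDOW = 600        # ... within ten minutes (assumed values, tune per site)
BAN_TIME = 3600     # lockout length in seconds
# Constructed log lines, "epoch ip outcome user"; not a real fail2ban or WordPress format.
SAMPLE_LOG = """\
1000 203.0.113.7 FAIL admin
1010 203.0.113.7 FAIL admin
1020 203.0.113.7 FAIL administrator
1030 203.0.113.7 FAIL editor
1040 198.51.100.9 FAIL admin
1050 203.0.113.7 FAIL root
1060 203.0.113.7 OK admin
1700 198.51.100.9 FAIL admin
"""

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> epoch at which the lockout lifts

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record(self, ip, ok, now):
        """Feed one login outcome; return True if the IP is locked out afterwards."""
        if self.is_banned(ip, now):
            return True                     # even a correct password is refused mid-ban
        q = self.failures[ip]
        if ok:
            q.clear()                       # a genuine login resets the counter
            return False
        q.append(now)
        while q and q[0] <= now - WINDOW:
            q.popleft()                     # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_TIME
            q.clear()
            return True
        return False

def replay(log):
    """Replay log lines in order; return ({ip: locked-out request count}, throttle)."""
    throttle, locked = LoginThrottle(), defaultdict(int)
    for line in log.splitlines():
        ts, ip, outcome, _user = line.split()
        if throttle.record(ip, outcome == "OK", int(ts)):
            locked[ip] += 1
    return dict(locked), throttle
```

The second address fails twice but its first failure has aged out of the window, so it is never locked out; the first address hits five failures in under a minute and stays locked for an hour, even when it then presents a valid password.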

N° 06

WordPress & Application Hardening

CMS layer

File-permission tightening (folders 755, files 644, wp-config.php at 600), database table-prefix changes for new installs, disabling file editing through the dashboard, restricting XML-RPC to the endpoints that genuinely need it, and removing the WordPress version disclosure that helps attackers fingerprint your stack. We also audit installed plugins and themes against the WPScan vulnerability database, retire unmaintained code, and document a monthly review cadence so the surface area stays small as the site evolves. Quiet, methodical work with outsized payoff.
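The file-permission baseline above (folders 755, files 644, wp-config.php at 600) as an added audit script, not the practice's tooling. It builds a throwaway sample install in a temporary directory so it runs offline; the sample paths are constructed.

```python
import os
import stat
import tempfile

# Baseline from the page: directories 755, regular files 644, wp-config.php 600.
EXPECTED = {"dir": 0o755, "file": 0o644}
SPECIAL = {"wp-config.php": 0o600}

def audit_permissions(root):
    """Return [(relative_path, actual_mode, expected_mode)] for every deviation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, "dir") for d in dirnames] + [(f, "file") for f in filenames]
        for name, kind in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a link's own mode is meaningless; audit its target instead
            actual = stat.S_IMODE(os.stat(path).st_mode)
            expected = SPECIAL.get(name, EXPECTED[kind])
            if actual != expected:
                findings.append((os.path.relpath(path, root), actual, expected))
    return findings

def build_sample_tree():
    """Constructed throwaway install: a world-writable uploads dir, a loose wp-config."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for d, mode in (("wp-content", 0o755), ("wp-content/uploads", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)   # chmod after create so umask cannot interfere
    for f, mode in (("index.php", 0o644), ("wp-config.php", 0o644),
                    ("wp-content/uploads/x.jpg", 0o664)):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), mode)
    return root

if __name__ == "__main__":
    for rel, actual, expected in audit_permissions(build_sample_tree()):
        print(f"{rel}: {actual:o} (expected {expected:o})")
```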

N° 07

Vulnerability Scanning & Patch Response

Continuous

Scheduled scans against the public CVE feeds and the WPScan database, with notification routed to the team that can actually act on it. When a critical vulnerability lands in a plugin, theme, or core dependency you rely on, we triage it within hours, patch within the disclosure window, and document what was changed and why. The aim is not zero exposure — that is unachievable — but a measurably shorter window between disclosure and remediation than a site without active monitoring would ever achieve.

N° 08

Security Audit & Posture Report

Baseline

A written audit of your current state: certificate inventory, header grades, plugin and theme exposure, login surface, file-permission posture, backup reachability, and the gap between “configured” and “actually working”. Each finding is documented with location, severity, evidence, and a recommended remediation, and the report is yours to keep — useful when an insurer, a new client, or a regulator asks the unavoidable question of what your security baseline actually looks like. This is not a penetration test or a SOC-2 audit; it is the practical posture check that should precede any of those.

02 — Our Approach

Audit. Layer. Document. Verify.

Security is not a configuration screen you tick through and forget. It is a posture, maintained over time, that improves slightly with every quiet, deliberate decision and degrades the moment attention lapses.

i

Audit before you act

The first deliverable is a written posture report. We test the certificate chain, grade the headers, list every plugin against the vulnerability database, inspect login configurations, and verify file permissions. Nothing is changed until the picture is clear, because security work driven by guesswork tends to break things that were not actually broken — and miss the things that were.

ii

Defence in layers

No single control is enough on its own. SSL is necessary but not sufficient. A firewall is necessary but not sufficient. Two-factor authentication is necessary but not sufficient. We build coordinated layers — transport, application, identity, monitoring — so a compromise of any one layer is caught and contained by another rather than propagating cleanly to your data.

iii

Documented, not mysterious

Every header, every rule, every excluded path, and every reason behind a configuration choice lives in a shared reference. Future-you, your developer, your insurer, or the next administrator who inherits the site can answer the obvious questions without having to reverse-engineer six months of changes. Security stays auditable instead of becoming arcane.

iv

Verify after deployment

We do not declare a header “configured” until securityheaders.com, Mozilla Observatory, or SSL Labs grades it as expected. We do not trust auto-renewal until we have watched a renewal succeed in the logs. Verification is the discipline that separates security work from security theatre, and we treat it as a non-negotiable closing step on every change.

03 — Who It’s For

Sites whose risk has quietly outgrown their setup.

Most growing businesses sit at a stage where the original security posture — usually whatever the host’s default install produced — has not kept pace with the data the site now collects, the audience it now reaches, or the obligations it has quietly inherited along the way.

A few recurring profiles where a security baseline pays for itself the first month it is in place.

  • i WordPress sites that have never been audited: The site has been running for years, plugins have come and gone, no one is sure which are still maintained, and the admin login is still at /wp-login.php. A baseline pass closes the obvious doors first.
  • ii Sites collecting personal information through forms: Intake forms, contact forms, application forms, anything that captures names, emails, or sensitive details. Privacy obligations now follow the data, and a documented security posture is no longer optional.
  • iii E-commerce stores past the brochure-site stage: Once a checkout is processing real cards, the security expectation jumps. PCI-DSS in spirit if not in scope, payment-form integrity, and a hardened admin perimeter all become baseline rather than aspirational.
  • iv Businesses recovering from a compromise: You found malware, your host suspended the account, or Google flagged the site as deceptive. Cleanup is one job; ensuring it does not recur is a different one, and that is where the baseline matters.
  • v Insurer or enterprise client asking the question: A new contract, an insurance renewal, or a vendor questionnaire wants written evidence of your security posture. We deliver the baseline and the documentation that lets you answer those questions without bluffing.

We are not a 24×7 security operations centre. We do not ship custom intrusion-detection systems, we do not run zero-day research, and we do not take on regulated workloads that require SOC-2, ISO 27001, or HIPAA-grade compliance evidence. What we do is bring small and mid-sized web properties from “default install” to a credible, documented security baseline that holds up against the attacks they are actually seeing every day. For everything beyond that perimeter, we will tell you honestly that it is beyond our perimeter — and recommend partners who specialise in it.

04 — A complimentary report

Curious how Google sees your site?

Send us your URL. We’ll send back a Premium SEO Report, prepared by hand, within 48 hours — domain authority, keyword rankings, backlinks, competitor gap, and the quick wins worth chasing first. We’ll also flag any visible security or certificate issues we notice along the way.

No sales call required.

Security is a posture, not a checkbox. The work is daily, quiet, and never quite finished.
— The Aureole Practice —
05 — Frequently Asked

Questions we get about web security.

If a question is missing here, the contact link at the foot of the page goes straight to the person who would answer it. No ticket queues, no funnels.

i Is your security baseline a substitute for a penetration test or SOC-2 audit?
No, and we want to be plain about that. A penetration test simulates an attacker actively probing your application for unknown vulnerabilities, and a SOC-2 audit is an external attestation of organisation-wide controls assessed against a specific framework. Neither is what we do. Our baseline is the foundational hygiene work that prevents the most common automated attacks — credential stuffing, plugin exploits, SSL downgrades, header-based injection — and it is the right precondition before paying for either of those higher-tier engagements. If you are heading into a pen test or SOC-2 audit, the baseline is what gets you ready; it is not what replaces them.
ii Do you provide 24×7 incident response or a security operations centre?
No. We do not run a 24×7 SOC, we do not provide a defined response-time SLA outside of business hours, and we do not staff a dedicated incident-response on-call rotation. What we do provide, on a maintenance retainer, is monitored alerts, scheduled vulnerability scans, and same-business-day patch response on critical disclosures. For organisations whose risk profile genuinely requires round-the-clock human eyes, we will tell you so honestly and recommend a managed-security partner whose model matches that need.
iii My site already has SSL — what else really matters?
SSL is necessary, but it is the floor, not the ceiling. A site with a green padlock and nothing else is still missing the controls that block the attacks small-business sites actually face: brute-force login attempts, plugin exploits, cross-site scripting through unsanctioned third-party scripts, and clickjacking. Most of these are addressed by a coherent set of HTTP security headers, a tightened login surface, two-factor authentication, and a small amount of WordPress hardening. The certificate is the visible reassurance to your visitors; the rest is the actual defence.
iv Will the security baseline break anything on my site?
It can if it is rolled out carelessly, which is why we don’t roll it out carelessly. Content Security Policy in particular is famously easy to over-tighten — the result is broken analytics, a missing chat widget, or fonts that fail to load. We deploy CSP in report-only mode first, watch the violation reports for a week, allow-list the legitimate sources, and only then promote to enforcement. The same staged approach applies to HSTS, to firewall rules, and to login changes. Configuration is verified end-to-end before we close the ticket.
v My site was compromised — can you clean it up?
In most cases, yes — for the WordPress, WooCommerce, and standard PHP-stack sites that make up our practice. We start with a forensic pass to identify the entry point and the scope of the compromise, restore from a clean backup where one exists, manually scrub injected files where a clean backup does not, rotate all credentials and salts, and submit a reconsideration request to Google Safe Browsing if the site was flagged. Recovery is then immediately followed by deployment of the security baseline, because cleaning a compromise without closing the door that allowed it is an exercise in being compromised again next month.
vi Can you help us answer a security questionnaire from a client or insurer?
Yes — the documentation we produce as part of a baseline engagement is designed for exactly this. We hand you a posture report covering certificate inventory, header configuration, login controls, two-factor coverage, vulnerability-scan cadence, backup posture, and incident-response contacts. That is enough to answer the majority of vendor and insurer questionnaires factually, and it gives you a defensible record of the baseline as it stood on a specific date. For organisations where the questionnaire requires controls beyond our perimeter, we will say so and help you scope what’s missing.
The Invitation

Ready to get the baseline in place?

Tell us what you have today — the host, the platform, whether anything has gone wrong, and whether anyone has audited the security posture before. We’ll respond within one business day with an honest read of where you stand and what would move the needle first.

Mon–Fri · 9–6 PT · support@aureoleintelligence.com · Reply within 1 business day