PAID SERVICE · FROM AUD $599

Website Security Remediation.

Got a fail list from a security scan? We apply the fixes — HTTP headers, MTA-STS, DMARC enforcement, TLS hardening, CSP — and re-scan to confirm. Configuration only, no rebuild. Before/after grade is the deliverable.

01 — HTTP SECURITY HEADERS

Browser-side defences your site is missing

Most SMB websites serve none of the headers a modern browser needs to defend the user. We add the missing ones, set sensible values, and verify they survive your CDN.

  • Content-Security-Policy — allowlist your real script and style origins; block the rest.
  • Strict-Transport-Security — long max-age, includeSubDomains, preload-eligible.
  • X-Frame-Options + frame-ancestors — clickjacking protection.
  • X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy.
  • CORP / COOP / COEP — cross-origin isolation where it makes sense.
  • Cookie flags — Secure, HttpOnly, SameSite on every Set-Cookie.
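
The fail list a scan produces for this section can be reproduced with a small grader. The block below is an added example, not the service's own scanner; the before/after header sets and cookies are constructed.

```python
"""Grade a site's response headers and cookies against the checks listed above.
Added example, not the service's own scanner; the header sets are constructed."""
import re

REQUIRED = ("content-security-policy", "x-content-type-options",
            "referrer-policy", "permissions-policy")

def check_headers(headers, set_cookies):
    """Return the fail list (empty list means every check passed)."""
    h = {k.lower(): v for k, v in headers.items()}
    fails = [f"missing {name}" for name in REQUIRED if name not in h]
    # HSTS: present, max-age of at least a year, includeSubDomains
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        fails.append("missing strict-transport-security")
    else:
        if int(m.group(1)) < 31536000:
            fails.append("hsts max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            fails.append("hsts lacks includeSubDomains")
    # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        fails.append("no clickjacking protection (XFO or frame-ancestors)")
    if h.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        fails.append("x-content-type-options is not nosniff")
    # Every Set-Cookie needs Secure, HttpOnly and an explicit SameSite
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                fails.append(f"cookie {name} lacks {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            fails.append(f"cookie {name} lacks SameSite")
    return fails

# Constructed before/after header sets for a typical SMB site
BEFORE = {"Server": "nginx", "Content-Type": "text/html"}
BEFORE_COOKIES = ["session=abc123; Path=/"]
AFTER = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
AFTER_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]
```

Run against the live response before and after the change: the pre-fix set yields nine failures, the post-fix set an empty list, and that pair is the before/after result.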

02 — EMAIL AUTHENTICATION

Stop attackers impersonating your domain

Email security and website security share the same DNS — an unenforced DMARC policy lets attackers send mail as you, which damages your domain's reputation and your customers' trust.

  • SPF — bring DNS lookups under the 10-lookup limit, switch ~all → -all.
  • DKIM — enable on every sending source (M365, Google, mailers).
  • DMARC — move from p=none to p=quarantine or p=reject with reporting.
  • MTA-STS + TLS-RPT — force TLS on inbound mail, get failure reports.
  • BIMI — logo record for inbox-display branding (when DMARC allows).
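
The SPF and DMARC checks in the list above, as an added example that is not the service's tooling. The records are constructed; DNS lookups are counted for the given record only, so a real check also resolves each include's own record before comparing against the limit.

```python
"""Check SPF and DMARC TXT records as described above. Added example, not the
service's tooling: records are constructed and lookups are counted per record."""
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs 1 lookup

def check_spf(record):
    """Return the fail list for one SPF TXT record (empty list means pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    fails, lookups, all_term = [], 0, None
    for term in terms[1:]:
        body = term.lstrip("+-~?")            # drop the qualifier
        if body.lower() == "all":
            all_term = term
        elif re.split(r"[:/=]", body, maxsplit=1)[0].lower() in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        fails.append(f"{lookups} DNS lookups exceeds the limit of 10")
    if all_term is None:
        fails.append("no all mechanism; unlisted senders get a neutral result")
    elif all_term == "~all":
        fails.append("~all softfail; switch to -all")
    elif all_term in ("all", "+all"):
        fails.append("+all authorises every sender")
    return fails

def check_dmarc(record):
    """Return the fail list for a _dmarc TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    fails = []
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        fails.append(f"policy p={tags.get('p', 'none')} is not enforced")
    if "rua" not in tags:
        fails.append("no rua reporting address")
    if int(tags.get("pct", "100")) < 100:
        fails.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    return fails

# Constructed records: an over-budget softfail SPF and an unenforced DMARC
SPF_BEFORE = ("v=spf1 a mx ptr include:a.example include:b.example include:c.example "
              "include:d.example include:e.example include:f.example include:g.example include:h.example ~all")
DMARC_BEFORE = "v=DMARC1; p=none"
```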

03 — TLS + DNS HARDENING

The records attackers check first

Your TLS certificate, DNS records, and redirect chain are the foundation. Get these wrong and every header fix above is undermined.

  • TLS — modern cipher suites, OCSP stapling, no protocol downgrade paths.
  • Redirect chain — collapse to a single HTTP→HTTPS hop.
  • CAA — pin the certificate authorities (e.g. your ACME issuer) allowed to issue certs for your domain.
  • DNSSEC — sign your zone where the registrar supports it.
  • Sensitive paths — block /.env, /.git, backup archives at the edge.

04 — VERIFICATION

Before/after, not 'trust us'

The fix isn't real until the scan confirms it. Every engagement includes a starting baseline, applied changes, and a re-scan against the same checks.

  • Pre-fix scan — your starting grade and the full failure list.
  • Applied fix list with diffs — exactly what we changed and where.
  • Post-fix scan + before/after grade — the deliverable, not a promise.
  • 30-day follow-up — we re-check at day 30 to catch silent regressions.

PRICING

Three tiers. Fixed price.

Pick the tier that matches what your scan flagged. We'll confirm the right fit on a free 30-min discovery call before any commitment.

Basic

AUD $599

Headers + cookies + DMARC enforcement. The fast win.

  • All HTTP security headers (CSP, HSTS, XFO, XCTO, Referrer-Policy, Permissions-Policy)
  • Cookie flags audit + fix (Secure, HttpOnly, SameSite)
  • DMARC moved to p=quarantine or p=reject with rua reporting
  • Pre/post scan with before/after grade
  • Typical lead time: 3–5 business days

MOST COMMON

Standard

AUD $999

Adds MTA-STS, TLS-RPT, DNS hardening, redirect cleanup.

  • Everything in Basic
  • MTA-STS policy file + TXT record + TLS-RPT reporting
  • CAA records (registrar-pinned issuers)
  • DNSSEC enablement (where the registrar supports it)
  • TLS configuration + redirect chain cleanup
  • Typical lead time: 1–2 weeks

Full

AUD $1,800

Adds WAF wiring, nonce-based CSP, ongoing 30-day watch.

  • Everything in Standard
  • WAF wiring (Cloudflare or ModSecurity)
  • CSP hardened to nonce-based — blocks inline scripts that don't carry the per-response nonce
  • Sensitive-path blocking at the edge (.env, .git, /admin, backups)
  • 30-day re-scan to catch regressions
  • Typical lead time: 2–3 weeks

WHAT YOU GET

A working result. Not a recommendation.

Before/after scan report

Plain-English report showing your starting grade, every fix applied with the actual config diff, and the post-fix grade. Print-ready.

Applied fixes — not advice

We change the actual configuration on your server, your DNS, and your headers. You get a working result, not a 'here's what to tell your IT person' document.

30-day regression watch

We re-scan your site at day 30 and flag any setting that drifted. Most regressions come from CDN config changes — we catch them before your customers do.

SCOPE BOUNDARY

When this isn't the right service

Remediation fixes configuration. It doesn't fix structural problems. If any of the below describe your situation, talk to us about a different engagement instead.

  • Your CMS is years out of date — patching brings new bugs faster than it fixes old ones. See the website rebuild.
  • You don't know what's wrong yet — start with the free scan or a Security Health Check audit.
  • You want continuous monitoring — see Managed Services. This is a point-in-time engagement.
  • You need pen-testing — a separate service starting from ~AUD $6,000.
  • You need application-layer code fixes (custom logic bugs) — a development engagement, scoped separately.

IF FIXES AREN'T ENOUGH

When patching costs more than rebuilding

Some sites are too far gone — legacy WordPress with abandoned plugins, dead PHP versions, broken themes. We tell you upfront in the discovery call if that's the case, and quote a security-first rebuild instead.

See website rebuilds

READY TO START

Stop reading reports. Start fixing.

Free 30-min discovery call. We confirm the right tier and scope before any commitment.

Australian businesses only. Payment on engagement — not upfront.

Frequently asked questions

How is this different from the Security Health Check?
The Security Health Check ($2,500) is an audit — we report. Website Security Remediation is execution — we fix. If your free scan returned a fail list and you already know what's wrong, you don't need another report; you need someone to apply the fixes. That's this service. If you're not sure what's wrong yet, run the free scan first or book the Health Check.
What does 'fix' actually mean — is this a config change or a rebuild?
Configuration only. We change web server config (nginx / Apache), DNS records, mail records, and HTTP headers — without changing your application code. If the scan shows your site needs a structural rebuild (legacy WordPress, dead PHP versions, broken theme), remediation isn't the right service — see the website rebuild option.
What if my hosting provider can't apply some fixes?
We assess this in the 30-min discovery call before you commit. Most managed-WordPress hosts and Plesk/cPanel servers support every fix in scope. If your host blocks header changes (rare — some Wix-style sites), we tell you upfront and either skip those items or recommend migration as a separate engagement.
Will my grade actually improve after the fix?
Yes — that's the deliverable. We re-run the same scan after the fixes are applied and send you a before/after report. If the grade hasn't materially improved (e.g. F → C minimum on the Standard tier, F → B on Full), we keep working at no extra cost until it does, or refund the difference.
What about CMS-level fixes — outdated WordPress plugins, etc.?
Out of scope by default — we focus on the configuration layer because that's where 80% of the failed checks live. We can quote CMS hardening (plugin updates, file-permission audit, wp-admin lockdown) as a separate add-on. If your CMS is so out of date that fixing it costs more than rebuilding, we'll tell you and point you at the rebuild service instead.
How long does this take?
Basic tier: 3–5 business days. Standard: 1–2 weeks. Full: 2–3 weeks. The variance comes from how many DNS changes need to propagate (DMARC reporting, MTA-STS, DNSSEC) and whether we're coordinating with a third-party DNS team.