GMTekSecurity & Web · Austin, TX
Work & Approach

When a small business site gets hacked, exposed, or left behind — we fix it, and prove it's fixed.

GMTek does WordPress security and modern site builds for local small businesses: malware cleanups that actually stick, pre-launch security audits, hardening, and fast mobile-first sites with real lead capture.

Fixed-fee, not hourly Written authorization before we touch anything Every change has a rollback
What we do

Productized, fixed-fee services

Clear scope, a clear number, a real deliverable. No surprise hourly bills.

Security Audit

$350 flat

Read-only review of your live site. Prioritized, plain-English report of every risk and the exact fix. The easiest place to start.

Lockdown & Hardening

$450 flat

Close the doors before trouble: updates, forced SSL, security headers, login hardening, off-site backups — with a runbook of what changed and why.

Emergency Cleanup & Eviction

$900–1,500

Site hacked or reinfecting? We find every foothold, evict in an order that survives self-heal, close the entry point, and prove it's gone.

Security Care

$99–200/mo

The site stays clean: monthly updates, backups, malware scans, uptime & SSL monitoring, and a short health note. Attaches to any build or cleanup.

Also: modern mobile-first website builds ($1–3k) with lead-capture forms and local-business SEO — secure from day one.

Representative engagements

How we handle real problems

A look at the kind of work GMTek does and the methodology behind it. Client names and identifying details are withheld; outcomes and technical approach are shown as-is.

Incident Response · Reinfection Eviction

“We deleted the hacked file and it came back.”

A small dental practice's WordPress brochure site had been cleaned once — the owner's helper deleted a webshell and a mystery admin user — and the infection reappeared within a week. The host kept flagging a malicious file no one could find.

Outcome
Identified 7 persistence footholds and 3 independent self-healing re-creators all feeding off one payload stored in the database — then evicted them in an order that prevented respawn, closed the entry vector, and verified 0 reinfections across a full cycle.

The prior "cleanup" removed only the two visible pieces and left every mechanism that rebuilt them — a plugin object-injection entry point, a cron dropper, a hidden dot-file webshell, a look-alike core file, and a theme hook that recreated the admin on every page load. The fix was the order: source and re-creators before the artifacts they rebuild.

Stack: WordPress · nginx · PHP-FPM Role: Forensics, eviction, proof-of-eradication 6 Critical 1 High
Pre-Launch Security Audit

A booking site about to spend on ads — with the keys to the business exposed

A small tour-booking company was ready to drive paid traffic to a new website. A source-level security review before launch found the site was publicly serving its own production secrets.

Outcome
7 issues found (1 Critical, 3 High, 3 Medium) before a dollar was spent on ads — including live payment & email API keys downloadable by anyone, and a staff portal with no login exposing real customer bookings. Each pinned to an exact file, with the specific fix and a priority order.

Delivered as a plain-English report an owner can act on and a developer can execute: rotate the burned credentials today, put the portal behind real authentication, fix a reflected XSS, set security headers, and clean recon-leaking source comments. Scope boundaries and confidence stated honestly — no scanner spray, no crying wolf.

Stack: Static site · staff portal · Stripe/SendGrid keys · CSP/headers Role: White-box security review & report 1 Critical 3 High 3 Medium
Full Incident Engagement

Compromised store: contain, notify, harden — end to end

A small e-commerce WordPress site was compromised. GMTek ran the whole engagement: find what happened, contain it safely, advise the owner on obligations, and harden against a repeat.

Outcome
7 indicators of compromise traced to exact files and log lines, contained in a safe order (persistence before the account it respawns), plus honest breach-notification guidance scoped to the actually-affected records and a verify-by-observation hardening runbook with rollbacks.

Just as important: what was not an incident. Legitimate owner logins and a routine plugin auto-update were correctly cleared instead of inflated into alarms — the difference between a report a client can trust and one that cries wolf.

Stack: WordPress · WooCommerce Role: IR lead · containment · client comms · hardening Contained, notified, hardened
Website Build · Lead Capture

Local service business with no working site → a mobile-first one that books

Local businesses that live on a dead link, a platform listing, or a decade-old page lose customers who search on their phones. GMTek builds tailored single-page sites that load fast and turn visitors into inquiries.

Outcome
A fast, mobile-first site with the business's real photos, an estimate/booking request form, and valid LocalBusiness structured data so it shows up correctly in search — deployed on a modern, secure host with SSL from day one.

Built as a real preview the owner can see before committing, then grown into the full site and an ongoing care plan on the first yes.

Stack: HTML · Tailwind · Cloudflare Pages · JSON-LD Role: Design · build · deploy · care Live & lead-ready
How we work

Careful by default

Security work on a live business site is trust work. Here's the discipline behind every engagement.

1

Authorize first

Written authorization and scoped access before anything is touched. We contain before we change.

2

Prove, don't guess

Every finding is pinned to an exact file, line, or log entry — evidence, not a scanner's opinion.

3

Order that holds

Evict in a sequence that can't respawn behind us, and close the entry point so it can't happen again.

4

Rollback on every step

Safe-deploy discipline: verify by observation, and a way back if anything on a live site misbehaves.

Note: the engagements above are shown as representative of GMTek's methodology and capability. Client names, domains, and any real data are withheld; technical approach and outcomes are described as performed.

Not sure how bad it is? Find out free.

A 10-minute look at your site and an honest answer: what's wrong, how urgent it is, and what it would take to fix. No pressure, no jargon.