BrunoP.Serviços

Service · Security & Data Privacy (LGPD)

Protect your website and comply with LGPD

Vulnerability fixes, hardening, and compliance with LGPD (Brazil's data-protection law), done by a developer and proportional to your business's actual risk. No fear-mongering, and we start with what can be fixed for free.

Protecting a website and complying with LGPD means closing the doors that bots exploit — updates, HTTPS, strong passwords, vulnerability fixes — and, in parallel, being transparent about what data you collect, why, and how visitors can exercise their rights. I start with what can be resolved for free and calibrate the rest to your business's actual risk.

Fear of being hacked and confusion about LGPD: what actually threatens you?

Most attacks on small websites are not someone targeting you personally. They are bots scanning the internet for an open door — outdated software, weak passwords, a known vulnerability that was never patched. According to Patchstack data, 97% of WordPress vulnerabilities in 2023 came from plugins and themes, not the core, and almost 6 in 10 could be exploited without any login at all. Being small does not protect you — having an open door is what matters. (I go deeper on this in the website security guide.)

On LGPD (Brazil's data-protection law), I skip the hype: it does not exempt anyone by company size (Law 13.709/2018 applies from solo operators to large enterprises), but it is not the monster it is often made out to be either. What exists for small businesses is operational flexibility (ANPD Resolution 2/2022), not exemption. If your website has a contact form, WhatsApp link, newsletter, or Analytics, you process personal data and owe transparency: state what you collect, why, and offer a channel for visitors to request access or deletion.

And no, the conversation is not "a million-dollar fine." The R$ 50 million figure is the absolute ceiling per violation; the statutory cap is 2% of the company's Brazilian revenue in its previous fiscal year, and for a small business 2% of a small revenue is a small number. The first ANPD fine, in 2023, was R$ 14,400 against a micro-business, and the Authority's first move is typically a warning with time to correct, not a fine. I would rather explain the real risk than manufacture urgency.

What website protection and LGPD compliance involve

Vulnerability fixes

I identify and fix known vulnerabilities in your website, from the most critical down — prioritizing what an automated attack would exploit first.

Website hardening

I close ports that do not need to be open, enforce strong passwords and two-factor authentication, and block direct access to sensitive files (configuration files, backups, version-control directories), locking the site down before an attack arrives.

HTTPS and security headers

I remove the browser's "Not secure" warning with HTTPS and configure the response headers that close common gaps, such as script injection (XSS) and your site being embedded in an iframe on someone else's page to deceive visitors (clickjacking).
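As an added illustration of the headers above (example code, not the page's own), this PHP function emits a conservative set of security headers. It assumes the site runs on PHP and that `$_SERVER['HTTPS']` reflects the real scheme; the `send_security_headers` name is mine. The Content-Security-Policy shown allows only same-origin scripts, which breaks inline scripts and third-party widgets, so it has to be adjusted to what the site actually loads before going live.

```php
<?php
// Added example, not code from the page: emit the security headers
// described above. Names (security_headers, send_security_headers)
// and the exact policy values are assumptions to be tuned per site.

declare(strict_types=1);

// Returns the header map instead of sending it, so it can be inspected.
function security_headers(bool $https): array
{
    $headers = [
        // Clickjacking: refuse to be embedded in a frame on another origin.
        'X-Frame-Options'        => 'DENY',
        // Stop browsers from "sniffing" a script out of a non-script MIME type.
        'X-Content-Type-Options' => 'nosniff',
        // Do not leak full URLs to third parties.
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        // Turn off browser features the site does not use.
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
        // XSS mitigation: only same-origin scripts, no plugins, no form
        // posting elsewhere; frame-ancestors repeats X-Frame-Options for
        // browsers that honour CSP.
        'Content-Security-Policy' =>
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            . "base-uri 'self'; frame-ancestors 'none'; form-action 'self'",
    ];
    // HSTS is only meaningful once HTTPS works: browsers ignore it over
    // plain HTTP, and sending it before every subdomain serves HTTPS can
    // lock visitors out of those subdomains for max-age seconds.
    if ($https) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

// Must run before any output is sent.
function send_security_headers(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    foreach (security_headers($https) as $name => $value) {
        header($name . ': ' . $value);
    }
}

// On WordPress, hook it into the core 'send_headers' action:
// add_action('send_headers', 'send_security_headers');
```

After deploying, load the site with the browser's developer tools open and confirm the headers appear on every response, including error pages and static files served by PHP; anything served directly by the web server needs the same headers configured there.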

Hacked-site cleanup

Site down, defaced, or flagged as "deceptive" by Google? I remove the malware, close the gap that let the attacker in, and restore what I can — so they do not come back the following week.

LGPD compliance

The privacy policy (the standard way to fulfill LGPD's transparency obligation), the correct legal basis for each data collection, and the opt-in cookie banner the ANPD recommends. I start with my free generator, PolicyForge.

Anti-spam without CAPTCHA

I block automated bot submissions from your forms using honeypot and time-trap techniques (a hidden field that humans never fill, plus a check that the form was not submitted seconds after it was rendered), without forcing visitors through an annoying CAPTCHA that drives them away.
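The combination described above, as an added PHP example (not the page's code): a CSS-hidden honeypot field plus a stateless time trap, where the render time is embedded in an HMAC-signed token so the server can verify it without storing anything per visitor. The field names `website` and `ft`, the `FORM_SECRET` value, and the 3-second and 24-hour thresholds are assumptions.

```php
<?php
// Added example, not code from the page: honeypot + time-trap check for a
// form handler. Assumed names: "website" (honeypot field), "ft" (signed
// timestamp), and a long random secret kept server-side.

declare(strict_types=1);

const MIN_FILL_SECONDS = 3;      // humans almost never submit faster
const MAX_FORM_AGE     = 86400;  // a token older than a day is stale

// Token to embed when the form is rendered: "<unix time>.<hmac>".
function form_token(string $secret, int $issued): string
{
    return $issued . '.' . hash_hmac('sha256', (string) $issued, $secret);
}

// Verify the token and return the render time, or null if forged/malformed.
function token_issued_at(string $token, string $secret): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], $secret);
    // hash_equals() compares in constant time, so the MAC cannot be
    // guessed byte by byte from response timing.
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// Returns why the submission looks automated, or null if it passes.
function bot_reason(array $post, string $secret, int $now): ?string
{
    // Honeypot: hidden with CSS, so a person never types in it; bots that
    // fill every input they find do.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $issued = token_issued_at((string) ($post['ft'] ?? ''), $secret);
    if ($issued === null) {
        return 'missing or forged token';
    }
    $elapsed = $now - $issued;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > MAX_FORM_AGE) {
        return 'token expired';
    }
    return null;
}

// Markup to place inside the <form>. The wrapper is hidden via CSS
// (e.g. .hp { position:absolute; left:-9999px }), not type="hidden",
// because many bots deliberately skip type="hidden" inputs.
function honeypot_fields(string $secret): string
{
    $token = htmlspecialchars(form_token($secret, time()), ENT_QUOTES, 'UTF-8');
    return '<div class="hp" aria-hidden="true">'
         . '<label>Website <input type="text" name="website" tabindex="-1" autocomplete="off"></label>'
         . '</div>'
         . '<input type="hidden" name="ft" value="' . $token . '">';
}

// Constructed demonstration data (not real requests):
$secret = 'replace-with-a-long-random-secret';
$issued = 1700000000;
$token  = form_token($secret, $issued);

$human = ['name' => 'Ana', 'website' => '', 'ft' => $token];
$bot   = ['name' => 'x', 'website' => 'http://spam.example', 'ft' => $token];

var_dump(bot_reason($human, $secret, $issued + 10)); // passes
var_dump(bot_reason($bot,   $secret, $issued + 10)); // honeypot
var_dump(bot_reason($human, $secret, $issued + 1));  // too fast
```

Because the token is signed, a bot cannot back-date it to skip the wait, and because nothing is stored per visitor the check costs nothing on busy pages. Accessibility matters: the honeypot is labelled, removed from tab order and marked `aria-hidden` so screen-reader users are not tricked into filling it.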

Why hire a developer for security and LGPD instead of just a plugin?

I do not sell compliance consulting driven by fear. I am a full-stack developer who does security by hand, in the code. I built VulnGuard, a system that organizes vulnerability remediation and calculates the severity of each issue using the CVSS score (0 to 10), with automatic deadlines — critical in 24h, high in 7 days. And I built PolicyForge, an LGPD privacy-policy generator that is free, and will stay free.

My differentiator is protection proportional to your business's actual risk. A simple blog does not need the same apparatus as a store that stores payment data. I start with what is free or cheap, tell you straight what you can handle yourself, and only charge for what genuinely requires technical hands — code fixes, server configuration, hardening.

Being honest about limits: no one delivers a "100% secure" or "hacker-proof" website, and anyone who promises that is selling you a story. Security is defense in layers — keep everything updated, strong passwords, HTTPS, backups, monitoring. And complying with LGPD reduces risk and can work in your favor if something goes wrong: whoever showed good faith and was organizing their data practices is treated more leniently by the ANPD. But no document alone guarantees compliance — what counts is real practice.

How I work, in practice

1

Assessment and scan

I look at your website from the outside and the inside: what is outdated, known vulnerabilities, whether HTTPS is active, how forms behave, and what data you collect. I come out with a list prioritized by actual risk, not by scare factor.

2

Fix and harden

I fix vulnerabilities from most critical to least, update what needs updating, configure HTTPS and security headers, and close the open doors. The technical work that blocks the vast majority of automated attacks.

3

LGPD compliance

I publish the privacy policy (starting from the free PolicyForge) as the way to fulfill the transparency obligation, define the correct legal basis for each data collection — it is not always consent —, adjust the cookie banner, and set up the channel for visitors to exercise their rights.

4

Monitoring and maintenance

I configure automatic off-server backups and monitoring of changes and logins. Security is not a one-time service: updates are ongoing, and I agree with you on how to maintain the standard after I hand things over.

Not just theory

Security is not just something I talk about — I build the tools. These are products I created and use in my own day-to-day work:

What it costs

There is no fixed price list because it depends on what your website actually needs — and part of it is usually free. You generate the privacy policy yourself on PolicyForge at no cost, and I can teach you to handle several things directly (enabling HTTPS, updating plugins). I charge for the technical work: vulnerability fixes, server hardening, header configuration, and hacked-site cleanup. What I guarantee is predictability — after the assessment you receive a fixed quote (agreed upfront) before any work begins, always starting with what reduces the most risk for the least spend.

Frequently asked questions

Do I really need to worry about LGPD as a small business?

Yes, but take a breath. LGPD does not exempt anyone by size — if your website has a form, WhatsApp link, newsletter, or Google Analytics, you process personal data and the law applies. What exists for small businesses is operational flexibility (ANPD Resolution 2/2022), provided you qualify as a small-scale data processor and do not engage in high-risk processing: you are not required to appoint a DPO (a contact channel is enough) and you get double the response time. The core obligations remain: state what you collect, why, and offer a channel for visitors to request access or deletion. It is not as scary as it sounds.

How much does it cost to secure my website and comply with LGPD?

It depends on the size of the risk. A simple business blog with only a contact form is one scope; a store that stores payment data is another, much larger one. Part of it is free — you generate the privacy policy in my PolicyForge at no charge, and I can walk you through enabling HTTPS or updating plugins. I charge for the technical work: vulnerability fixes, hardening, security headers, post-breach cleanup. I run the assessment, show you what is free and what requires my hands, and send a fixed quote (agreed upfront) before we start.

Is my WordPress website secure?

WordPress itself is not inherently insecure; the problem is almost never the core. According to Patchstack, 97% of WordPress vulnerabilities in 2023 came from plugins and themes, with only 0.2% from the core. The real risk is what you install on top and leave outdated. Keeping everything updated, removing plugins you do not use, using strong passwords and enabling two-factor authentication already locks most doors. It is not WordPress that exposes you; it is neglecting it.

Can you make my website 100% secure, hacker-proof?

No, and be suspicious of anyone who promises that. Absolute security does not exist — no website is "bulletproof" or "impenetrable"; that is sales talk. What can be done, and it is a lot, is defense in layers: keep everything updated, strong passwords with two-factor authentication, HTTPS, off-server backups, and monitoring. That reduces risk to a level that blocks the overwhelming majority of automated attacks — which are exactly the ones that threaten a small website.

If I do not comply with LGPD, will I get a million-dollar fine?

Almost certainly not, and anyone using that number to scare you is exaggerating. The R$ 50 million figure is the absolute ceiling per violation; the statutory cap is 2% of the company's Brazilian revenue in its previous fiscal year, and for a small business 2% of a small revenue is a small number. The first ANPD fine, in 2023, was R$ 14,400 against a micro-business, and the Authority only began applying fines after its sanctions regulation came into force in February 2023. The first response is typically a warning with time to correct, and being organized works in your favor. The risk is real, but it is gradual, not a manhunt.

My website was hacked — can you clean it up and recover it?

Yes, and that is one of the most common reasons people call me urgently. I remove the malware, identify and close the gap that let the attacker in (otherwise they come back the following week), and restore the site from a clean backup when one exists. If your website stores sensitive data or payment information, recovery is not the time to try it alone: the first step is changing all passwords and reviewing who has administrator access. Contact me and I will handle the rest.

How do VulnGuard and PolicyForge fit into the service?

They are tools I built myself and use in my work. PolicyForge is a free LGPD privacy-policy generator — it is where I start the compliance side, at no cost to you for the document. VulnGuard organizes vulnerability remediation: it takes the findings, calculates severity using the CVSS score (0 to 10), and automatically sets the deadline for each fix. To be clear: VulnGuard manages and tracks the deadlines, but I am the one who actually fixes the vulnerability, by hand.

Ready to protect your website and comply with LGPD?

It starts with a free assessment call. I look at your website, show you exactly what is exposed, what you can fix yourself for free, and what is worth having me do — always proportional to your business's actual risk. If you want to take the first step right now, generate your privacy policy on the free PolicyForge. Then just reach out.