Hardening WP with Changehat

Presented at BSides Austin 2017, May 4, 2017, 4 p.m. (60 minutes)

Using AppArmor to lock down an application to a specific profile is well explored, but it's relatively rare to see an application integrate deeply enough to use changehat throughout its lifecycle. In this talk we will explore an analysis of what resources WordPress needs to handle various use cases, how to instrument WordPress to trigger just-in-time changes to processes and sessions to be more granular about maintaining least privilege, and how well this has worked against drive-by attackers in practice.

