Service / 04
We update, back up, monitor, and patch your WordPress site every week so a stale plugin never takes your business offline. Senior team handling every update on a staging mirror first, then rolling to production after smoke tests. Transparent pricing, no long-term contracts.
What it unlocks
Built for businesses that depend on their WordPress site (ecommerce, lead generation, content publishing) and cannot afford a Monday morning when the site is down and nobody knows why.
Capabilities
Engagement rhythm
Onboarding audit
Weekly maintenance cycle
Monthly performance review
Quarterly strategic review
What we do
Core, plugins, and themes updated weekly on a staging mirror, smoke-tested for visual regressions, then rolled to production. We catch the breaking changes; you do not. If a plugin update breaks something on staging, we roll back, investigate, and either find a workaround or wait for the next release. Production never sees the break.
Encrypted backups taken nightly to two separate servers (geographically separated), 30-day retention, one-click restore. Quarterly tested restore so we know it actually works. Backup-without-restore-testing is theatre; we test.
24/7 vulnerability scanning, firewall enforcement, hardened login (2FA, brute-force protection, login URL obfuscation), and malware removal included. We patch known CVEs as they land, not when you notice. Most WordPress compromises happen through unpatched plugins; weekly updates plus active CVE monitoring closes the window.
Site checked every 60 seconds. We are notified before you are. Office-hours response SLA on all tiers, faster response on the upper tiers when you cannot afford a 2-hour wait. Outages get triaged, root-caused, and resolved with a written incident report after the fact.
Caching tuned, images compressed, CDN optimised, monthly Lighthouse and Core Web Vitals audit. Slow sites lose conversions and slip in rankings; we do not let yours drift. If a recent plugin install has tanked CWV, we flag it and propose either configuration or replacement before it costs you organic traffic.
Included support time per tier for content edits, image swaps, copy updates, and small development tasks. No emails into a void: we tell you what we did, when, and why. Anything outside the included time is quoted ahead of time, not surprise-billed.
How an engagement runs
Audit of your current WordPress site: plugin inventory, theme audit, hosting profile, security posture, backup state, performance baseline. We document what is there, what is outdated, what needs immediate attention, and the catch-up work needed to bring the site to a maintainable baseline before the weekly cycle kicks in.
Every week: core, plugin, and theme updates on staging, smoke-test, rollout to production. Backup verified. Security scan. Uptime monitor reviewed. Any flagged issues triaged. You get a short weekly report (what was updated, what was caught, what was deferred and why).
Monthly Lighthouse and CWV audit. Plugin load impact reviewed. Any creeping performance regression flagged with a proposed fix. If something has tanked, we say so and propose action; no silent drift.
Every 90 days: plugin audit (which can be removed, which need replacing), security posture review (any CVE patterns to flag), hosting tier review (whether your traffic has outgrown the current tier), backup restore test. The work that prevents the 'why is everything broken' conversation in year three.
The lay of the land
Most WordPress sites that go down do not go down because of an external attack. They go down because a plugin updated to a version that conflicts with another plugin, the WordPress core auto-updated overnight, a theme update silently broke a custom field, or the hosting account ran out of disk because backups were piling up and nobody noticed. The common thread is: no one was watching, and nothing was tested before it hit production.
Proper WordPress maintenance is unglamorous and continuous. Weekly updates handled on staging first (so production never sees the break). Daily backups with quarterly tested restores (so you know recovery works). Security patches as CVEs land (so the window between disclosure and patch is minimised). Uptime monitoring on 60-second intervals (so you find out from us, not from a customer). None of this is exciting. It is what stops your business from finding out about a problem at 11pm on a Sunday.
The other failure mode is the cheap maintenance retainer that nobody actually does the work on: a cut-rate fee, plugins updated when the developer remembers, no staging, no backup verification, no security scanning. It looks like you have maintenance until something breaks, and then it turns out the last backup was three months old, the staging environment never existed, and the developer is on holiday. We do not run that retainer. Real maintenance work costs real money; we are direct about scope and what is included.
FAQ
Tiered by site complexity, plugin count, backup frequency, and response SLA. Small content or service sites with low complexity sit at the entry tier; WooCommerce, high-traffic, or business-critical sites move up. The onboarding audit ends with a specific quote based on your site, not a generic price list.
No. Rolling monthly. Cancel any time with 30 days notice. The work is the work; we do not lock you in. If we have not earned the next month's fee, you should not pay it.
Caught on staging before it goes to production. If we cannot find a fix, we hold the update and wait for the next release of the plugin, the next release of WordPress, or a compatibility patch. We log the held update in the weekly report so you can see what is pending and why. Production sees only updates that have been tested clean.
Yes, with extra care. WooCommerce updates need more careful staging testing because the plugin ecosystem (payment gateways, shipping plugins, subscription plugins) often lags behind core WooCommerce releases. We hold updates that risk breaking checkout or order flow until the dependent plugins catch up.
Malware removal is included on all tiers. Compromise investigation, hardening, restore from clean backup, and documenting the entry vector so the same path is closed are all part of the response. We do not charge extra for an incident the maintenance was meant to prevent (although a malicious actor exploiting a zero-day before any patch existed is not on us, and we will be honest about which side of that line an incident sits).
Yes. Onboarding audit covers the catch-up work needed to bring the site to a maintainable baseline. Sometimes that is light (modern site, well-maintained, just needs the discipline added); sometimes that is heavy (years of neglected plugin updates, no backups, soft compromise). We quote the catch-up separately so the monthly retainer reflects steady-state work, not catch-up debt.
Office-hours response on all tiers (within 4 hours during 8am-5pm SAST weekdays). Upper tiers add faster response and out-of-hours coverage when downtime cost is high enough to justify it. Outage triage starts immediately when the monitor catches it, regardless of tier.