Service 04 of 05 · Two halves, one service

Speed tuning for sites that should be faster.
Hardening for sites that should have never been opened.

One-time interventions, fixed scope, fixed fee. Most engagements start with the $299 audit — the fastest way for us to see exactly what’s wrong before we start fixing it.

• Performance
From a 3.8s LCP to 1.2s, on average.
PageSpeed: 41 → 96 · LCP: 3.8s → 1.2s · CLS: 0.24 → 0.01
• Security
Zero re-infections on sites we’ve hardened.
Incidents resolved: 48 · Median cleanup: 6 hours · Re-infection rate: 0%

96 · Avg PageSpeed post-tune
−68% · Avg LCP reduction
48 · Security incidents resolved, 2024–25
0% · Re-infection rate (post-hardening)
6hr · Median malware cleanup time

Performance and security sound like two services. They’re really the same service, done in two directions. Both come down to knowing what’s in your WordPress install, and removing everything that shouldn’t be.

What’s in each half

Performance is subtraction. Security is discipline.

Eight interventions, four per side. Every engagement is scoped from this list — you pick the shape of the problem, we pick the right tools for it.

• Performance

Make it fast, and keep it fast.

A speed project starts with a measurable baseline and ends with a Core Web Vitals pass visible in your own Search Console.

P1

Core Web Vitals tune

LCP, INP, CLS driven into the green. Measurable, reproducible, shown in Search Console within 28 days.

P2

Image & asset optimization

AVIF/WebP conversion, responsive srcset, lazy-loading done right. No more 3MB hero JPEGs.

P3

Database & query cleanup

Revision trim, transient purge, index audit. Your database stops carrying its last three years of dead weight.

P4

Caching & CDN configuration

Server-level cache properly scoped, CDN rules written not assumed, Redis object cache where it earns its keep.

• Security

Close the door. Install the lock.

A security project starts with the assumption that something’s already wrong and ends with a clean baseline plus a plan for keeping it clean.

S1

Malware removal

Forensic cleanup of infected files, database scan for injected code, and a report of exactly what was found where.

S2

Hardening pass

File permissions, secure headers, disabled XML-RPC, login rate limiting, 2FA rollout. Twelve small things, one large outcome.

S3

WAF & edge rules

Cloudflare WAF tuned to your site’s actual attack surface. Generic rulesets ignored in favour of site-specific rules that actually help.

S4

Monitoring & recovery

File-integrity alerts, off-site backups tested monthly, a written recovery runbook so the next incident isn’t a panic.

Before / After · Last 12 engagements

Numbers from real projects, not a case-study slide.

Each row is a real site, anonymized. We publish the median — not a cherry-picked best case.

| Project | Industry | PageSpeed | LCP | Engagement | Cost |
|---|---|---|---|---|---|
| #P-41 | Hospitality | 38 → 96 | 4.2s → 0.9s | Perf tune | $1,800 |
| #P-39 | B2B SaaS | 52 → 98 | 3.1s → 1.0s | Perf tune | $2,400 |
| #P-37 | Editorial | 61 → 97 | 2.6s → 1.1s | Perf tune | $1,600 |
| #S-29 | E-commerce | | | Malware cleanup + harden | $2,200 |
| #S-27 | Membership | | | Full hardening, no infection | $1,400 |
| #P-36 | Legal | 44 → 93 | 3.9s → 1.3s | Perf + harden combo | $3,200 |
| #S-25 | Hospitality | | | Post-infection forensics | $2,800 |
| #P-33 | Non-profit | 58 → 95 | 2.9s → 1.2s | Perf tune | $999 |

Hardening checklist · 18 items

The checklist you wish your last developer ran.

Every hardening engagement works through this list. A site that passes all eighteen is genuinely harder to compromise than 95% of WordPress installs in the wild.

Core hardening

  1. File permissions audited (files 644 / directories 755)
  2. wp-config.php moved above webroot
  3. Disable file editing in admin
  4. Unique database table prefix
  5. Remove unused themes and plugins
  6. PHP and MySQL on supported versions

Authentication

  1. Enforce 2FA for every admin
  2. Rate-limit + lockout on login
  3. Rename login URL
  4. Disable XML-RPC
  5. Strong-password policy for editors
  6. Audit-log all admin actions

Edge & monitoring

  1. Cloudflare WAF with site-specific rules
  2. Security headers (CSP, HSTS, X-Frame-Options)
  3. File-integrity monitoring
  4. Daily malware scans
  5. Off-site backups, encrypted
  6. Written incident-response runbook
Emergency Lane · live

You’ve just noticed you’ve been hacked.

Breathe. This is a fixable problem, and you’re not the first person to find yourself here today. Here’s what we do, in order, for every emergency call.

  1. T + 0

    Contain

    Site put behind maintenance mode so no more visitors hit malicious code. Admin access rotated. Hosting snapshots taken for forensic review before anything is touched.

  2. T + 2h

    Diagnose

    File-system and database scan to find every piece of injected code, back-door user, or modified core file. A written log goes to you as we find each one.

  3. T + 6h

    Clean

    Malicious code removed, core files restored from canonical sources, unknown users purged. Site restored to public with monitoring heightened for 14 days.

  4. T + 48h

    Harden & report

    The full 18-point hardening runs on the cleaned site. You get a written incident report — what happened, how it got in, and exactly what’s changed so it doesn’t happen again.

How we work · Non-emergency engagements

Audit first. Always.

We don’t quote speed work or hardening work sight-unseen. The $299 audit is both the starting point and, often, all a site actually needs.

Step · 01

Audit

Day 0

$299 flat. 30-point scored report in 5 business days. Everything we do next is informed by what the audit surfaces.

Step · 02

Scope

Day 5

A clear, fixed-fee proposal. Here’s what we found, here’s what we’d fix, here’s what we’d leave. No upsell, no scare-tactics.

Step · 03

Execute

Week 1–3

Performance tuning or security hardening, applied to staging, tested, then promoted. Daily Loom updates — you see it happen, not just the invoice.

Step · 04

Verify

Week 4

Core Web Vitals re-measured, security re-scanned, numbers shown against the baseline. A final report documents exactly what changed and why.

What clients say

Quieter logs, faster pages.

Malware recovery
“They had the site back up in four hours and sent me a forensic report I could actually read. The old developer would still be “investigating”.”
Yara D.
Founder · D2C wellness brand
Performance tune
“Organic signups went up 22% in the month after the perf work. Same traffic, faster pages. The math writes itself.”
Pete K.
Growth lead · Dev-tools SaaS
Hardening engagement
“I don’t really understand what they did, but my Cloudflare bot traffic graph is a different shape now. And the audit log is silent.”
Renée B.
Director · Arts non-profit
Questions about performance & security

Answered before you ask.

For performance work, yes — we won’t quote tuning without baseline numbers, and the audit is the most honest way to get them. For emergencies (live malware, active breach), the audit is skipped and we start with containment. For straightforward hardening without a known incident, we can skip the audit if you already have a recent one from a credible source.
Performance work starts at $999 for a focused Core Web Vitals tune and runs to around $3,500 for a full rebuild of asset pipelines, caching, and database. Hardening starts at $1,400 for the 18-point pass on a clean site, or $1,800+ for malware cleanup plus hardening on a compromised site. Every engagement is fixed-fee and scoped before you pay.
Yes. If you proceed with a performance or hardening engagement within 30 days of receiving the audit, the $299 is credited against the invoice. No sales pressure — if the audit says the site is fine, we’ll tell you and save you the other fee.
Ideal, actually. Managed hosts handle the infrastructure-level pieces (OS patches, PHP versions) so we can focus on what happens inside your install — which is where ~80% of both performance and security problems actually live.
Yes, and they’re the most measurable work we do. A 500ms improvement on a checkout page has a direct revenue line. We handle WooCommerce, Easy Digital Downloads, and custom checkout flows.
We quote targets conservatively based on what the audit shows is possible. If we miss a target we committed to in writing, we work free of charge until we hit it — or refund the difference. This has happened twice in four years; both times we kept going.
Start here

Know what’s actually wrong
before you try to fix it.

Every non-emergency performance and security engagement starts with the $299 audit. Five business days, a scored PDF report, and a straight answer. If we can’t help, we’ll tell you who can.

  • $299 refunded into any engagement
  • Fixed-fee quotes, no hourly billing
  • Target-or-refund guarantee in writing