Platforms · WordPress
WordPress Maintenance & Management
Senior WordPress and WooCommerce infrastructure, security, and performance, under SLA, from Cape Town.
PHP, MySQL, Redis, DNS, and whichever plugin got updated at the wrong time, treated as one system rather than five unrelated tickets. One engineer accountable for the lot.
Why TurboPress for WordPress
Most WordPress problems are not really WordPress problems. They are PHP, MySQL, Redis, caching, or DNS problems that happen to be hosting a WordPress site. Treat them as the former and you end up installing more plugins; treat them as the latter and you actually fix the site.
Plugin sprawl and automated "maintenance services" tend to hide problems rather than solve them. Weekly update emails and green-tick dashboards are a poor substitute for someone reading the logs. This practice is the opposite: fewer moving parts, honest measurement, and work that reduces risk over time rather than adding to it.
You get senior engineering, not a helpdesk ticket queue. A direct line to the person doing the work, who already knows your stack, your history, and which of your plugins should not be trusted near production.
What I actually do for WordPress sites
Stacked by discipline, not by plugin. Each area below is ongoing work, not a tick-box.
Performance
PHP-FPM tuned against your actual workload (pool sizing, process manager, memory limits, request timeouts), MySQL and MariaDB query work where the slow log is read rather than ignored, and object caching in Redis or Memcached wired correctly so that cache hits are real and not a placebo.
Page caching strategy sits above that: sensible full-page caching, smart invalidation on content and commerce events, and a CDN configured to do the heavy lifting at the edge. Core Web Vitals are measured from the field, not a lab, and regressions are chased down the week they appear.
Security
Server hardening (SSH keys only, default-deny firewalls, fail2ban tuned against your actual log patterns), WAF rules tuned to your site rather than copy-pasted, and Redis exposure checks so the in-memory store is never listening on a public interface.
Plugin and theme audits before anything new gets installed, login hardening at the server rather than via a plugin that can be bypassed, and secret hygiene across the repo, the environment, and any CI pipeline that ever touches the codebase.
Infrastructure
Xneelo, Hetzner, DigitalOcean, and Cloudways for teams that want a managed surface, and self-managed Docker stacks for teams that want full control. The typical bare-VPS stack is Caddy at the edge, PHP-FPM tuned for the workload, MariaDB with sensible innodb settings, and Redis for object and page caching.
The job includes knowing when to leave a host alone and when to move off it. A lot of production WordPress estates are overpaying for slow shared hosting; a fair number are underpaying for infrastructure that has started silently losing data. Both are solvable problems.
WooCommerce specifics
Checkout performance under real traffic, subscription handling that does not silently drop renewals, and payment gateway integration with South African and international processors. When order volume grows past what the default Woo schema handles comfortably, the work moves to query optimisation, index review, and careful use of custom tables or HPOS.
Post-purchase flows, tax and shipping rule integrity, and the reconciliation between Woo order state and whatever accounting or ERP system sits behind it all count as part of the retainer, because that is where real revenue lives or leaks.
Custom development
Plugin maintenance for the bespoke code every long-lived site carries: rewriting deprecated function calls, patching known vulnerability classes (nonces, capability checks, SQL injection surfaces, unescaped output), and keeping compatibility with current WordPress, PHP, and MySQL or MariaDB versions.
Bespoke integrations with third-party APIs, webhooks, and internal systems, plus headless front-ends built in Next.js or React against the WP REST API or GraphQL. Headless moves are planned carefully, not sold as a panacea, and the retainer continues to cover the WordPress back-end once the new front-end goes live.
What this looks like in practice
Anonymised engagement notes. Client names withheld; technical detail preserved.
WooCommerce payment gateway plugin audit
A WooCommerce payment gateway plugin used across South African merchants was audited for security and best-practice compliance. The engagement surfaced eighteen findings across input validation, authorisation checks, error handling, and safe data exposure. Output was a prioritised report with a remediation path for each finding.
Performance rescue under aggressive crawler load
A high-traffic WordPress site was brought to a standstill when a third-party indexer began hammering the origin faster than PHP-FPM could serve requests. Mitigation combined edge rate-limiting, PHP-FPM worker tuning, and origin-side protections, which kept the site responsive without blocking legitimate traffic.
Membership site cache stampede and Redis exposure
A membership site was bleeding performance to a WP Rocket cache preload stampede. The cache warmer was hitting the database harder than the site’s actual users. During investigation, a separate Redis instance was found accepting connections from the public internet with no authentication. Both issues were resolved in the same engagement.
Subscription platform migration
A subscription and membership site migrated from Paid Memberships Pro to WooCommerce Subscriptions, preserving active memberships, billing cycles, and historical transaction records across thousands of members. Downtime was kept to minutes, not hours.
MariaDB redo log recovery
A production MariaDB instance was left unable to start after a failed innodb_log_file_size change corrupted the redo log. Recovery was completed without restoring from backup, preserving in-flight writes that would otherwise have been lost.
The retainer model
WordPress retainers typically budget hours across PHP and database work, WooCommerce specifics, custom plugin maintenance, and migration prep, with the exact mix shifting month to month depending on what the site throws off. Round-the-clock availability sits underneath the agreement, because production sites fail on their own schedule.
The full tier comparison, ZAR pricing, and SLA text sit on one dedicated page.
Ready to hand the infrastructure side over?
The fastest read on a WordPress site is a written audit. The fastest read on whether we match as engineer and client is a short call.