Ongoing Website Maintenance & Management

Moving a live site between hosts is one of those jobs where the difference between a careful engineer and a checklist follower shows up in your analytics the next morning. Migrations under this retainer cover the full move: replica builds on the destination, DNS staged with low TTLs ahead of time, search-and-replace on serialised data, media and uploads synced, and a cutover window chosen against your actual traffic curve.

The primary case is WordPress, moving between Hetzner, DigitalOcean, Cloudways, Kinsta or WP Engine (or off them, onto tuned infrastructure). The same discipline applies to Shopify store-to-store migrations, where theme, apps, Liquid customisations, metafields and DNS cutover all have to land together, and to React / Next.js moves between Vercel, Cloudflare and self-hosted Node, where env vars and secrets have to transfer cleanly alongside the code and the database.

The target is zero downtime and zero lost orders. Where that is not physically achievable, the plan is agreed in writing before we start. Post-cutover, I keep the old environment warm for a rollback window and watch error rates, 404s, and payment flows until everything has settled.

For WordPress, I provision and manage servers on Hetzner, DigitalOcean, Cloudways and the usual managed WordPress hosts. For teams that want the price-to-performance of bare VPS, the typical stack is Docker-composed: Caddy as the edge, PHP-FPM tuned for your workload, MariaDB with sensible innodb settings, and Redis for object and page caching.

Shopify is SaaS, so "infrastructure" shifts meaning. There, the work is theme and app infrastructure: structured sections, Liquid organisation, app choice and app permissions, webhook integrity, and the admin and checkout hardening that a store owner cannot see from the dashboard. For React / Next.js, infrastructure runs across Vercel, Cloudflare and self-hosted Node: runtime configuration, caching strategy, ISR behaviour, and the glue between the front-end and whatever database or content API sits behind it.

If you are already on a managed host, that is fine. A good chunk of this work is knowing when to leave a host alone and when to move off it. The development practice sits behind this, because infrastructure is treated as engineering and not as something to shove at a support ticket.

Beyond default plugins. Server-level hardening, WAF rules, fail2ban, application-level auth checks, secret rotation. What this looks like in practice depends on the stack: plugging a Redis instance that is quietly listening on a public interface, auditing a Shopify app’s scopes before it gets installed store-wide, or catching an env var that made it into a Git commit on a Next.js repo.

For WordPress specifically, that means SSH keys only and no root login, fail2ban tuned against the actual attack patterns your logs show, firewall rules that default-deny, Redis bound to localhost so it never leaks to the internet, and MariaDB users scoped to what they actually need. At the application level, WAF rules (Cloudflare or equivalent) tuned to your site, admin URLs obscured or IP-restricted, login rate-limits enforced server-side rather than via a plugin that can be bypassed, file-integrity monitoring, and a disciplined approach to user roles. XML-RPC and REST surfaces are audited, not just ignored.

Backups that have never been restored are not backups. Under this retainer, backups are scheduled, off-site, encrypted at rest, and tested on a rotation. On WordPress the typical toolchain uses restic against object storage, with S3 for the working set and Glacier for longer retention. Credentials and keys sit separate from the production environment so that a compromised server cannot wipe its own backup history.

Shopify cannot be backed up the way a self-hosted site can, so the work shifts to structured exports of store state: Admin API and GraphQL-Admin pulls of products, variants, metafields, customers and orders, plus CSV exports on a schedule, all kept outside the Shopify account that owns the store. For React / Next.js, backups cover the three surfaces that matter: repo snapshots (usually already via Git, but mirrored), database dumps tested against a clean restore, and media or asset storage kept on the same rotation.

Retention is set against your actual risk: hourly snapshots for databases on commerce sites, daily for content sites, and longer-tail archives for compliance. The important bit is the restore drill. I periodically pull a backup down to a clean environment, bring the site up, and confirm it actually works. That is the only way to know the backups are real.

Most WordPress sites of any age carry at least one bespoke plugin, written by a previous developer, an agency, or the site owner themselves. These are the plugins that break first when WordPress or PHP is updated, and the ones nobody wants to touch. Under this retainer I keep custom plugins compatible with current WordPress, PHP and MySQL/MariaDB versions, rewrite deprecated function calls, patch known vulnerability classes (nonces, capability checks, SQL injection surfaces, unescaped output), and align them with current best practice.

The same attention extends to custom Shopify apps (private or custom public apps built on Remix or Node, with their own webhook handlers and scope requirements) and to React / Next.js modules and integrations, which drift the moment React, Next, Node or any pinned SDK moves a major version. Keeping this code current, rather than rewriting it in a panic two years later, is the whole point of the retainer.

If you have inherited code you are not sure about, I also offer a standalone plugin audit, a structured review of a specific plugin, app or module, or a full site’s plugin load, that either stands on its own or feeds into an ongoing retainer.

Proactively, this means sensible Cloudflare configuration (or equivalent): proxying the origin, firing origin-lock rules so that only the CDN can reach your server, rate-limits on expensive endpoints like search and WooCommerce cart, bot-fight policies tuned to your traffic, and challenge pages set against known-bad ASNs rather than turned up blindly to the point of hurting conversions. On React / Next.js the same model applies, with Cloudflare or Vercel edge rules fronting the app runtime.

Shopify sits behind its own edge, so the equivalent work is bot and checkout-abuse mitigation: carding protection, rate-limits on sensitive endpoints, blocking the script kiddies hammering gift-card lookups, and tightening storefront and admin access where it matters. Same posture, different levers.

Reactively, if you come under an active attack, mitigation is immediate: under-attack mode, tighter rate limits, custom rules against the specific signature, origin hardening, and clear communication while it is going on. Once the attack has stopped, the rules are walked back to a sane steady state rather than left on forever, quietly hurting real users.

Technical SEO health is part of the retainer: crawlability, indexation, structured data, canonical tags, sitemaps, internal linking, and Core Web Vitals as they affect ranking. Search Console is monitored rather than forgotten, and regressions are chased down the same week they appear. On Shopify that means collection templates, canonical handling across variants and tags, and product JSON-LD; on React / Next.js it means SSR or ISR rendering choices, sitemap routes, and canonicals that actually resolve.

Deeper content and keyword work, the kind that actually moves rankings, sits in the Growth tier, where it gets its own monthly hour bucket.

Answer Engine Optimisation and Generative Engine Optimisation make your brand and content legible to ChatGPT, Gemini, Perplexity, Claude and Google AI Overviews. Both are emerging disciplines, not solved ones. Under this retainer they are treated as real work: structured data that models can trust, content rewritten into quotable answer form, explicit entity definitions, and monitoring of which AI surfaces actually cite your site.

It is early, it is genuinely moving, and the honest framing is that: an emerging discipline, covered seriously rather than sold as a finished product. It is included in the Growth and Deluxe tiers.

Retainers include scheduled full website audits at a cadence that fits the tier, typically every quarter. A structured review across performance, security, SEO, accessibility and infrastructure, written up in plain English with prioritised actions, so you always have a current picture of where the site stands and what is worth doing next.