Skip to content
Book Your Audit
Book Your Audit

Fix what’s broken. Harden what isn’t.

Slow sites lose revenue. Compromised sites lose reputation. We improve WordPress performance and security so your site loads fast, stays protected, and neither problem comes back.

Start With the Audit Site compromised right now?
60%+ faster load times 30-point hardening, every time Audit credited on $1.5k+ fixes
4+ Years in
WordPress
100+ Sites
maintained
5
Agency Partner

Performance and security sound like two services. They’re really the same service, done in two directions. Both come down to knowing what’s in your WordPress install, and removing everything that shouldn’t be.

What’s in each half

Performance is subtraction. Security is discipline.

Eight interventions, four per side. Every engagement is scoped from this list - you pick the shape of the problem, we pick the right tools for it.

• Performance

Make it fast, and keep it fast.

A speed project starts with a measurable baseline and ends with a Core Web Vitals pass visible in your own Search Console.

P1

Core Web Vitals tune

LCP, INP, CLS driven into the green. Measurable, reproducible, shown in Search Console within 28 days.

P2

Image & asset optimization

AVIF/WebP conversion, responsive srcset, lazy-loading done right. No more 3MB hero JPEGs.

P3

Database & query cleanup

Revision trim, transient purge, index audit. Your database stops carrying its last three years of dead weight.

P4

Caching & CDN configuration

Server-level cache properly scoped, CDN rules written not assumed, Redis object cache where it earns its keep.

• Security

Close the door. Install the lock.

Start by assuming compromise. End with a clean baseline and a clear plan to keep it that way.

S1

Malware removal

Deep cleanup of infected files. Database scanned for injected code. Clear report of what was found and fixed.

S2

Hardening pass

Tight permissions. Secure headers. XML-RPC off. Rate limits on. 2FA enforced. Small fixes that close big gaps.

S3

WAF & edge rules

WAF tuned to real attack patterns. Generic noise removed. Site-specific rules that block what actually matters.

S4

Monitoring & recovery

Integrity alerts in place. Backups off-site and tested. A written recovery plan so the next incident is controlled.

Hardening checklist · 18 items

The checklist you wish your last developer ran.

Every hardening engagement works through this list. A site that passes all eighteen is genuinely harder to compromise than 95% of WordPress installs in the wild.

Core hardening

  1. File permissions audited (644 / 755)
  2. wp-config.php moved above webroot
  3. Disable file editing in admin
  4. Unique database table prefix
  5. Remove unused themes and plugins
  6. PHP and MySQL on supported versions

Authentication

  1. Enforce 2FA for every admin
  2. Rate-limit + lockout on login
  3. Rename login URL
  4. Disable XML-RPC
  5. Strong-password policy for editors
  6. Audit-log all admin actions

Edge & monitoring

  1. Cloudflare WAF with site-specific rules
  2. Security headers (CSP, HSTS, X-Frame)
  3. File-integrity monitoring
  4. Daily malware scans
  5. Off-site backups, encrypted
  6. Written incident-response runbook

You’ve just noticed you’ve been hacked.

Breathe. This is a fixable problem, and you’re not the first person to find yourself here today. Here’s what we do, in order, for every emergency call.

  1. T + 0

    Contain

    Site put behind maintenance mode so no more visitors hit malicious code. Admin access rotated. Hosting snapshots taken for forensic review before anything is touched.

  2. T + 2h

    Diagnose

    File-system and database scan to find every piece of injected code, back-door user, or modified core file. A written log goes to you as we find each one.

  3. T + 6h

    Clean

    Malicious code removed, core files restored from canonical sources, unknown users purged. Site restored to public with monitoring heightened for 14 days.

  4. T + 48h

    Harden & report

    The full 18-point hardening runs on the cleaned site. You get a written incident report - what happened, how it got in, and exactly what’s changed so it doesn’t happen again.

How we work · Non-emergency engagements

Audit first. Always.

We don’t quote speed work or hardening work sight-unseen. The $299 audit is both the starting point and, often, all a site actually needs.

Step · 01

Audit

Day 0

$299 flat. 30-point scored report in 5 business days. Everything we do next is informed by what the audit surfaces.

Step · 02

Scope

Day 5

A clear, fixed-fee proposal. Here’s what we found, here’s what we’d fix, here’s what we’d leave. No upsell, no scare-tactics.

Step · 03

Execute

Week 1-3

Performance tuning or security hardening, applied to staging, tested, then promoted. Daily Loom updates - you see it happen, not just the invoice.

Step · 04

Verify

Week 4

Core Web Vitals re-measured, security re-scanned, numbers shown against the baseline. A final report documents exactly what changed and why.

Reviews

Have a Look at What Our Clients Have to Say About Us

Terence Critchlow · 3rd+

Break Free from Your Paycheck | Invest Smarter, Reclaim Your Time

WordPress Design
5.0 - December 28, 2024
Nik’s team did a redesign of my website and really opened my eyes as far as what was possible. They took the content I had, which was presented in a very old / dated format, and reworked it to make it more accessible. The result is a website that is more aligned with customer expectations and is easier for them…
Jack Maged. · 3rd+

I help you to reboot pivot or persevere in your career. #careercoach #careeradvise #careerhelp #careerchange

Web Development
5.0 - December 24, 2024
Working with Ninegravity to design and build my website was an exceptional experience. As a demanding client with a challenging concept, I was blown away by their accommodating and patient approach. They consistently went above and beyond to ensure every detail was perfect and brought my vision to life with creativity.
Richard Carey. · 3rd+

Fractional Chief Product Officer and Chief Marketing Officer. Lifelong media entrepreneur. Managing Director of RCDM Studio, designing, building, and managing digital media campaigns that deliver results.

Web Development
5.0 - December 28, 2024
Nik and his team were a pleasure to work with on the Finding Next.guru website build. They’re creative, responsive, organized, and know their stuff. Highly recommended.
Kevin Sparkman · 3rd+

Founder at Sparkman Media LLC

Web Development
5.0 - December 19, 2024
Nik’s team has been responsive to our WordPress development needs during the past couple of years. NineGravity was the first offshore team that we’ve worked with and apart from the anticipated challenges of time difference, projects have been managed smoothly.
Nadia McDowell

Senior Director, Membership & Inclusive Community Programming | #Inclusive100 at She Runs It

- August 13, 2024, Nadia was Nik's client
Nik and his company have done an exemplary job in rebuilding our website and with ongoing maintenance of a site that needed management and work. He and his company took the time to learn all of the nuances of our needs and deployed their team that collaborates with us on a weekly basis. I would highly recommend Nik and his team for any of your web needs without a doubt!.
David C. Garcia

Founder / Creative Director Founder / Creative Director

- July 5, 2024, David C. was Nik's client
Highly professional and consistently exceeding expectations. I am extremely pleased to be collaborating with Nik and the Ninegravity team for web development solutions.
Claudia Estela Ortiz de Dios

Director General at Informática Asociada S. A. de C. V.

- August 8, 2018, Claudia Estela was Nik's client
Efficient and reliable proffesional.nVery kind and attentive in dealing with the client.nHighly recommended.
Carlos Emir Macedo

Support Engineer @ e-Core

- September 19, 2017, Carlos Emir was Nik's client
Working with Nik has always been a pleasure. He is very proactive, efficient and always attainable. Nik has always ensured things have run smoothly even during urgent case as well. I believe Nik is a great Business sales manager, and will continue to progress within his career.
Ricardo Cunha

Project Manager @ Rcons | Scrum Fundation Professional Certificate

- September 5, 2017, Ricardo was Nik's client
True mastery of iconic Information & Technology Industry. he always made himself very approachable. he was always very empathetic and fair while maintaining the statute of client upper management.I had worked with Nik and his team and they are truly experts in the software development & POS.
Michael Gagliardini

Digital Strategist | B2B & B2C eCommerce | Digital Marketing | Social Media Strategy | High Quality Content

- July 31, 2023, Michael managed Nikunj directly
Nik is a very capable technical project manager who understands all areas of digital technology and how to ensure projects keep moving forward. He introduced me to Trello which has been a game changer in my organization
Questions about performance & security

Answered before you ask.

For performance work, yes - we won’t quote tuning without baseline numbers, and the audit is the most honest way to get them. For emergencies (live malware, active breach), the audit is skipped and we start with containment. For straightforward hardening without a known incident, we can skip the audit if you already have a recent one from a credible source.
Performance work starts at $999 for a focused Core Web Vitals tune and runs to around $3,500 for a full rebuild of asset pipelines, caching, and database. Hardening starts at $1,400 for the 18-point pass on a clean site, or $1,800+ for malware cleanup plus hardening on a compromised site. Every engagement is fixed-fee and scoped before you pay.
Yes. If you proceed with a performance or hardening engagement within 30 days of receiving the audit, the $299 is credited against the invoice. No sales pressure - if the audit says the site is fine, we’ll tell you and save you the other fee.
Ideal, actually. Managed hosts handle the infrastructure-level pieces (OS patches, PHP versions) so we can focus on what happens inside your install - which is where ~80% of both performance and security problems actually live.
Yes, and they’re the most measurable work we do. A 500ms improvement on a checkout page has a direct revenue line. We handle WooCommerce, Easy Digital Downloads, and custom checkout flows.
We quote targets conservatively based on what the audit shows is possible. If we miss a target we committed to in writing, we work free of charge until we hit it - or refund the difference. This has happened twice in four years; both times we kept going.

Know what’s actually wrong before you try to fix it.

Five business days, a scored PDF report, and a straight answer. If we can’t help, we’ll tell you who can

Book Your Audit Or jump to the Emergency Lane