WordPress powers 43% of the internet — which also makes it the single most targeted platform by hackers, malware injectors, and automated bots. Every day, tens of thousands of WordPress websites are compromised. Not just large enterprise sites — small business websites, local service providers, and e-commerce stores are targeted constantly because they are less likely to have security measures in place.
A hacked website does not just cause downtime. It gets blacklisted by Google, loses its search rankings overnight, exposes your customers’ data, and destroys the trust you have spent years building. A slow website does not just frustrate visitors: Google’s Core Web Vitals directly affect your search rankings. An unupdated plugin is not just outdated; it is an open door for attackers.
At WordPress97, our Security Expert and Migration & Hosting Expert work together to keep every website we manage protected, performant, and professionally maintained. We have removed malware, resolved security incidents, and brought hacked websites back to full health for clients including premier-allergy.com and mensweddingbands.com — often within 24 hours of the incident being reported.
Understanding what you are protecting against is the first step in building a defence. These are the most frequent security incidents we deal with — and every one of them is preventable with the right maintenance plan in place.
Malicious code injected into your WordPress files or database, redirecting visitors to spam sites, stealing form data, or serving ads without your knowledge. Often enters through outdated plugins or themes.
Automated bots attempting thousands of username/password combinations per minute on your wp-admin login page. A weak password or no login protection means your site can be taken over in minutes.
Every WordPress plugin and theme is a potential entry point. Developers release security patches regularly — but unupdated plugins remain vulnerable to publicly known exploits, which attackers actively scan for.
Database injection attacks that exploit poorly coded plugins or contact forms to extract data, create admin users, or deface your website. Cross-site scripting (XSS) attacks inject malicious scripts into your pages.
Distributed Denial of Service attacks flood your server with fake traffic, taking your site offline. Bot traffic also inflates your analytics, wastes your ad budget, and strains your server resources — all without a single real visitor.
Contact forms without reCAPTCHA receive hundreds of spam submissions per day, polluting your inbox, wasting your time, and sometimes delivering malware via file uploads. Unprotected forms are one of the most overlooked vulnerabilities.
Every WordPress97 maintenance retainer covers the following. The frequency and depth of each task scale with your plan level, but no plan skips the essentials.
PRICING
$99 / Month
$229 / Month
$499 / Month
Our malware removal service is available to any WordPress website owner — you do not need to be on a monthly retainer to access emergency help. Here is what our Security Expert does when you call:
We access your website via FTP/SFTP and WordPress admin to assess the extent of the compromise: which files are affected, what type of malware was injected, how the attacker gained access, and whether the database has been modified. We also check Google Search Console for any manual actions or security warnings issued against your domain.
All infected files are identified, cleaned, and verified. We use a combination of Wordfence, Sucuri, and manual code review to ensure no malicious code remains. This includes checking wp-config.php, .htaccess, all theme files, and every plugin folder. Database entries are reviewed for injected spam links, hidden admin users, and base64-encoded payloads.
Once clean, we identify and close the entry point: updating the compromised plugin or theme, changing all admin passwords, resetting security keys in wp-config.php, and reviewing user accounts for any attacker-created admin accounts. We configure login protection and a web application firewall to prevent reinfection.
If Google has flagged your site as dangerous, we submit a reconsideration request via Google Search Console once the site is clean. We also check Google Safe Browsing status and submit removal requests to any third-party blacklists (McAfee SiteAdvisor, Norton Safe Web) where your domain has been flagged. Most blacklist removals are processed within 24–72 hours of submission.
After cleanup, we apply a full hardening configuration: file permissions corrected, wp-admin directory protected with HTTP authentication where appropriate, XML-RPC disabled if not in use, directory browsing disabled, and all security headers configured. reCAPTCHA v3 is added to all contact forms. A full backup of the clean site is taken before going back live.
You receive a written report documenting what happened, which files were affected, how the attacker gained access, what was removed, and what was hardened. We also provide a recommendation for ongoing maintenance to prevent recurrence. For clients who proceed to a monthly retainer after an incident, the malware removal fee is credited towards the first month.
Retainer clients receive emergency malware removal at no extra charge, plus priority response within 4 hours.
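As an added illustration of the file review and permission checks in the cleanup and hardening steps above (example code added here, not WordPress97's own tooling), this Python script walks a WordPress tree and flags world-writable files, PHP files under wp-content/uploads, and common obfuscation patterns. The pattern list, the world-writable rule, and the sample tree are assumptions constructed for the example; it does not replace Wordfence, Sucuri, or manual review.

```python
import re
import stat
import tempfile
from pathlib import Path

# Heuristic patterns chosen for this example; not a complete signature set.
PATTERNS = [
    ("eval of decoded data",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("long base64 literal", re.compile(rb"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']")),
]
PHP_EXT = (".php", ".phtml", ".phar")

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for a WordPress tree."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories; do not follow links out of the root
        rel = path.relative_to(root).as_posix()
        if stat.S_IMODE(path.stat().st_mode) & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if path.suffix.lower() not in PHP_EXT:
            continue
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file in uploads"))
        data = path.read_bytes()
        findings += [(rel, label) for label, rx in PATTERNS if rx.search(data)]
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed tree: two clean files, two flagged ones."""
    samples = {
        "wp-config.php": (b"<?php define('DB_NAME', 'example');\n", 0o600),
        "wp-content/themes/demo/functions.php": (b"<?php add_action('init', 'demo');\n", 0o644),
        # Constructed, inert sample: the string decodes to "echo 1;"
        "wp-content/uploads/2024/img.php": (b"<?php eval(base64_decode('ZWNobyAxOw=='));\n", 0o644),
        "wp-content/plugins/demo/readme.txt": (b"demo\n", 0o666),
    }
    for rel, (body, mode) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        path.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, finding in audit_tree(tmp):
            print(f"{finding:22} {rel}")
```

A finding is a prompt for manual review, not a verdict: legitimate plugins sometimes embed long base64 strings, and a clean scan does not rule out database-resident payloads or hidden admin users.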
Google’s Core Web Vitals are a confirmed ranking factor. A website with a PageSpeed score of 40 will not rank above a competitor with a score of 90 — all else being equal. And beyond rankings, slow websites lose visitors: every additional second of load time increases bounce rate by approximately 32% according to Google’s own data.
Speed optimisation is a core part of every WordPress97 maintenance plan — not an optional add-on. Every month, we review your PageSpeed Insights scores on both mobile and desktop, identify regressions caused by new plugins or content, and resolve them before they affect your rankings or visitor experience.
PageSpeed score improved from 38 to 91 through WP Rocket configuration, Imagify WebP compression, Cloudflare CDN setup, and removal of render-blocking scripts. The site now loads in under 2 seconds on mobile — up from over 8 seconds. Core Web Vitals all pass.
New Flywheel-hosted build achieved PageSpeed 91 from day one through proper server configuration, WP Rocket caching, and Imagify optimisation. The site maintained this score post-launch with monthly maintenance monitoring catching any regressions immediately.
This WooCommerce jewellery store had accumulated 280+ errors in Google Search Console over time — a combination of 404 pages from discontinued products, broken internal links, duplicate meta descriptions across product variants, missing canonical tags on paginated category pages, and unindexed product URLs caused by incorrect robots.txt configurations. The store was also running outdated plugins with known security vulnerabilities, had no proper backup system, and had not had a security audit since the site launched.
WordPress97 performed a full GSC audit and systematically resolved every error: 301 redirects implemented for all discontinued product URLs, canonical tags added to all product variant pages, duplicate meta descriptions rewritten for every affected page, and robots.txt corrected to allow proper product page indexation. All plugins were updated and two with active CVE vulnerabilities were replaced with secure alternatives. A daily offsite backup system was configured with 90-day retention. Schema markup (Product, AggregateRating, BreadcrumbList) was added across all product pages as part of the maintenance pass.
280+ GSC errors resolved | All CVE-vulnerable plugins replaced | Daily backups active | Product schema deployed | Improved product page indexation in Google
On our Starter plan, updates are applied weekly in a manual review pass. On Professional and Enterprise plans, updates are applied daily — but always tested on a staging environment first before being pushed to your live site. Automatic WordPress core updates for minor security releases are enabled on all plans. Major version updates (e.g. WordPress 6.x to 7.x) are always done manually after testing, because they occasionally break theme or plugin compatibility.
This is exactly why we test updates on staging before deploying to live. If an update causes a compatibility issue on staging, we hold it until the plugin or theme developer releases a fix, and we notify you. If something breaks on the live site after deployment (rare but possible), we roll back to the most recent backup immediately — typically within 30 minutes of the issue being reported. Rollback is covered under all plans at no extra charge.
We create complete WordPress backups: all website files (themes, plugins, uploads) plus the full database. Backups are stored offsite — on a separate server from your hosting — so that if your hosting account is compromised, your backups are unaffected. On Starter, we retain 30 days of daily backups. On Professional, 90 days of real-time backups. On Enterprise, 180 days with hourly snapshots for high-traffic periods.
WhatsApp us immediately at +92 306 7917297. Do not try to fix it yourself — manual cleanup attempts without proper tooling often miss hidden backdoors that allow reinfection within days. Do not delete your WordPress installation — we need the infected files to identify the attack vector and close it permanently. If you have access to your hosting control panel, putting the site in maintenance mode will prevent further visitor exposure while we work on the cleanup.
Routine updates and maintenance are performed without any visitor-facing downtime on Professional and Enterprise plans, because we use staging environments. On Starter plans, major updates may require a brief maintenance window of 5–15 minutes, which we schedule during off-peak hours (typically early morning US time) and notify you about in advance.
Our maintenance service is specifically designed for WordPress websites. For Webflow sites (such as cfoly.ai and hibiscus.health), we provide content updates and performance monitoring but not the same level of security scanning available for WordPress. For Shopify, security is managed by Shopify itself, so our work focuses on performance, app management, and content maintenance. Contact us to discuss your specific platform.
The included development hours (1 hour/month on Professional, 5 hours/month on Enterprise) can be used for minor website changes that do not require a separate project scope: adding a new service to a service page, updating team member photos, editing pricing information, adding a new FAQ item, adjusting a form field, or fixing a layout issue on a specific page. Hours cannot be rolled over to the following month. Larger changes (new page builds, functionality additions, redesign work) are quoted separately.
Every plan includes a monthly maintenance report documenting exactly what was done: which plugins and themes were updated (with version numbers before and after), backup status and storage confirmation, uptime percentage for the month, PageSpeed score, GSC error count, and any security events detected. You receive this report on the first business day of every new month. On Enterprise plans, the report is accompanied by a 30-minute strategy call.