■ Incident Response · Fixed-Fee Emergency Packages
Vector: Magecart-style skimmer on Checkout
Detected: Day 14
Removed: Day 14
Notified CNIL: Day 16 (within 72-hour window)
Outcome: No card data confirmed exfiltrated post-removal

■ Incident response — talk to the lead architect
Ritesh Agarwal · Lead Architect, Appycodes · LinkedIn
■ What you get
We don't sell a scanner. We sell engineers who treat the compromise like the start of a project, not the end of one.
01. Magecart skimmers, SEO-spam injections, redirect malware, cryptominers, backdoor PHP shells. Identified, removed, root cause documented.
02. Timeline reconstruction. Breach-window estimation from page revision history. Indicator-of-compromise documentation handed to your legal and DPO.
03. File integrity monitoring, WAF rules, geo-blocking, ASN blocking, full credential rotation (DB, API keys, hosting panel, FTP/SSH, gateways), 2FA enforcement.
04. GDPR Article 33, CNIL, ICO. What to write, when to write it, what counts as a notifiable breach, who has to be told within 72 hours.
05. Monitoring, alerting, patch management, scheduled scans. Quarterly review. Not a vendor relationship — a phone number that picks up at 02:00.
06. 7.x → 8.x. The work that should have happened before the compromise — done after, with the codebase rewritten where the old packages stopped receiving security patches.
▼ The IOC Map
Twelve indicator-of-compromise patterns we look for during an incident. Each tile is the one-line check we actually run.
File mtime drift
find wp-content -mtime -30 -type f
PHP in /uploads/
find wp-content/uploads -name '*.php'
eval(base64_decode(
grep -R 'eval(base64_decode' wp-content/
option_value injection
SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%';
Admin user drift
wp user list --role=administrator
Cron task hijack
wp cron event list
.htaccess rewrite
git diff .htaccess (or backup compare)
Skimmer JS in content
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%metrics.js%' OR post_content LIKE '%easystation%';
Backdoor polling URLs
tail -f access.log | grep wp-load
ASN traffic spikes
Cloudflare Firewall Events · group by ASN
WSO / FilesMan shells
grep -R 'FilesMan\|WSO\|assert(\$_' wp-content/
Iframe injections
grep -R '<iframe[^>]*src="http' theme/
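The file-system tiles above (mtime drift, PHP in uploads, backdoor patterns, iframe injection) combined into one sweep, as an added example that is not Appycodes' own tooling. It assumes the standard wp-content/uploads and wp-content/themes layout and builds a constructed sample tree to run against.

```shell
# Added example, not Appycodes' tooling. POSIX sh.
# ioc_sweep <wp-root> [days]: prints "TAG<TAB>path" for every hit and exits with
# the number of tiles that fired (0 = nothing found). Assumes the standard
# wp-content/uploads and wp-content/themes layout.
ioc_sweep() {
  root="${1:?path to WordPress root}"
  days="${2:-30}"
  fired=0
  # run_check TAG cmd args...: a tile fires when its command prints any path.
  run_check() {
    tag="$1"; shift
    out=$("$@" 2>/dev/null) || true        # find/grep exit 1 on no match
    if [ -n "$out" ]; then
      printf '%s\n' "$out" | awk -v t="$tag" '{ print t "\t" $0 }'
      fired=$((fired + 1))
    fi
  }
  run_check MTIME_DRIFT      find "$root/wp-content" -type f -mtime "-$days"
  run_check PHP_IN_UPLOADS   find "$root/wp-content/uploads" -type f -name '*.php'
  run_check BACKDOOR_PATTERN grep -RlE 'eval\(base64_decode|eval\(gzinflate|assert\(\$_|FilesMan|WSO' "$root/wp-content"
  run_check IFRAME_INJECTION grep -RlE '<iframe[^>]*src="http' "$root/wp-content/themes"
  return "$fired"
}

# make_sample_tree DIR: constructed fixture (not a real site) that trips every
# tile: a marker-only "PHP" file in uploads plus an iframe in a theme file.
# The marker is inside a PHP comment, so the fixture file executes nothing.
make_sample_tree() {
  mkdir -p "$1/wp-content/uploads/2024" "$1/wp-content/themes/shop"
  printf '<?php // constructed marker: eval(base64_decode( ?>\n' > "$1/wp-content/uploads/2024/img.php"
  printf '<html><iframe src="http://example.invalid/x"></iframe></html>\n' > "$1/wp-content/themes/shop/footer.php"
  printf '<?php echo "clean"; ?>\n' > "$1/wp-content/themes/shop/header.php"
}

demo=$(mktemp -d) && make_sample_tree "$demo"
ioc_sweep "$demo" || echo "tiles fired: $?"
rm -rf "$demo"
```

On the constructed tree all four tiles fire (exit status 4); on an empty wp-content layout none do.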
■ Evidence — anonymised case files
French WooCommerce site running Payplug + WPML. Duplicate card-detail fields appeared at checkout. Initial hypotheses (duplicate plugins, WCML gateway double-registration, Gutenberg block conflicts, theme overrides) all ruled out methodically.
Actual cause: malicious third-party script easystation.top/fibrebio/metrics.js injected into Checkout page content, rendering a fake payment form overlay alongside the legitimate Payplug form. Classic Magecart pattern — overlay captures, exfiltrates, passes through to the real form so the order completes and nobody notices.
Post-removal: file-mtime audit across wp-content/ for 30 days, grep for backdoor patterns (eval(base64_decode, eval(gzinflate, assert($_, FilesMan, WSO), PHP-in-uploads scan, SQL audit of wp_options for script injection, admin user review, MalCare deep scan with second-pass confirmation, full credential rotation, GDPR Article 33 conversation with the client.
nginx upstream timeout cascade caused by PHP-FPM worker pool exhaustion. Diagnosed: coordinated bot attack from Hetzner Cloud IPs hitting /boiler-cover/ variants. A higher-priority finding surfaced alongside it: POST requests to wp-load.php and /v1/wp-load.php with randomised hex query parameters, a backdoor polling pattern suggesting the install was already compromised.
Remediation: ASN-level Cloudflare blocking, aggressive page caching to absorb bot traffic, reduced fastcgi_read_timeout, geo-blocking by country allowlist with cf.client.bot bypass for verified Googlebot. Deployed first under Managed Challenge before switching to Block to avoid taking down legitimate traffic.
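The wp-load.php polling pattern from the case above, turned into a per-source count over a combined-format access log, as an added example that is not Appycodes' tooling. It assumes a "randomised hex" query string means one made only of hex digits and the separators = and &, and uses constructed log lines with RFC 5737 documentation addresses.

```shell
# Added example, not Appycodes' tooling. backdoor_poll_hits <access.log> prints
# "client_ip hits" for every source that POSTed to a path ending in wp-load.php
# (any prefix, e.g. /v1/) with a query string that is only hex digits plus = and &,
# i.e. a randomised token rather than a real parameter. Most active source first.
backdoor_poll_hits() {
  awk '
    $6 == "\"POST" && $7 ~ /wp-load\.php\?/ {
      q = $7; sub(/^[^?]*\?/, "", q)            # keep only the query string
      rest = q; gsub(/[0-9a-fA-F=&]/, "", rest) # strip hex and separators
      if (rest == "" && length(q) >= 8) hits[$1]++
    }
    END { for (ip in hits) print ip, hits[ip] }
  ' "$1" | sort -k2,2nr
}

# Constructed sample log (documentation addresses, not real traffic).
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.7 - - [12/Mar/2024:02:13:01 +0000] "POST /v1/wp-load.php?a3f9c2e1=7b1e4d HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:02:13:05 +0000] "GET /boiler-cover/bristol/ HTTP/1.1" 200 18244 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "POST /wp-load.php?9c0d1e2f3a4b HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:02:14:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.19 - - [12/Mar/2024:02:15:00 +0000] "POST /wp-load.php?utm_source=newsletter HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:15:44 +0000] "POST /wp-load.php?5e6f7a8b=c9d0 HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.19 - - [12/Mar/2024:02:16:02 +0000] "POST /v1/wp-load.php?deadbeef0001 HTTP/1.1" 200 31 "-" "Mozilla/5.0"
EOF
backdoor_poll_hits "$sample"
rm -f "$sample"
```

The per-source counts are what feed the ASN lookup and the Cloudflare rule that follows; the GET, the wp-login POST and the utm_source query are deliberately left out.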
Hardening engagements run alongside maintenance & support, custom WordPress, and WooCommerce development. Edge-layer work for WAF and geo-blocking ties into Cloudflare edge engineering.
■ Active incident
Engineers, not a ticketing queue.