How we use AI for WordPress maintenance (the Hermes system, honestly)

Generic LLMs are trained on the public web. They do not know what a wp-adminerlzp hidden admin user looks like in your specific database, or how the August 2025 UK agency network malware persistence pattern differs from the 2024 redirect-hack family.

Hermes is a small, focused system layered on top of Lovable AI Gateway. Its value is the private corpus: every malware indicator, every incident timeline, every fix we have shipped, every Loom recording transcript. That corpus is what makes its triage useful.

Off-the-shelf AI is good at writing prose. It is poor at owning a production incident on a stranger's WordPress site. We do not let it.

Triage: when a monitoring alert fires (uptime, security scan, error spike), Hermes classifies severity and pages the right engineer with context attached, not a raw alert.

Malware classification: when a security scanner returns a hit, Hermes compares the signature against our private library and the most likely matches with confidence scores. The engineer sees 'looks like mu-plugin malware persistence family, August 2025 variant, 87% match' instead of a raw file hash.

Plan drafting: for known incident patterns, Hermes drafts a first-cut remediation plan keyed to our existing SOPs. The engineer either approves, edits, or discards. About 60 percent of drafts are usable as-is for known patterns.

Fleet pattern detection: Hermes watches across all sites in the fleet for emerging patterns. If three sites in 48 hours show the same plugin causing the same error, the team sees it as a fleet-level signal, not three isolated tickets.

It does not execute fixes. No AI writes to your production database, FTPs to your server, or pushes a deploy. Every write action is performed by a named engineer with audit trail.

It does not talk to clients. All client communication (WhatsApp, email, Loom) is from a human engineer. AI-generated client copy is banned by internal policy.

It does not generate the monthly maintenance report. Reports are written by the engineer who did the work, because a report is a trust document.

It does not replace SOPs. SOPs remain the source of truth; Hermes is a faster way to retrieve and apply them, not a replacement for the discipline.

Before Hermes (2024 baseline): median first-engineer response was 28 minutes; MTTR for security incidents was 2.1 hours; we missed roughly one cross-fleet pattern per month.

After Hermes (2026 baseline): median first-engineer response is 11 minutes; MTTR for security incidents is 42 minutes; cross-fleet patterns are caught within the first or second occurrence.

The biggest gain is not speed of typing, it is speed of context. The engineer arrives with the right pattern already on screen, instead of starting from a blank ticket.

An agency we white label for had 11 client sites hit by the same 302 redirect malware. Within 90 minutes of the first alert, Hermes had classified the family, surfaced the 410 Gone SOP, and flagged it as a cross-site pattern (not 11 independent incidents).

Two engineers worked the cleanup in parallel using a single shared plan. All 11 sites were clean within 14 days, 4,200 spam URLs were 410'd and gone from Google by day 14.

Without the fleet-pattern detection, we would have treated each site as a separate ticket and burned an extra 30 to 40 engineering hours. Hermes turned 11 incidents into 1.

You still talk to a human. The engineer who picks up your WhatsApp is the engineer fixing your site, not a bot relay.

Your site is held to the same quality bar regardless of how many sites are in the fleet that day. AI handles the fanning-out so the engineer's attention stays focused.

You get faster response times and earlier detection of cross-site patterns (e.g. 'the plugin you use just shipped a bad update' often reaches you from us before the vendor's status page is updated).

You never pay extra for AI. It is internal infrastructure, like our monitoring stack. The pricing is what it is.