WordPress, infrastructure, and open source.

Practical articles on performance engineering, hosting architecture, automation, and contributing to WordPress Core — written from the infrastructure side.

Infrastructure · Featured · 7 min read

Triaging an Nginx 502 Bad Gateway on a busy WordPress server

An Nginx → PHP-FPM stack started returning 502s under load with no error in the application logs. Here's the exact triage path I used to find the cause — checking PHP-FPM workers, the socket, the error log, and the one tuning change that fixed it for good.

Infrastructure · 6 min read

How I diagnosed a MariaDB query eating 100% CPU on a production server

A shared hosting server on our fleet started spiking to 100% CPU with no obvious cause. Here's the exact process I used to find it — from top and mysqladmin processlist to slow query log analysis and the fix that brought load back to normal.

Infrastructure · 7 min read

Why your WooCommerce site dies at midnight every day

A WooCommerce store on shared hosting kept going down at the same time every night. No traffic spike, no deploy, no obvious cause — just a server falling over at 00:00. The culprit was Action Scheduler, and the fix had nothing to do with WooCommerce itself.

Infrastructure · 6 min read

Why your Linux server has 90% swap usage with plenty of free RAM

A monitoring dashboard lit up red because swap usage was at 92% on a server with 8 GB of free RAM. Counterintuitive but completely fine — and explaining why is a useful exercise in how Linux memory actually works.

Infrastructure · 8 min read

When wp_wc_product_attributes_lookup eats your database

A WooCommerce store with 40,000 SKUs started showing slow queries against a table most people don't think about: wp_wc_product_attributes_lookup. Here's why WooCommerce regenerates it, why large catalogs make it brutal, and how to keep it from melting your database.

Infrastructure · 6 min read

When MySQL runs out of connections because everything is sleeping

A MariaDB instance hit max_connections during normal traffic. The processlist was full of Sleep entries — connections doing nothing, but holding slots. The fix wasn't raising max_connections. It was understanding what 'Sleep' actually means.

Infrastructure · 6 min read

When Cloudflare's bot protection breaks your own API

A WordPress REST API that worked fine in browsers started returning 403s when called from a partner's backend. The application logs were clean. The Cloudflare dashboard was the real story — and the fix needed care, because the same protection blocking the partner was also blocking real attacks.

Infrastructure · 5 min read

How to actually block a malicious /24 (instead of playing whack-a-mole)

Repeated attacks were coming from rotating IPs in the same subnet. Blocking them one at a time was pointless — by the time I added one to the deny list, three more had taken its place. The fix was understanding CIDR ranges and where to do the blocking.

Infrastructure · 5 min read

Why wget https://1.2.3.4 fails with an SSL error (and what SNI has to do with it)

A common debugging mistake: trying to test an HTTPS server by hitting its IP address directly with wget or curl. It always fails certificate validation, and the reason is one of the more interesting corners of how SSL/TLS actually works on the modern web.

Infrastructure · 5 min read

Why your PHP version 'didn't change' (and how CLI and FPM lie to each other)

You upgraded PHP. `php -v` confirms the new version. The website still loads with the old one. The most common cause isn't a caching issue or a config bug — it's that PHP CLI and PHP-FPM are two completely separate things, and most hosts let you upgrade one without touching the other.

Infrastructure · 5 min read

robots.txt is not a security tool, and it never was

A surprising number of people still believe robots.txt blocks malicious bots from crawling sensitive paths. It doesn't. It never has. It's a polite request, and the bots you most want to keep out are the ones that don't read it. Here's what robots.txt actually does, and where to put real blocks instead.

Community · 5 min read

Receiving the Yoast Care Fund — What It Meant to My WordPress Journey

In July 2024 I found out I'd been nominated for the Yoast Care Fund. Here's the honest story behind it — the contribution work that led there, the community that pushed me forward, and what it actually felt like.

Community · 6 min read

What Rocket.net's Five for the Future Sponsorship Actually Looks Like

Rocket.net sponsors 23 hours of my week toward WordPress.org contribution. This is what that commitment looks like in practice — Core patches, Hosting team meetings, testing, and why I believe in it.

Community · 7 min read

Organizing WordCamp Asia 2025: What Nobody Tells You

I helped organize WordCamp Asia 2025 in Manila. The spreadsheets, the late-night calls, the moments where it almost didn't come together — and why I'd do it again without hesitation.

Community · 5 min read

How I Became WordPress.org's Hosting Team Representative

In early 2025 I was named one of the WordPress.org Hosting Team Reps. This is what that role actually involves, how I got there, and what bridging hosting providers with Core development means day-to-day.

Community · 6 min read

Leading Contributor Day Tables at 4 WordCamps: What I Learned

I've led Hosting and Test tables at WordCamp US, Asia, Sylhet, and Malaysia. The energy is incredible every time — but there's also a craft to helping first-time contributors get their first patch in.

Community · 8 min read

Nine WordCamps in Two Years: An Honest Recap

From Sylhet to Portland to Basel — I attended 9 WordCamps across Asia, Europe, and North America in 2024 and 2025. What I actually got from it, and what I'd tell anyone considering their first one.
