PAID SERVICE · FROM AUD $1,499

Security-first website builds.

Astro/static rebuilds with HSTS, CSP, MTA-STS, DMARC hardened from day one. Day-one A grade on the major security scans. Migration from WordPress included — content, redirects, dead-URL cleanup.

01 — ARCHITECTURE

Static, by design

Astro generates flat HTML files at build time. There's no PHP runtime, no database, no admin panel running on the server. The attack surface is dramatically smaller than a WordPress site — and the page-load times are dramatically faster.

  • Astro static site generator — output is plain HTML / CSS / JS, deployable as files.
  • No application server, no DB — fewer moving parts, fewer attack vectors.
  • Image optimisation built-in (sharp) — automatic webp/avif, responsive sizes.
  • Content collections — type-checked Markdown for blogs, case studies, resources.

02 — SECURITY BASELINE

Hardened from day one

Security configuration that takes weeks to retrofit on an existing site is the starting position on a new one. Day-one A grade on the major scanners — including ours.

  • Strict CSP with nonces, no unsafe-inline.
  • HSTS with preload-eligible max-age + includeSubDomains.
  • MTA-STS + TLS-RPT for inbound mail (if you take email on this domain).
  • DMARC moved to p=quarantine or p=reject with reporting wired up.
  • Sensitive-path blocking at nginx — /.env, /.git, backups, admin paths return 404.
  • Frame-ancestors / X-Frame-Options, Referrer-Policy, Permissions-Policy set.

03 — PERFORMANCE + SEO

Fast pages rank

Speed is a Core Web Vitals signal that directly affects search ranking. Static beats dynamic on every benchmark — TTFB, LCP, CLS, TBT — without a CDN, and beats it more with one.

  • Sub-100ms TTFB from CDN edge.
  • Automatic JSON-LD structured data — Organization, Service, FAQ, BreadcrumbList.
  • Sitemap with per-page lastmod, robots.txt, security.txt (RFC 9116), llms.txt.
  • Open Graph + Twitter Card metadata generated per page.
  • IndexNow notification on deploy — engines learn about new content in seconds.

04 — CONTENT WORKFLOW

You can update it without us

A site is dead the moment it can only be edited by the person who built it. Every build ships with a content workflow your team can use, plus plain-language docs.

  • Brochure tier — Markdown files in a git repo. Anyone can edit, push to deploy.
  • CMS tier — Decap CMS or Sanity admin UI. Edit pages and posts in a browser.
  • Plain-language editing docs — written for the person who'll do the updates, not the developer.
  • 30-day post-launch support — we answer the questions that come up as you start using it.

PRICING

Four tiers. Fixed price.

Most SMBs land on the Expanded tier. Free 30-min discovery call confirms the fit before you commit.

Starter

AUD $1,499
1–3 pages

Home, about, contact. The fastest path to a clean, secure web presence.

  • 1–3 pages designed and built
  • Security baseline (CSP, HSTS, MTA-STS, DMARC)
  • Mobile responsive
  • JSON-LD, sitemap, security.txt, robots, llms.txt
  • Typical build time: ~1–2 weeks

Brochure

AUD $2,500
5 pages

Home, services, about, contact, privacy. The fast path off WordPress.

  • 5 pages designed and built
  • Security baseline (CSP, HSTS, MTA-STS, DMARC)
  • Markdown content workflow (git-based)
  • Migration from WordPress (content + redirects + 410s)
  • JSON-LD, sitemap, security.txt, robots, llms.txt
  • 30-day post-launch support
  • Typical build time: ~3 weeks

MOST COMMON

Expanded

AUD $4,500
10–15 pages

Brochure + blog + case studies + resources. The marketing-machine tier.

  • Everything in Brochure
  • Blog section with markdown post workflow
  • Case studies content collection
  • Resources / downloadables section
  • Programmatic city/service landing pages (if relevant)
  • Newsletter signup wired to Listmonk or similar
  • Typical build time: ~5 weeks

CMS-integrated

AUD $8,500
Custom

Browser-based content admin + custom integrations. For teams editing daily.

  • Everything in Expanded
  • Decap CMS or Sanity admin UI for non-technical editing
  • Custom integrations (CRM, booking system, Stripe Checkout, etc.)
  • User access control for the admin UI
  • 60-day post-launch support
  • Typical build time: ~8 weeks

Prices exclude hosting. Hosting is typically $5–$20/month on a VPS or static platform (Cloudflare Pages, Netlify) — we'll recommend what fits your setup.

LIVE EXAMPLES

Real sites. Verify them yourself.

edos.com.au itself

The site you're on is built this way. Run our own scanner on it: A grade across all four groups, every header set, MTA-STS live, DMARC enforced.

WordPress decommissions

We migrate WordPress sites to fast, secure Astro builds — content extracted, every URL mapped, dead pages cleaned with 410s so search engines drop them fast. edos.com.au made that move in 2026; we have another decommission running now. Security score goes from failing to A-grade on day one.

Programmatic SEO at scale

City × service landing pages generated from a single data file. 12 city/service combinations, all with unique meta + JSON-LD, indexed in 48 hours via IndexNow ping. No CMS lock-in.

SCOPE BOUNDARY

What we don't build

Knowing what we're not for is part of the offer.

  • WordPress sites — we replace WordPress, we don't build new ones. If you need WordPress specifically, we're not the right team.
  • Full e-commerce stores (Shopify, WooCommerce) — hosted Stripe Checkout for product catalogues yes, full storefronts no.
  • SaaS / web apps — building an application with auth, dashboards, data flows is a different engagement.
  • Pure design work without development — we build, we don't just hand off Figma files.

IF YOUR SITE ISN'T THAT BAD

Remediation might be enough

If your site's underlying stack is current and you're just missing the security configuration on top, a rebuild is overkill. Our Website Security Remediation service applies the fix list to your existing site for a fraction of the cost.

READY TO START

Ship a website that scans clean on day one.

Free 30-min discovery call. We confirm fit, scope, and tier before any commitment.

Australian businesses only. Payment in milestones — not upfront.

Frequently asked questions

Why Astro and not WordPress?
Static beats dynamic for security maths: no PHP runtime to exploit, no database to dump, no plugin CVEs to track, no admin panel to brute-force. The site you're reading right now is built this way. WordPress has its place, but for a brochure or marketing site it's an unnecessary attack surface — and it's the #1 source of failed security scans we see.
Can I update the content myself, or do I need to call you for every typo?
Both options. The brochure tier gives you Markdown files anyone can edit (think: a Word doc with simple formatting); changes go live by pushing to a git repo, which we can teach a non-technical user in 20 minutes. The CMS-integrated tier adds a web admin UI (Decap CMS or similar) for editing pages and blog posts in your browser without touching code.
What about SEO? Won't a static site rank worse than WordPress?
Other way around — static sites typically rank better. They load faster (Core Web Vitals), have cleaner HTML, and don't drag the bloat that WordPress themes and plugins add. We bake in JSON-LD structured data, sitemaps, security.txt, robots.txt, and llms.txt by default. Migrations from WordPress almost always see ranking improvements once redirects are mapped.
Can you do e-commerce?
Hosted Stripe Checkout works well for simple product catalogues — we integrate it with the static site. Full Shopify/WooCommerce stores aren't in scope for this service; that's a different engagement. If you need 'a contact form, a few products, and Stripe at checkout', we've got you covered.
What's included in 'security-first by default'?
Strict CSP (with nonces, no unsafe-inline), HSTS preload, MTA-STS, DMARC enforcement, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP/COOP/COEP where appropriate, sensitive-path blocking at the edge, no admin panels exposed, no PHP runtime. Day-one A grade on the standard security scans.
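The header items in this answer, and in the security baseline list earlier on the page, can be checked mechanically against a response's headers. The sketch below is an added example, not the edos.com.au scanner or any code from this page; the function name, failure labels and sample headers are constructed for illustration, and the one-year HSTS floor is the browser preload list's published minimum.

```python
import re

HSTS_PRELOAD_MIN_AGE = 31536000  # one year: minimum for the browser preload list

def audit_headers(headers):
    """Return sorted baseline failures for one response's headers (empty list = pass)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    failures = []
    # HSTS preload eligibility: max-age >= 1 year, includeSubDomains and preload.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    age = next((int(m.group(1)) for d in hsts
                if (m := re.fullmatch(r'max-age="?(\d+)"?', d))), 0)
    if age < HSTS_PRELOAD_MIN_AGE or not {"includesubdomains", "preload"} <= set(hsts):
        failures.append("hsts-not-preload-eligible")
    # CSP as {directive: [sources]}; the first occurrence of a directive wins.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.lower().split()
        if tokens:
            csp.setdefault(tokens[0], tokens[1:])
    script = csp.get("script-src", csp.get("default-src"))  # script-src falls back
    if script is None:
        failures.append("csp-missing-script-policy")
    else:
        if "'unsafe-inline'" in script:
            failures.append("csp-unsafe-inline")
        if not any(s.startswith("'nonce-") for s in script):
            failures.append("csp-no-nonce")
    # Framing: CSP frame-ancestors, or the legacy X-Frame-Options header.
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        failures.append("framing-unrestricted")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failures.append("no-nosniff")
    failures += [f"missing-{n}" for n in ("referrer-policy", "permissions-policy") if not h.get(n)]
    return sorted(failures)

# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-Zm9vYmFy'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
```

Calling `audit_headers(WEAK)` returns every baseline item the constructed weak response misses, while `audit_headers(HARDENED)` returns an empty list.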
How does migration from WordPress work?
We extract content (pages, blog posts, images) into Markdown, rebuild the site in Astro, and map every old URL to the new one — including 410 (Gone) responses for dead pages so search engines drop them quickly instead of treating them as 404 noise. Your old WordPress server stays up during the build; we cut over once you sign off on the new site.
Where does it get hosted?
Your existing infrastructure usually works fine — static HTML runs anywhere with a web server. We typically recommend nginx behind Cloudflare with strict CSP, but it's flexible. If you don't have hosting, we set it up as part of the build (usually a VPS or a static-hosting platform like Netlify/Cloudflare Pages).