The Challenge
Meridian doesn't have "a website." It has a fleet — and at enterprise scale, that fleet had quietly become one of the company's least-governed assets.
The pattern is familiar to anyone who has run web at a large healthcare company:
- Sprawl by accretion. Every brand team, every medical-affairs group, and every regional office had commissioned its own microsites through whichever agency they preferred. The result: 740+ sites spread across eleven hosting vendors and a tangle of bespoke stacks, themes, and plugins, with no two configured the same way.
- No fleet-wide security visibility. With sites scattered across agencies and hosts, nobody could answer the basic question — which of our 740 properties is compromised right now? — without contacting each agency individually. In a regulated industry, that's not a hypothetical risk.
- Glacial launch times. Standing up a new congress or campaign microsite meant a fresh agency procurement, a fresh stack, and a fresh security and compliance review — roughly six weeks from green light to live, which routinely missed real-world deadlines like a conference date.
- Accessibility exposure. A sample audit found only 38% of patient-facing sites met WCAG 2.2 AA. For a healthcare company, inaccessible patient information is both a legal and an ethical problem.
- Content governance gaps. Medical, legal, and regulatory (MLR) review existed on paper, but with every agency using a different publishing workflow, there was no consistent enforcement that approved copy was the copy that actually shipped.
Meridian didn't need another agency. They needed a platform — one standard, governed, secure base that every microsite could live on, without slowing the brand teams down.
The Approach
TopSyde migrated the fleet onto a single managed WordPress platform built around a standardized, pre-hardened base image — then layered governance and security on top so the consolidation didn't come at the cost of speed.
Step 1 — Inventory and consolidate the fleet
Before moving anything, TopSyde built a complete inventory: every microsite, its host, its stack, its traffic profile, and its compliance status. Sites were then migrated in waves onto the managed platform, each one rebased onto a common, hardened WordPress foundation — same core, same vetted plugin set, same security posture — while preserving each site's distinct design and content.
Step 2 — Standardize the launch path
A new microsite no longer starts from zero. TopSyde built a pre-approved base — hardened configuration, accessibility defaults, analytics, consent management, and the MLR publishing workflow already wired in. Brand and medical-affairs teams now request a site and get a compliant, secured starting point in days, not a six-week procurement cycle.
Step 3 — Put the whole fleet under Sentinel
Every site was connected to the TopSyde portal over an isolated, per-site SSH key and placed under TopSyde Sentinel, our AI-driven security layer. Sentinel scans from outside each site — verifying WordPress core against official checksums, diffing plugins against their official packages, and sweeping for backdoors, rogue admins, and injected content — on every site, every day. In the first 60 days it surfaced 147 critical findings across the fleet, from abandoned vulnerable plugins on long-forgotten campaign sites to injected SEO spam on a regional brand property, none of which the prior per-agency tooling had reported.
Step 4 — Bring the fleet to accessibility and governance standard
As part of the rebase, every site was brought up to WCAG 2.2 AA, with automated accessibility checks added to the publishing workflow so new content can't quietly regress. The MLR workflow became a hard gate: approved content is versioned, and what ships is provably what was reviewed.
The Results
Within the first two quarters, the fleet went from a liability to an asset:
- 740+ microsites now run on one governed platform, replacing eleven hosting vendors and an unmanageable patchwork of stacks.
- Launch time fell from roughly six weeks to five days, so campaign and congress sites finally ship on the calendar the business actually works to.
- 100% of the fleet reached WCAG 2.2 AA, up from 38%, closing a standing accessibility exposure across patient-facing properties.
- 147 critical security findings were remediated in the first 60 days — every one of them invisible to the prior per-site scanners.
- Mean time to detect a compromise dropped from ~9 days to under 24 hours, because every site is now scanned daily instead of whenever an agency happened to look.
Why It Worked
- A platform, not a project. Standardizing on one hardened base turned 740 one-off sites into a single fleet that can be secured, audited, and updated as a unit — without flattening the design freedom brand teams need.
- Governance built into the path of least resistance. Accessibility and MLR checks live inside the launch workflow, so doing it the fast way is also doing it the compliant way.
- Outside-in security at scale. Sentinel sees what in-site plugins can't once a site is compromised, and it does it on every property daily — the only way to keep a 740-site fleet honest without a standing security team.
Frequently Asked Questions
How do you consolidate hundreds of sites without disrupting brand teams?
Migration happens in waves, and each site keeps its design and content — only the underlying platform changes. Brand teams keep publishing; what changes is that they're now publishing onto a hardened, governed base instead of a bespoke agency stack.
Does standardizing the platform limit what each microsite can look like?
No. The base image standardizes security, performance, accessibility, and governance — not design. Each site keeps its own theme and creative; the common foundation sits underneath.
How does compliance review get enforced across so many sites?
The MLR workflow is wired into the publishing path on every site, so review isn't an optional side process — approved content is versioned, and what goes live is provably what was approved.
What did Sentinel find that the previous tools missed?
Across the first 60 days, 147 critical issues — abandoned vulnerable plugins on dormant campaign sites, injected SEO spam, and outdated cores — surfaced fleet-wide. Per-agency tools only ever looked at one site at a time, so the fleet-level picture had never existed before.
The Stack — Named, Not Hidden
We tell you exactly what runs underneath. No proprietary black box.
Business Outcomes
- →Replaced a sprawl of 11 hosting vendors and agency-owned stacks with one governed platform — eliminating an audit and security liability that had grown invisible at scale.
- →Cut microsite launch time from roughly six weeks to five days with a standardized, pre-hardened base, so brand and medical-affairs teams could ship congress and campaign sites on real timelines.
- →Brought 100% of the fleet to WCAG 2.2 AA, closing accessibility exposure across patient-facing properties.
- →Put all 740+ microsites under daily AI security scanning with reversible remediation — surfacing 147 critical findings in the first 60 days that prior per-site tooling had never reported.
DevOps & Security Lead
12+ years DevOps, Linux & cloud infrastructure certified
Marcus leads infrastructure and security at TopSyde, managing the server fleet and AI monitoring systems that keep client sites fast and protected. Former sysadmin turned WordPress hosting specialist.
