Agency
Why Page Builders Are Becoming Optional Again (And What That Means for Agencies)
alex

Why Page Builders Are Becoming Optional Again (And What That Means for Agencies)

A quiet thing happened in WordPress over the past eighteen months. Block themes plus the Site Editor became good enough that a meaningful percentage of new sites we build do not need a page builder at all. Here is what changed, what that means for agency workflows, and what is still worth keeping the page builder for.

What block themes finally got right

  • Reusable patterns. The pattern library replaced 70 percent of what we used Elementor templates for. Clients edit them in the same UI they edit posts.
  • Global styles via theme.json. Colours, typography, spacing, button styles. Changes feel atomic, do not require touching a builder’s settings panel.
  • Template parts. Header, footer, query loop, 404 — editable in the Site Editor by anyone with the right capability.
  • Performance. Block-theme sites ship measurably less CSS and JS than typical page-builder sites. The default Lighthouse score is higher with no extra work.

What this means for agencies

Three shifts we have made over the past year:

  1. New brochure sites default to a block theme. No Elementor unless the client specifically asks. Build time is the same; maintenance burden is lower.
  2. Existing page-builder sites stay on the page builder. Migration cost is not worth the marginal benefit. We do not refactor working sites.
  3. Page-builder skills still matter, just for different sites. Stores, landing pages, anything with heavy custom layout per page — the builder still wins. The “every site needs a page builder” assumption is what changed.

Where page builders still win

  • Landing pages with bespoke layout per page. The Site Editor is designed for templated content; landing pages are by definition not templated.
  • WooCommerce product page customisation at the per-product level. Builders handle this well; block themes still feel awkward.
  • Clients who want to drag. Some non-technical editors genuinely prefer the visual builder UX. That is a valid reason on its own.

Where neither wins and you should hand-code

Sites with a strong design system that the client will not edit. A small custom theme is faster to build, ships less code, and is easier to debug than fighting either the block editor or a page builder. This is a smaller portion of work now than it was, but it has not gone away.

The honest take

Page builders are not dying. They are becoming optional for a class of sites where they used to be the default. That is a real shift, and the agencies that adapted their tooling around it are shipping faster sites with less code. The agencies that did not are paying license fees for builders they no longer needed.

Audit your default build stack at the start of every year. If it has not changed in three years, the ecosystem changed and you missed it.

WordPress
Block Theme vs Classic Theme in 2026: An Honest Comparison After 18 Months
alex

Block Theme vs Classic Theme in 2026: An Honest Comparison After 18 Months

Block themes promised the end of functions.php, the death of page builders, and a future where every editor was a designer. After 18 months running them in production alongside classic themes, here is the honest no-hype comparison.

Where block themes won

  • Template editing in the admin. Editing the footer or 404 page in the Site Editor without touching code is real and works. Designers love this.
  • Global styles. One JSON file (theme.json) controls colours, typography, spacing across the whole site. Changes feel atomic and predictable.
  • Asset weight. Block themes ship less CSS by default. Lighthouse scores nudge up.

Where classic themes still win

  • Deep customisation. If your design has bespoke layouts, custom post type templates, or specific hook integrations, classic theme files are still faster to write and easier to debug.
  • Ecosystem. The plugins and theme add-ons you have used for ten years almost all still target classic patterns. Block-theme integrations are catching up but lag.
  • Client comfort. Clients trained on Elementor or Divi do not necessarily benefit from the Site Editor. Some find the block paradigm slower.

The honest middle

Most production sites we manage now are hybrid: a block theme for the chrome (header, footer, post templates, 404, search) and a classic-style child theme for the bespoke template parts. This is not a fence-sit; it is a load-balance. The block side gets the editing convenience, the classic side handles the cases that genuinely need PHP.

Migration is the gotcha

Moving an established site from classic to block is rarely worth it. The migration eats weeks, breaks integrations, and the visible benefit to the client is small. New builds are a different story — start with block, fall back to classic templates where you need them.

The short version

Block themes are now the default we reach for on new builds. Classic themes are not dead — they are the right tool for sites that need deep custom work and for established sites where migration is more risk than benefit. The “block themes are the future” framing was true; the “classic themes are obsolete” framing was not.

Spam Protection
CAPTCHA Is Dead: How AI-Powered Spam Filtering Works on WordPress in 2026
alex

CAPTCHA Is Dead: How AI-Powered Spam Filtering Works on WordPress in 2026

If you have ever clicked nine pictures of traffic lights to send a contact form, you already know CAPTCHA is broken. It is broken for users (drops conversions, accessibility nightmare), broken for site owners (modern solvers handle it for cents), and broken philosophically (it asks the human to prove they are human while letting the bot prove it too). In 2026, AI-powered spam filtering replaces it. Here is how that actually works.

What CAPTCHA was solving

CAPTCHA worked on the assumption that bots could not read text or recognise images. That assumption held until roughly 2015, then degraded continuously. By 2022, headless browser plus a commercial CAPTCHA-solving API got past reCAPTCHA v2 in under a second for less than a tenth of a cent per solve. v3 (the invisible “score” version) is better in spirit but still rejects real users on shared NAT and missed enough realistic spam that most production sites layered something else on top.

What AI filtering is doing differently

Where CAPTCHA asks the visitor to prove they are human, AI filtering reads the submission and decides whether it looks like a real intent. Two practical examples:

  • Contact form: the model reads the message and scores it against patterns of real enquiry vs SEO outreach vs scam vs irrelevant pitch. A well-written “Hello, do you take freelance work?” scores high. A well-written “I represent a company that helps your website…” scores low even though both are grammatical.
  • Comment: the model reads the comment in context of the post it is on. A topical follow-up question scores high. A generic “great post, also check out my SEO service” scores low.

The user does nothing. There is no puzzle. The filtering happens server-side after the submission lands and decides whether to deliver, hold, or reject it.

Why this is better in production

  • Conversion stays clean. CAPTCHA on a contact form drops conversions 5-15 percent on most sites we have measured. Removing it adds the same percentage back.
  • Accessibility works. No more “I cannot pass the puzzle” support tickets.
  • Sophisticated spam gets caught. The realistic AI-written submissions that walk past Akismet and reCAPTCHA are exactly what intent-scoring models were trained on.

Where it still costs something

Honest tradeoffs:

  • Per-submission AI cost. Each filtered submission runs a small inference call. For most sites this is fractions of a cent and negligible at scale. Heavy traffic sites should check the math.
  • Borderline cases. Intent scoring is a probability, not a verdict. Borderline submissions need to be held for human review, not auto-rejected. A quiet “moderation queue” tab in the dashboard is the right interface.
  • Locale coverage. Models trained on English do better with English-language sites. Multilingual sites need a filter that knows it.
🛡

QWeb Spam Shield does AI filtering on every WordPress endpoint

Spam Shield runs Google Gemini against every form, comment, signup and checkout submission. No CAPTCHA anywhere. Borderline submissions land in a moderation queue. Sensible multilingual coverage. Two-minute setup, free 7-day trial.

Replace CAPTCHA with AI filtering →

The short version

CAPTCHA asked your visitor to pay for the security of your site, in attention. In 2026 you do not have to charge them anymore. Reading the submission is cheaper, more accurate, and invisible — and the realistic spam that is the actual problem on a modern WordPress site is the thing it catches that nothing else does.

Development
Custom Gutenberg Blocks Without Build Tools: The 2026 Way
alex

Custom Gutenberg Blocks Without Build Tools: The 2026 Way

Three years ago, shipping a custom Gutenberg block meant configuring webpack, setting up the wp-scripts toolchain, and managing a build/ directory you would never touch again. In 2026 you can skip all of it. Here is the build-tool-free workflow we use for client-specific custom blocks.

What changed

Three things made this possible:

  • block.json support is stable. WordPress reads metadata directly from block.json and registers your block from PHP. No JS bundle required for blocks that do not need a custom editor UI.
  • Dynamic blocks via render_callback. If your block is server-rendered, you write a PHP function. Editor preview can use the same render.
  • Iframe-isolated editor. Means inline <style> and small inline scripts work cleanly inside the block without leaking into the surrounding editor.

The pattern

// my-block/block.json
{
  "apiVersion": 3,
  "name": "wpt/team-card",
  "title": "Team Card",
  "category": "design",
  "attributes": {
    "name":  { "type": "string" },
    "role":  { "type": "string" },
    "photo": { "type": "string" }
  },
  "render": "file:./render.php"
}

Then in render.php you return the front-end markup. Register it in your theme or a small plugin with a single PHP call:

add_action('init', function () {
  register_block_type(__DIR__ . '/my-block');
});

That is the entire setup. No webpack, no JS bundle, no npm install.

When you still need JS

If your block needs a richer editor UI — sliders, repeater fields, custom controls — you still need a small JS file with registerBlockType. But for the “data in, HTML out” case that covers maybe 70 percent of custom blocks we ship, the JS is not needed at all.

The honest tradeoff

The build-tool-free pattern is faster to ship and easier to maintain, but you lose the polished editor preview. Editors see a placeholder with the attributes; clients sometimes prefer to see the real rendered block in the editor. Decide per-block whether that matters.

What to try this afternoon

Pick the simplest custom block you have shipped recently — the one you would describe as “just a div with some content fields”. Re-implement it as a server-rendered block with block.json + render.php and no JS. You will probably save 80 percent of the code and all of the build complexity.

Performance
Core Web Vitals for WordPress: The 2026 Playbook
alex

Core Web Vitals for WordPress: The 2026 Playbook

Core Web Vitals targets keep moving and the advice keeps shifting with them. INP replaced FID. LCP got stricter on mobile. CLS became less forgiving. Here is the 2026 playbook for WordPress sites, ordered by what actually moves the metric, not by what makes Lighthouse green.

LCP — the one most people get wrong

Largest Contentful Paint is almost always an image. The fix is rarely “compress harder”. The fix is to deliver the right image at the right size at the right priority.

  • Add fetchpriority="high" on the hero image. This single attribute frequently shaves 400-800ms off LCP on mobile.
  • Serve responsive variants. The default WordPress srcset is good; make sure you are not bypassing it with a custom Elementor or page-builder image widget that hard-codes a URL.
  • Preload the hero image in <head> if it lives below a JS-loaded section.

INP — the new boss

Interaction to Next Paint replaced First Input Delay because FID was too easy. INP is harder. It catches the slow handler on the second tap, the third menu open, the long task during interaction. On WordPress sites the usual offenders are:

  • Page-builder plugins running JS on every click (not just the relevant clicks)
  • Third-party chat widgets and analytics SDKs queuing up long tasks during interaction
  • Heavy synchronous theme JS waiting on full DOM ready

The single biggest INP win is deferring the chat widget and any “session replay” analytics to requestIdleCallback or a 3-second timer after first interaction. Most users do not need them in the first paint window.

CLS — invisible until it is not

Cumulative Layout Shift on WordPress is usually three things:

  • Web-font loading without font-display: optional or matched fallback metrics
  • Ads or embeds without a reserved aspect-ratio container
  • Above-the-fold image without explicit dimensions in the markup

All three are fixable in CSS or a small theme function. None require a plugin.

What to ignore

  • Lighthouse “unused JavaScript” warnings for theme files under 30KB. Not worth the engineering time.
  • “Reduce render-blocking resources” for inline critical CSS that is already under 8KB. Same.
  • Aggressive lazy-loading of above-the-fold images. This hurts LCP. Lazy-load only what is below the fold.

Order of work

If you only have one afternoon: fix LCP with fetchpriority and a preload. If you have a second: defer the chat widget. If you have a third: reserve aspect ratios for embeds and ads. That covers 80 percent of the gains on a typical WordPress site without breaking anything.

SEO
WordPress SEO in 2026: The 12 Settings That Still Matter
alex

WordPress SEO in 2026: The 12 Settings That Still Matter

A lot of WordPress SEO advice is from 2018. A lot of it is wrong now. Here are the 12 settings that still actually move organic traffic in 2026, in rough order of impact.

The high-impact 6

  1. Title tag format. Site name first or last? Use %title% — %sitename% for content sites, %sitename% — %title% for brand-led sites. Set it in Yoast or RankMath, not in your theme.
  2. Canonical URLs. Self-referencing canonicals on every post and page. Especially important if your store uses filtered URLs that share content.
  3. XML sitemap with only indexable content. Strip out tag archives, attachment pages, and any noindex content. A clean sitemap helps Google prioritise the URLs you want indexed.
  4. Internal linking on cornerstone pages. Every important page should have at least three internal links from related content. This is the single highest-leverage thing you can do for an existing site.
  5. Schema on the right post types. Article schema on blog posts, Product on WooCommerce, FAQ where it genuinely applies. Skip schema you do not earn.
  6. Image alt text. Boring, important, still measurable. Write it for screen readers and Google reads it too.

The medium-impact 4

  1. Open Graph and Twitter Card metadata. Does not affect ranking but affects click-through from social shares. Same engineering effort, real conversion win.
  2. Robots.txt that does not block what you need indexed. Audit yours. Sites accidentally block their own assets every week.
  3. Breadcrumb schema. Visible breadcrumbs plus structured data. Earns the breadcrumb display in search results, modest CTR boost.
  4. 404 page that suggests next steps. Reduces bounce, signals the page is intentional rather than broken.

The low-but-still-worth-doing 2

  1. Hreflang for multi-language sites. If you have one language, skip this. If you have two or more, do it right.
  2. Last-modified headers. Helps Google crawl efficiently. Trivial to set up, no ongoing maintenance.

The things people still chase that do not matter

  • Keyword density. Has not been a real signal since approximately 2014.
  • Meta keywords. Ignored by every major search engine for over a decade.
  • Article word count as a ranking signal. Quality of coverage matters; absolute count does not.

Run through the 12 above. Most sites have 8 already and 4 they forgot. Fix the 4 and move on to writing the content that the next 5 will reward.

Spam Protection
WooCommerce Checkout Spam: The Card-Testing Attack That Is Killing Your Stripe Account
alex

WooCommerce Checkout Spam: The Card-Testing Attack That Is Killing Your Stripe Account

If you run a WooCommerce store and Stripe or PayPal has flagged your account, there is a strong chance it was not your customers. It was a card-testing attack on your checkout. This is the spam that costs money — chargeback fees, processor-side risk scoring, and in the worst cases a frozen merchant account. Here is how it works on WooCommerce and what to do about it.

What card testing actually looks like

A card-testing attack is automation that runs stolen card numbers against a low-risk public checkout to find out which ones still work. The attacker does not want your product. They want the success response from Stripe. They buy or generate a list of card numbers and need a checkout that does not stop them from trying.

WooCommerce is a popular target for three reasons: the checkout endpoint is well-known, there is rarely a CAPTCHA in front of the pay button, and most stores accept very small order totals (a $5 product is enough to validate a card). A typical burst looks like 80 to 400 attempts in a window of 2 to 15 minutes, often at 3am local time.

Why your processor flags you, not them

Stripe and PayPal score risk at the merchant level. A spike of declined charges, especially in a tight window, looks identical to a compromised merchant on their side. Their automated response is to:

  • Raise your risk score
  • Throttle your account
  • Hold your payouts
  • In severe cases, freeze the account pending review

The card tester moves on. You spend a week on the phone with risk teams. This is why “we accept the chargebacks” is not a strategy.

What does not work

Three things people try first that do not stop card-testing bursts:

  • reCAPTCHA on checkout. Solvers handle it. It mostly annoys real buyers.
  • IP rate limits. Attackers rotate residential IPs and you cannot tell them apart from real visitors on shared NAT.
  • Stripe Radar alone. Helpful, but it sees individual charges. It does not see your checkout as a pattern.

What works on WooCommerce

The defence that has held up in production is checkout-level burst detection, not per-payment scoring. You watch the woocommerce_checkout_order_processed hook for velocity (orders per IP, per device fingerprint, per email domain, per amount range) and stop the burst before it gets to Stripe. You also score the customer-side fields (random-looking emails, mismatched billing data) before submission.

🛡

QWeb Spam Shield protects WooCommerce checkout out of the box

Spam Shield ships with WooCommerce-specific velocity rules and AI risk scoring on checkout submissions. It stops card-testing bursts at the form layer, before they hit your payment processor and put your account at risk. No code, no per-form configuration, free 7-day trial.

See how it works →

What to do this week

Two things you can do today even without a plugin: in your Stripe dashboard, turn on the Radar rule “Block if CVC check fails” and set a per-IP attempt limit on the checkout endpoint at the web-server level (Cloudflare rate-limit rules are free for one rule). That removes the smallest, fastest bursts. The next tier — the sophisticated bursts that rotate IPs and look like real traffic — is where a dedicated checkout-aware filter pays for itself in the first month.

Card testing is not the spam that fills your inbox. It is the spam that quietly costs you your merchant account. Treat it that way.

Performance
Database Bloat in WordPress: How to Find It, How to Kill It
alex

Database Bloat in WordPress: How to Find It, How to Kill It

If your WordPress site’s time-to-first-byte has crept up over the past year and nothing in the front-end explains it, the cause is usually autoloaded options. The wp_options table grows quietly until one day every page request is hauling 2MB of data into memory before WordPress can render a thing. Here is how to find that bloat and safely remove it.

Why autoload matters

Every WordPress request loads all options where autoload = 'yes' into memory. That set should be a few hundred KB on a healthy site. On a neglected site it can grow to tens of MB — old plugin transients that did not clean up, abandoned plugin settings, error logs stuffed into an option row.

How to measure

Run this in wp-cli or phpMyAdmin:

SELECT
  SUM(LENGTH(option_value)) / 1024 / 1024 AS autoload_mb,
  COUNT(*) AS rows
FROM wp_options
WHERE autoload = 'yes';

Anything over 1MB is worth looking at. Anything over 5MB is hurting TTFB. We have seen 40MB on a five-year-old site.

Find the worst offenders

SELECT option_name, LENGTH(option_value) AS size
FROM wp_options
WHERE autoload = 'yes'
ORDER BY size DESC
LIMIT 30;

The top of that list almost always shows three categories:

  • Transients that should not have been autoloaded
  • Plugin “stats” or “history” rows from plugins that no longer exist
  • Cache rows from defunct cache plugins

How to remove safely

  1. Back up first. Always.
  2. Identify orphans. Options whose owning plugin is no longer installed are safe to delete. The option-name prefix usually identifies the plugin.
  3. For options whose plugin is still installed, set autoload = 'no' instead of deleting. The plugin can still read them on demand; they just do not load on every request.
  4. Run wp transient delete --all to clear the transient cruft.

Example impact

On a site with 18MB of autoloaded options, the cleanup dropped TTFB from 1.4s to 480ms — no other changes. The autoload table went from 18MB to 380KB. Almost all the savings came from one defunct backup plugin’s history table left over from a 2019 install.

What to do this afternoon

Run the first query above. If your autoload_mb is over 1, schedule a 30-minute cleanup. If it is over 5, do it today. This is the single highest-leverage TTFB optimisation on most older WordPress sites and it has nothing to do with caching.

Spam Protection
Comment Spam in 2026: Why Akismet Is Not Enough Anymore
alex

Comment Spam in 2026: Why Akismet Is Not Enough Anymore

Akismet was the right answer for comment spam from 2008 to about 2022. It blocked the obvious junk — keyword stuffing, link salads, weird Cyrillic floods — and it shipped with WordPress so it was a default. In 2026 it is still useful as a first layer, but it is not enough on its own. Here is what changed and what to do about it.

What Akismet was always good at

Akismet scores each comment against a large pattern database: known spam URLs, IPs, emails, content fingerprints. It is fast, lightweight, and the false-positive rate is low. For comments that look obviously spammy, it still catches the vast majority.

What changed

The economics of comment spam shifted. The original spam was cheap to write but obvious. New comment spam is generated by language models and looks like this:

“Really enjoyed this read. The point you made about caching and TTFB matches what we saw on our last project. Have you considered looking at how this interacts with the new H3 stack?”

That comment is perfectly on-topic, conversational, and includes a relevant follow-up question. It will land on a post about WordPress performance. The link in the author’s URL field points somewhere mildly suspicious — usually a thin SEO site that just wants the backlink. Akismet has no signal to score this as spam. The pattern looks like a real reader.

Why this matters even if you do not care about comments

A surprising number of WordPress sites have comment forms still enabled on posts and pages where nobody reads them. Each successful spam comment that publishes drops a do-follow or no-follow link from your domain to a low-quality target. Google notices, eventually. Three years of accumulated comment spam links is a real Core Update risk.

What a layered defence looks like in 2026

  1. Akismet for the easy lift. Keep it. It is still good at the bulk.
  2. Intent scoring on the content of the comment. This is what catches the realistic AI-written stuff. The model reads the comment in context of the post and the author URL and decides whether it looks like a real reader or an SEO play.
  3. Honeypot + timing in the comment form. Catches scrapers that bypass the JS and POST directly.
  4. Author-URL reputation. If the URL field points somewhere new and thin, weight that as a signal even if the comment is well-written.
🛡

QWeb Spam Shield handles all four layers

Spam Shield runs the full stack: honeypots, timing, AI intent scoring on the comment content, and author-URL reputation — alongside whatever you already have configured for Akismet. The realistic AI-written comments that get past Akismet are exactly what its model was trained on.

Try QWeb Spam Shield free →

What to audit this week

Run this query in your wp-cli or phpMyAdmin to see how much spam is sitting approved on your site:

SELECT COUNT(*) FROM wp_comments WHERE comment_approved = 1 AND comment_author_url != '';

If the number is in the thousands and you do not have an active editorial review, you almost certainly have a pile of low-quality outbound links from your comment form. Disable comments on posts older than two years, sweep the approved-with-URL set for spam patterns, and add intent scoring on top of Akismet for the new comments going forward. That covers most sites without breaking anything that was working.

WooCommerce
Why Your WooCommerce Cart Abandonment Rate Is High (And the Fix Is Not Email)
alex

Why Your WooCommerce Cart Abandonment Rate Is High (And the Fix Is Not Email)

The standard advice for WooCommerce cart abandonment is “send abandonment emails”. That is treating the symptom, not the cause. The emails recover 5-10 percent of abandoned carts in the best case. The on-site changes that prevent the abandonment in the first place recover three to four times as much. Here is what we have measured.

What actually drives abandonment on WooCommerce

Across the WooCommerce stores we audit, the four causes of cart abandonment we see most often are:

  1. Surprise shipping cost revealed only at checkout. This is the single biggest abandonment trigger. Show shipping estimate on the cart page based on geo-IP if you ship internationally.
  2. Forced account creation. Guest checkout off doubles your abandonment rate on first-time buyers. Always offer guest checkout. Always.
  3. Slow checkout page. If checkout takes more than 2.5s to interactive, abandonment climbs noticeably. Heavy payment-gateway iframes are usually the cause.
  4. Card-testing throttles. If your processor flagged you for a card-testing attack, real customers might be getting unnecessary additional verification steps. This one is invisible without checking.

The on-site fixes that moved the metric

  • Adding a shipping estimator on the cart page dropped abandonment by 11 percent on one store with international shipping.
  • Enabling guest checkout dropped first-time abandonment from 71 percent to 58 percent on another.
  • Lazy-loading the Stripe Elements iframe until the user focuses the email field shaved 900ms off checkout TTI and dropped abandonment by 4 percent.
  • Removing a “create a password” step from guest checkout dropped abandonment by 6 percent.

Where abandonment emails do help

Abandonment emails work for the segment of users who really meant to come back. They do not work for the segment who left because of friction at checkout. The first segment is small; the second is large. Fix the second first, then send emails to the remainder.

What to audit this week

Open a private window. Add a product. Go to checkout. Time how long until you can type in the email field. If it is over 2.5 seconds, that is your work for this week. Then add a guest checkout button if you do not have one. Both changes are usually a one-evening job and visible in your funnel within a week.

Abandonment is not a marketing problem. It is a checkout problem with a marketing layer on top.

1 2 3 1,366