SEO
WordPress SEO in 2026: The 12 Settings That Still Matter
alex

WordPress SEO in 2026: The 12 Settings That Still Matter

A lot of WordPress SEO advice is from 2018. A lot of it is wrong now. Here are the 12 settings that still actually move organic traffic in 2026, in rough order of impact.

The high-impact 6

  1. Title tag format. Site name first or last? Use %title% — %sitename% for content sites, %sitename% — %title% for brand-led sites. Set it in Yoast or RankMath, not in your theme.
  2. Canonical URLs. Self-referencing canonicals on every post and page. Especially important if your store uses filtered URLs that share content.
  3. XML sitemap with only indexable content. Strip out tag archives, attachment pages, and any noindex content. A clean sitemap helps Google prioritise the URLs you want indexed.
  4. Internal linking on cornerstone pages. Every important page should have at least three internal links from related content. This is the single highest-leverage thing you can do for an existing site.
  5. Schema on the right post types. Article schema on blog posts, Product on WooCommerce, FAQ where it genuinely applies. Skip schema you do not earn.
  6. Image alt text. Boring, important, still measurable. Write it for screen readers and Google reads it too.

The medium-impact 4

  1. Open Graph and Twitter Card metadata. Does not affect ranking but affects click-through from social shares. Same engineering effort, real conversion win.
  2. Robots.txt that does not block what you need indexed. Audit yours. Sites accidentally block their own assets every week.
  3. Breadcrumb schema. Visible breadcrumbs plus structured data. Earns the breadcrumb display in search results, modest CTR boost.
  4. 404 page that suggests next steps. Reduces bounce, signals the page is intentional rather than broken.

The low-but-still-worth-doing 2

  1. Hreflang for multi-language sites. If you have one language, skip this. If you have two or more, do it right.
  2. Last-modified headers. Helps Google crawl efficiently. Trivial to set up, no ongoing maintenance.

The things people still chase that do not matter

  • Keyword density. Has not been a real signal since approximately 2014.
  • Meta keywords. Ignored by every major search engine for over a decade.
  • Article word count as a ranking signal. Quality of coverage matters; absolute count does not.

Run through the 12 above. Most sites have 8 already and 4 they forgot. Fix the 4 and move on to writing the content that the next 5 will reward.

Spam Protection
WooCommerce Checkout Spam: The Card-Testing Attack That Is Killing Your Stripe Account
alex

WooCommerce Checkout Spam: The Card-Testing Attack That Is Killing Your Stripe Account

If you run a WooCommerce store and Stripe or PayPal has flagged your account, there is a strong chance it was not your customers. It was a card-testing attack on your checkout. This is the spam that costs money — chargeback fees, processor-side risk scoring, and in the worst cases a frozen merchant account. Here is how it works on WooCommerce and what to do about it.

What card testing actually looks like

A card-testing attack is automation that runs stolen card numbers against a low-risk public checkout to find out which ones still work. The attacker does not want your product. They want the success response from Stripe. They buy or generate a list of card numbers and need a checkout that does not stop them from trying.

WooCommerce is a popular target for three reasons: the checkout endpoint is well-known, there is rarely a CAPTCHA in front of the pay button, and most stores accept very small order totals (a $5 product is enough to validate a card). A typical burst looks like 80 to 400 attempts in a window of 2 to 15 minutes, often at 3am local time.

Why your processor flags you, not them

Stripe and PayPal score risk at the merchant level. A spike of declined charges, especially in a tight window, looks identical to a compromised merchant on their side. Their automated response is to:

  • Raise your risk score
  • Throttle your account
  • Hold your payouts
  • In severe cases, freeze the account pending review

The card tester moves on. You spend a week on the phone with risk teams. This is why “we accept the chargebacks” is not a strategy.

What does not work

Three things people try first that do not stop card-testing bursts:

  • reCAPTCHA on checkout. Solvers handle it. It mostly annoys real buyers.
  • IP rate limits. Attackers rotate residential IPs and you cannot tell them apart from real visitors on shared NAT.
  • Stripe Radar alone. Helpful, but it sees individual charges. It does not see your checkout as a pattern.

What works on WooCommerce

The defence that has held up in production is checkout-level burst detection, not per-payment scoring. You watch the woocommerce_checkout_order_processed hook for velocity (orders per IP, per device fingerprint, per email domain, per amount range) and stop the burst before it gets to Stripe. You also score the customer-side fields (random-looking emails, mismatched billing data) before submission.

🛡

QWeb Spam Shield protects WooCommerce checkout out of the box

Spam Shield ships with WooCommerce-specific velocity rules and AI risk scoring on checkout submissions. It stops card-testing bursts at the form layer, before they hit your payment processor and put your account at risk. No code, no per-form configuration, free 7-day trial.

See how it works →

What to do this week

Two things you can do today even without a plugin: in your Stripe dashboard, turn on the Radar rule “Block if CVC check fails” and set a per-IP attempt limit on the checkout endpoint at the web-server level (Cloudflare rate-limit rules are free for one rule). That removes the smallest, fastest bursts. The next tier — the sophisticated bursts that rotate IPs and look like real traffic — is where a dedicated checkout-aware filter pays for itself in the first month.

Card testing is not the spam that fills your inbox. It is the spam that quietly costs you your merchant account. Treat it that way.

Performance
Database Bloat in WordPress: How to Find It, How to Kill It
alex

Database Bloat in WordPress: How to Find It, How to Kill It

If your WordPress site’s time-to-first-byte has crept up over the past year and nothing in the front-end explains it, the cause is usually autoloaded options. The wp_options table grows quietly until one day every page request is hauling 2MB of data into memory before WordPress can render a thing. Here is how to find that bloat and safely remove it.

Why autoload matters

Every WordPress request loads all options where autoload = 'yes' into memory. That set should be a few hundred KB on a healthy site. On a neglected site it can grow to tens of MB — old plugin transients that did not clean up, abandoned plugin settings, error logs stuffed into an option row.

How to measure

Run this in wp-cli or phpMyAdmin:

SELECT
  SUM(LENGTH(option_value)) / 1024 / 1024 AS autoload_mb,
  COUNT(*) AS rows
FROM wp_options
WHERE autoload = 'yes';

Anything over 1MB is worth looking at. Anything over 5MB is hurting TTFB. We have seen 40MB on a five-year-old site.

Find the worst offenders

SELECT option_name, LENGTH(option_value) AS size
FROM wp_options
WHERE autoload = 'yes'
ORDER BY size DESC
LIMIT 30;

The top of that list almost always shows three categories:

  • Transients that should not have been autoloaded
  • Plugin “stats” or “history” rows from plugins that no longer exist
  • Cache rows from defunct cache plugins

How to remove safely

  1. Back up first. Always.
  2. Identify orphans. Options whose owning plugin is no longer installed are safe to delete. The option-name prefix usually identifies the plugin.
  3. For options whose plugin is still installed, set autoload = 'no' instead of deleting. The plugin can still read them on demand; they just do not load on every request.
  4. Run wp transient delete --all to clear the transient cruft.

Example impact

On a site with 18MB of autoloaded options, the cleanup dropped TTFB from 1.4s to 480ms — no other changes. The autoload table went from 18MB to 380KB. Almost all the savings came from one defunct backup plugin’s history table left over from a 2019 install.

What to do this afternoon

Run the first query above. If your autoload_mb is over 1, schedule a 30-minute cleanup. If it is over 5, do it today. This is the single highest-leverage TTFB optimisation on most older WordPress sites and it has nothing to do with caching.

Spam Protection
Comment Spam in 2026: Why Akismet Is Not Enough Anymore
alex

Comment Spam in 2026: Why Akismet Is Not Enough Anymore

Akismet was the right answer for comment spam from 2008 to about 2022. It blocked the obvious junk — keyword stuffing, link salads, weird Cyrillic floods — and it shipped with WordPress so it was a default. In 2026 it is still useful as a first layer, but it is not enough on its own. Here is what changed and what to do about it.

What Akismet was always good at

Akismet scores each comment against a large pattern database: known spam URLs, IPs, emails, content fingerprints. It is fast, lightweight, and the false-positive rate is low. For comments that look obviously spammy, it still catches the vast majority.

What changed

The economics of comment spam shifted. The original spam was cheap to write but obvious. New comment spam is generated by language models and looks like this:

“Really enjoyed this read. The point you made about caching and TTFB matches what we saw on our last project. Have you considered looking at how this interacts with the new H3 stack?”

That comment is perfectly on-topic, conversational, and includes a relevant follow-up question. It will land on a post about WordPress performance. The link in the author’s URL field points somewhere mildly suspicious — usually a thin SEO site that just wants the backlink. Akismet has no signal to score this as spam. The pattern looks like a real reader.

Why this matters even if you do not care about comments

A surprising number of WordPress sites have comment forms still enabled on posts and pages where nobody reads them. Each successful spam comment that publishes drops a do-follow or no-follow link from your domain to a low-quality target. Google notices, eventually. Three years of accumulated comment spam links is a real Core Update risk.

What a layered defence looks like in 2026

  1. Akismet for the easy lift. Keep it. It is still good at the bulk.
  2. Intent scoring on the content of the comment. This is what catches the realistic AI-written stuff. The model reads the comment in context of the post and the author URL and decides whether it looks like a real reader or an SEO play.
  3. Honeypot + timing in the comment form. Catches scrapers that bypass the JS and POST directly.
  4. Author-URL reputation. If the URL field points somewhere new and thin, weight that as a signal even if the comment is well-written.
🛡

QWeb Spam Shield handles all four layers

Spam Shield runs the full stack: honeypots, timing, AI intent scoring on the comment content, and author-URL reputation — alongside whatever you already have configured for Akismet. The realistic AI-written comments that get past Akismet are exactly what its model was trained on.

Try QWeb Spam Shield free →

What to audit this week

Run this query in your wp-cli or phpMyAdmin to see how much spam is sitting approved on your site:

SELECT COUNT(*) FROM wp_comments WHERE comment_approved = 1 AND comment_author_url != '';

If the number is in the thousands and you do not have an active editorial review, you almost certainly have a pile of low-quality outbound links from your comment form. Disable comments on posts older than two years, sweep the approved-with-URL set for spam patterns, and add intent scoring on top of Akismet for the new comments going forward. That covers most sites without breaking anything that was working.

WooCommerce
Why Your WooCommerce Cart Abandonment Rate Is High (And the Fix Is Not Email)
alex

Why Your WooCommerce Cart Abandonment Rate Is High (And the Fix Is Not Email)

The standard advice for WooCommerce cart abandonment is “send abandonment emails”. That is treating the symptom, not the cause. The emails recover 5-10 percent of abandoned carts in the best case. The on-site changes that prevent the abandonment in the first place recover three to four times as much. Here is what we have measured.

What actually drives abandonment on WooCommerce

Across the WooCommerce stores we audit, the four causes of cart abandonment we see most often are:

  1. Surprise shipping cost revealed only at checkout. This is the single biggest abandonment trigger. Show shipping estimate on the cart page based on geo-IP if you ship internationally.
  2. Forced account creation. Guest checkout off doubles your abandonment rate on first-time buyers. Always offer guest checkout. Always.
  3. Slow checkout page. If checkout takes more than 2.5s to interactive, abandonment climbs noticeably. Heavy payment-gateway iframes are usually the cause.
  4. Card-testing throttles. If your processor flagged you for a card-testing attack, real customers might be getting unnecessary additional verification steps. This one is invisible without checking.

The on-site fixes that moved the metric

  • Adding a shipping estimator on the cart page dropped abandonment by 11 percent on one store with international shipping.
  • Enabling guest checkout dropped first-time abandonment from 71 percent to 58 percent on another.
  • Lazy-loading the Stripe Elements iframe until the user focuses the email field shaved 900ms off checkout TTI and dropped abandonment by 4 percent.
  • Removing a “create a password” step from guest checkout dropped abandonment by 6 percent.

Where abandonment emails do help

Abandonment emails work for the segment of users who really meant to come back. They do not work for the segment who left because of friction at checkout. The first segment is small; the second is large. Fix the second first, then send emails to the remainder.

What to audit this week

Open a private window. Add a product. Go to checkout. Time how long until you can type in the email field. If it is over 2.5 seconds, that is your work for this week. Then add a guest checkout button if you do not have one. Both changes are usually a one-evening job and visible in your funnel within a week.

Abandonment is not a marketing problem. It is a checkout problem with a marketing layer on top.

Spam Protection
How Form Spam Is Wrecking Your Email Deliverability (And Nobody Tells You)
alex

How Form Spam Is Wrecking Your Email Deliverability (And Nobody Tells You)

You filed your DKIM record, set up SPF, configured DMARC, and your transactional emails are still landing in spam folders. There is a good chance the cause is not your mail setup. It is your contact form quietly relaying spam through your domain.

The hidden relay problem

Most WordPress sites send mail directly from the web host using PHP’s mail() function or a basic SMTP plugin. Every contact form submission that gets accepted ends up as an outbound email — to you, with the visitor’s content. That message looks, from a mail-server reputation standpoint, like it came from your domain.

When the visitor is a spammer, what they typed in the message field is now an outbound email from your domain to your inbox, containing links to dating sites or crypto scams. Mailbox providers — Gmail, Outlook, Apple — score that against your domain. Enough of it, often enough, and your sender reputation drops.

How to tell if this is happening to you

Three signs:

  • Your contact-form notification emails now go to your own spam folder, not your inbox.
  • Your order confirmations or password resets get reported as junk by customers.
  • Google Postmaster Tools shows a falling “domain reputation” score over the past 90 days.

None of these are conclusive on their own. All three at once is a strong signal that you are relaying spam content through your forms.

Why standard anti-spam plugins miss this

Most anti-spam plugins decide whether the submission is spam. They do not look at what happens after. If the submission gets accepted, the email still leaves your server with the spammy content intact. The reputation damage is identical to if the plugin had not been installed.

What actually fixes it

The fix has two pieces:

  1. Filter the inbound submission using AI intent scoring (so realistic-looking spam still gets caught).
  2. Guard the outbound mail — even for submissions that look borderline. Hold the outbound email for review instead of relaying spam content automatically.

That second piece is the part nobody talks about. It is the difference between “we blocked the spam” and “we did not damage the domain”.

🛡

QWeb Spam Shield has Mail Guard for exactly this

Spam Shield filters the submission with AI scoring and holds suspicious outbound mail before it leaves your server. The reputation hit you would have taken from relayed spam never happens. It is the bit other plugins miss.

Learn how Mail Guard works →

If you do nothing else this month

Sign up for Google Postmaster Tools and add your domain. It takes ten minutes. Once your domain has 24 hours of data, you will see a clear graph of how Gmail rates your sending reputation. If the trend is down, this article is for you. If it is flat and high, you are probably fine — but watch it, because the trend tends to drift slowly over a year until the day it does not.

Deliverability is one of those problems that looks like a mail-server problem and is almost always a content problem. The content is what is leaving your forms.

SEO
Schema Markup for WordPress: What Google Actually Reads in 2026
alex

Schema Markup for WordPress: What Google Actually Reads in 2026

Schema.org has roughly 800 types. Google reads about 30 of them with any real effect on search results, and even that list shrinks every couple of years. Adding more schema does not earn more rich results. Adding the right schema for the right post type does. Here is what still earns rich results on WordPress in 2026, by post type.

Blog posts

Use Article (or BlogPosting as a subtype). Required for rich results: headline, datePublished, image, author. Google quietly stopped showing author photos in most results but still uses the field. Skip WebPage, CreativeWork wrappers — they add nothing.

WooCommerce products

Product with offer pricing, availability, and aggregateRating. Earns the product carousel and price-in-snippet. Skip the elaborate brand sub-schema unless your brand has a Wikidata entry — Google ignores it otherwise. Your Yoast or RankMath integration handles most of this automatically; verify it actually outputs by viewing the rendered JSON-LD.

Local business pages

LocalBusiness with full address, geo, openingHoursSpecification. Required for the local-pack inclusion alongside your Google Business Profile. Worth doing once, never again unless you move.

FAQ blocks

FAQPage still earns FAQ rich results, but Google narrowed eligibility in 2024. Only authoritative how-to or definitional content earns the slot now. Stuffing fake “FAQs” on a sales page no longer works and may actively hurt CTR by triggering nothing.

How-to content

Google quietly retired HowTo rich results for most queries. Keep the schema for accessibility and for the small percentage of queries where it still triggers, but do not expect the rendered “step-by-step” treatment anymore.

Reviews and ratings

Review and AggregateRating still earn stars in results for product, recipe, and business types. Strict rules: ratings must be on first-party content (your own page about your own product), not aggregated from elsewhere.

What to skip

  • Speakable for voice search. Never lived up to the promise.
  • Sitelinks searchbox for sites under ~5,000 indexed pages. Google rarely renders it.
  • Deeply nested schema (Article > author > Person > worksFor > Organization > ...). Past three levels Google appears to ignore the depth.

How to validate

Google’s Rich Results Test tool tells you what your specific page is eligible for. Do not trust the WordPress plugin output blindly — paste your URL into the tool, see which results actually trigger, prune the rest.

The win is not “more schema”. It is “less, correct schema”. A 2026 SEO win on WordPress almost never comes from adding markup. It comes from removing the markup that triggers nothing.

Spam Protection
Why Your WordPress Contact Form Is a Spam Magnet (And How to Actually Stop It)
alex

Why Your WordPress Contact Form Is a Spam Magnet (And How to Actually Stop It)

If you run a WordPress site for any length of time, you already know the rhythm. Quiet for a week, then forty submissions overnight that all say “Hello dear, I checked your site and would like to offer…”. The contact form is the single most-abused public endpoint on a typical WordPress site, and every form plugin — Contact Form 7, WPForms, Gravity Forms, Fluent Forms, Elementor Forms — leaks by default. Here is why, and what actually stops it.

Why your form is a magnet, not a target

Spam bots do not pick on you because of who you are. They pick on you because contact-form HTML is recognisable: a couple of <input> fields, a textarea, a submit button, and a predictable JSON or POST endpoint. Scanners crawl the open web, fingerprint the form plugin from its CSS classes, and queue your URL into a list of working targets. The form does not need to be on a busy site to attract submissions — it just needs to be discoverable.

Why the usual fixes stop working

The three traditional defences are honeypots, reputation lists, and CAPTCHAs. Each has a hole that modern spam exploits:

  • Honeypots catch lazy bots. They miss anything that runs a headless browser.
  • Reputation lists (Akismet-style) score by IP and email patterns. They do not see the content of the message and miss realistic AI-written spam that uses a clean residential IP.
  • CAPTCHA shifts the cost onto your real visitors and drops conversions 5 to 15 percent on most contact forms. Worse, modern solvers handle reCAPTCHA v2 in under a second for a fraction of a cent.

What actually works in 2026

The pattern that has held up across forty-plus client sites is layered, invisible-to-the-user defence:

  1. Honeypot + timing trap in the form itself. Catches everything dumb. Costs nothing.
  2. Server-side intent scoring on the submission. This is the bit that catches AI-written submissions: a model reads the message and decides whether it looks like a real enquiry or a sales pitch with a link.
  3. Outbound mail guard. Even if a spam submission gets through, hold the email before it relays through your domain — that is what protects your sender reputation.
🛡

This is exactly what QWeb Spam Shield does

QWeb Spam Shield is the plugin we install on every WordPress site we touch. It reads each form submission with Google Gemini, layers in honeypot and timing checks for the dumb traffic, and includes a Mail Guard for the relayed-through-your-domain case. No CAPTCHA, no puzzles for real visitors, sensible defaults out of the box, two-minute setup.

Start 7-day free trial →

What to do this afternoon

If you do not want to install another plugin, you can get most of the way with two changes: add a hidden honeypot field to your form (a CSS-hidden <input> that humans never fill), and add a timestamp comparison that rejects submissions completed in under three seconds. That removes about 60 percent of incoming spam in our measurements. The remaining 40 percent — the realistic, AI-written stuff — is the bit you need intent scoring for, and that is what QWeb Spam Shield was built for.

The takeaway is not “another tool to install”. It is that the model of who is sending the spam changed, and the defence has to change with it. CAPTCHA-and-honeypot was the right answer in 2018. In 2026 it is reading the message that matters.

Performance
How I Cut WP-Admin Load Time by 60 Percent (Without Disabling Plugins)
alex

How I Cut WP-Admin Load Time by 60 Percent (Without Disabling Plugins)

If wp-admin feels slow, the instinct is to disable plugins one by one until it speeds up. That is a long afternoon and usually answers the wrong question. The actual reason wp-admin is slow is rarely the plugin itself — it is what the plugin does on admin hooks. Here is the audit that cut admin load time 60 percent on the site I tested, with all plugins still active.

The diagnosis

WordPress fires admin_init, admin_menu, and admin_enqueue_scripts on every admin page load. Anything a plugin hangs off those hooks runs every time you load any admin screen — even if you are on a screen that has nothing to do with that plugin. A plugin that makes an outbound HTTP request on admin_init to check for updates is adding network latency to every page in your dashboard.

How to profile in 10 minutes

Install Query Monitor temporarily. Load wp-admin/index.php. Switch to the “Hooks & Actions” panel. Sort by time spent. The top three offenders are almost always:

  • An update-check that fires an external HTTP call on every admin request
  • A backup or security plugin pre-loading its dashboard data
  • A page-builder plugin loading its asset manifest globally instead of on its own screens

The fixes that worked

  1. Throttle plugin update checks. The standard pattern is once per 12 hours, but many plugins re-implement their own check on every admin load. A small mu-plugin that short-circuits pre_http_request for the update endpoints, except every six hours, is the single biggest win.
  2. Defer dashboard widgets. Plugins that add their own widget to the WP dashboard often query their entire data set on load. Disable the widget if you do not use it; many plugins respect a filter to skip widget registration.
  3. Constrain asset enqueueing. The page-builder case can be fixed with a current_screen check that dequeues the plugin’s heavy assets on screens it does not own.

Measurable result

On the test site (38 active plugins, shared host), wp-admin dashboard TTFB went from 1.8s to 0.7s. Plugin list page went from 2.4s to 0.9s. Editor screens were unchanged because the plugins involved already only loaded on their own screens — that is the discipline you want to find.

What to do this afternoon

Add Query Monitor. Load wp-admin/index.php three times. Note the top three hooks by time. Pick the one that surprises you most and fix that one. If you do nothing else for a week, that single change usually accounts for half of the perceived “wp-admin is slow”.

You almost never need to disable plugins. You need to find out which ones are not respecting the admin context.

Agency
Managing 50+ WordPress Sites Without Losing Your Mind
alex

Managing 50+ WordPress Sites Without Losing Your Mind

Managing five WordPress sites is a side project. Managing fifty is a job that breaks ad-hoc tooling. The gap is real and it happens around the fifteen-site mark. Here is the small stack that lets a two-person team run a 50-plus-site portfolio without firefighting.

The three jobs that have to be automated

Three categories of work scale linearly with site count and are the first things to break:

  1. Updates. WordPress core, plugins, themes. Five sites: do it by hand. Fifty: you need rolling automated updates with rollback on failure.
  2. Backups. Off-site, automated, with quick-restore tested at least quarterly.
  3. Health monitoring. Not just “is the site up”, but “are there new PHP errors, slow queries, missing assets, broken cron jobs”.

The stack we run

  • WP-CLI driven from a small bastion server. Every site checked in to git. Updates triggered by a cron that runs wp core update; wp plugin update --all, then wp eval-file a smoke-test script and rolls back on non-200.
  • UpdraftPlus or BackupBuddy to S3 with weekly full + daily incremental. Restore tested monthly on a staging environment.
  • Uptime monitor (UptimeRobot, Better Uptime, anything reliable) on the home page and one deep page per site.
  • Log shipping from wp-content/debug.log to a central syslog or a service like Papertrail. Catches the silent fatal errors that uptime monitoring misses.
  • Weekly dashboard email aggregating “what changed across all sites” — outdated plugins, security alerts, traffic deltas. The fastest 30 seconds of management we do all week.

The mindset shift

At small portfolio sizes you can react to problems. At fifty plus, you cannot — by the time you notice a broken plugin update on site 12, sites 18, 23 and 34 already have it too. The shift is from reactive (“client called, fix it”) to proactive (“dashboard amber, fix it before client notices”). That is a tooling shift, not a discipline shift.

What we stopped doing

  • Logging into wp-admin on individual sites to check anything. If we cannot answer it from the central dashboard, we add it to the dashboard.
  • Per-site Slack channels. One client portfolio channel with @mentions for blocking issues.
  • Manual plugin updates. Even when “I just want to update Yoast on this one”. The exception becomes the rule.

The fifty-site mark is the size where small process investments pay back inside a quarter. Make them.

1 2 3 4 1,367