Blog & lab notes
Long-form articles and shorter “ship notes” from our staging environments. Anchor IDs match in-page links from the homepage.
Core Web Vitals in 2026: what still matters after INP
Interaction to Next Paint (INP) pushed teams to audit event handlers and third-party widgets. We re-ran 40 production URLs through CrUX and lab traces throttled to a 4× CPU slowdown.
Finding: long single-page templates with sticky headers and auto-playing carousels still dominate poor INP scores. Deferring non-critical block hydration cut median INP by 34% without removing features.
Practical step: split “marketing-only” blocks into lazy-loaded islands; keep checkout and forms eager.
xmlrpc.php: disable, rate-limit, or WAF?
Brute-force amplification via system.multicall is old news but still shows up in botnets. We prefer removing the endpoint at the web server when the site does not require remote publishing.
- Disable: in nginx, location = /xmlrpc.php { return 444; } or equivalent — zero PHP cost.
- Rate-limit: when Jetpack or remote apps need the endpoint, cap requests per IP at the edge.
- WAF: use when you need visibility and gradual rollout; tune false positives on pingbacks.
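The disable and rate-limit options side by side, as an added example that is not configuration from our staging environments. The hostnames, zone name, rate, document root and PHP-FPM socket path are assumptions; adjust them to your setup.

```nginx
# Added example; include inside the http {} context.
# Hostnames, zone name, rate, root and socket path are assumptions.

# Shared-memory zone keyed by client address: 10 MB, 6 requests per minute per IP.
limit_req_zone $binary_remote_addr zone=xmlrpc:10m rate=6r/m;

# Site A: no remote publishing, so drop the endpoint outright.
server {
    listen 80;
    server_name site-a.example;

    location = /xmlrpc.php {
        return 444;   # nginx closes the connection without a response; PHP never runs
    }
}

# Site B: Jetpack or remote apps need the endpoint, so cap it per IP.
server {
    listen 80;
    server_name site-b.example;
    root /var/www/site-b;

    location = /xmlrpc.php {
        limit_req zone=xmlrpc burst=5 nodelay;  # tolerate short bursts, reject the rest
        limit_req_status 429;                   # default rejection status is 503
        limit_req_log_level warn;               # rejected requests appear in error_log at this level

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

The cap counts HTTP requests, and a single system.multicall request can carry many method calls, so it slows request volume rather than bounding attempts inside each request. Behind a CDN or load balancer, $binary_remote_addr is the proxy's address unless the real client IP is restored first (for example with the realip module).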
Form plugins under load: honeypots vs turnstiles
We replayed 50k spam submissions against Contact Form 7 + honeypot, Fluent Forms + Turnstile, and Gravity Forms + reCAPTCHA v3.
Honeypots stayed lightweight but leaked on aggressive bots; Turnstile cut spam the most with acceptable accessibility trade-offs when paired with clear labels.
PHP-FPM pools: pm.max_children without guesswork
Rule of thumb: (available RAM - MySQL/Redis overhead) / average per-worker RSS. On a 2 GB VM with MySQL co-hosted, we often land between 8–12 children for mixed WP admin + front traffic.
Always validate with pm.status_path and slow logs — not just top snapshots during quiet hours.
Dark mode toggles that respect prefers-color-scheme
Use CSS variables on :root and [data-theme="dark"]. Persist user choice in localStorage but apply the media query first to reduce flash.
Checkout field plugins vs custom templates
Field plugins win when marketing iterates weekly. Custom templates win when you need deterministic markup for A/B tests and LCP budgets.
Snippet: defer non-critical blocks on singular posts
Register a small mu-plugin that wraps “related posts” block output in a placeholder div; hydrate via requestIdleCallback with a fetch to a lightweight REST route. Falls back to immediate render when the API is unavailable.
Privacy-first analytics for publishers
Self-hosted Matomo gives SQL ownership; lightweight proxies reduce third-party requests; log-based metrics work when JS is off the table entirely. Pick based on legal review and editorial KPIs — not hype.
Schema: FAQ and Article markup that passes Rich Results
Validate in Search Console’s rich results tests; avoid duplicate JSON-LD from theme and SEO plugin — choose one source of truth.
Hreflang without duplicate thin pages
Use x-default carefully; ensure reciprocal annotations; avoid machine-translated thin categories that only exist for SEO.
NewsArticle schema for breaking posts
Include datePublished / dateModified, author organization, and logo dimensions that meet guidelines.
Redis object cache for WooCommerce
Watch session and cart fragment keys; flush selectively after deploys; never flush entire Redis in production without a maintenance window.
Typography scale systems for long reads
Fluid clamp() for body and display; cap line length with ch units; test tab order on “read more” expansions.
SMTP via API for cloud VMs
Port 25 is often blocked; API-based transactional mail improves password-reset delivery. Rotate API keys per environment.