Core Web Vitals in 2026: what still matters after INP
We re-ran 40 production URLs through CrUX and lab traces. Spoiler: interaction delays still dominate on long single-page templates.
180+plugin write-ups
64theme deep dives
12stack recipes
Weeklychangelog notes
Editor’s picks this month
Object cache firstWhy Redis beats file cache for WooCommerce carts — and the one setting that breaks checkout if you get it wrong.
Schema without bloatThree lightweight approaches to FAQ and Article schema that pass Rich Results without tanking TTFB.
Headless-ish blocksHybrid patterns: keep the editor for marketing, offload listings to a slim API when traffic spikes.
Featured categories
Curated lists with compatibility notes for PHP 8.2–8.4, block themes, and common host panels (cPanel, RunCloud, SpinupWP).
Plugins
SEO & structured data
RankMath vs Yoast on large archives, hreflang pitfalls, and indexation hygiene for multilingual installs.
Plugins
Performance
Page cache layers, object cache, WebP/AVIF pipelines, and when a CDN is masking a slow origin.
Plugins
Security & backups
Least-privilege roles, WAF false positives, off-site backup verification drills we run quarterly.
Themes
Business & SaaS
Block patterns for pricing tables, testimonial carousels that stay accessible, and CLS-safe hero media.
Themes
Magazine & news
Typography scales, infinite scroll vs pagination for SEO, and ad-slot layouts that do not fight the grid.
Guides
Developer workflows
wp-env, Composer-managed plugins, Git deploy hooks, and safe database promotion checklists.
Latest articles & lab notes
Newest first. Dates reflect editorial publish cadence.
xmlrpc.php: disable, rate-limit, or WAF?
A decision tree for hosts that cannot remove the endpoint entirely, plus log patterns that justify a hard block.
Form plugins under load: honeypots vs turnstiles
Spam volume, false positives, and accessibility trade-offs when you bolt CAPTCHA onto legacy markup.
PHP-FPM pools: pm.max_children without guesswork
We translated traffic percentiles into concrete pool settings for 2 GB and 4 GB Lightsail-style VMs.
Dark mode toggles that respect prefers-color-scheme
CSS variables, stored overrides, and how to avoid a flash of wrong-theme on first paint.
Checkout field plugins vs custom templates
When to extend blocks with SlotFills versus shipping a child theme template — maintenance cost included.
Snippet: defer non-critical blocks on singular posts
A small mu-plugin pattern we use to lazy-hydrate “related posts” carousels below the fold.
Privacy-first analytics for publishers
Comparing self-hosted Matomo, Plausible-style proxies, and log-based metrics when you cannot use third-party JS.
| Focus | LiteSpeed Cache stack | WP Rocket + OC | Our take |
|---|---|---|---|
| HTML TTFB | Strong on LSWS / OLS | Strong on Apache/nginx + tuning | Match stack to host; do not mix duplicate page caches. |
| Image pipeline | Built-in WebP/AVIF options | Often paired with Imagify / ShortPixel | Pick one optimizer; avoid double compression. |
| Queue / cron | Server-side hooks vary | Action Scheduler friendly | Watch admin-ajax spikes during preloads. |
FAQ
Quick answers we send to readers by email — now on-page.
Do you accept sponsored reviews?
We label every sponsored placement with “Partner content” and run the same technical checklist. We do not sell placement in comparison tables.
Why do you recommend staging for security plugins?
WAF and login hardening plugins can block legitimate admin paths. We snapshot production, clone to staging, apply rules, then diff access logs before rollout.
Are block themes mandatory in 2026?
No — classic themes remain viable. We track block adoption for teams that want design-system parity between marketing and product surfaces.
How do you handle plugin abandonware?
If a plugin has not seen a release in 18 months and has open security issues, we mark it “sunset” and suggest maintained alternatives.
Launch checklist (new WordPress site)
- Unique salts in
wp-config.php, file permissions 755/644, disable file editing in production. - Separate database user with minimal grants; no
ALL PRIVILEGESunless the host requires it. - Backups to off-site object storage with monthly restore drills (not just “backup exists”).
- SMTP via API (not raw port 25) to improve deliverability for password resets and Woo emails.
- Remove unused themes/plugins; audit mu-plugins quarterly.