The Mercury Blog | Ideas & Insights | Major Tom

WordPress wisdom: 3 ways to improve your website on any CMS

Written by Darren Maher, VP of Web Services | Oct 31, 2018 5:39:00 AM

Last updated: May 2026

Most WordPress sites we audit have three or four invisible problems sitting on top of the obvious one. The good news: the same three levers that improve a WordPress site improve any site, regardless of the CMS underneath. Performance, security, and structured testing are the WordPress improvements that produce the biggest gains on Drupal, Shopify, Webflow, or whatever else you're running. This guide walks through each one: what to measure, what to fix first, and how to keep the gains compounding instead of slipping back month by month.

The three WordPress improvements that work on any CMS:

  • Performance. Measure Core Web Vitals (LCP, INP, CLS), then fix the slowest layer first.
  • Security. Automate updates, enforce two-factor authentication, run a firewall at both cloud and application levels.
  • Structured testing. Replace gut-feel design decisions with A/B tests that change one variable at a time.

WordPress earns the headline because it sets the floor for the rest of the web. W3Techs' May 2026 data puts WordPress at 41.9% of all websites and 59.5% of the CMS market. That means more than four in ten sites you'll visit today run on it. When best practice shifts in the WordPress community, the rest of the web tends to follow within a year or two. So we'll use WordPress as the worked example. The lessons apply wherever your content lives.

Why WordPress still sets the pace

WordPress' market share isn't an accident. It's open source, has the largest plugin ecosystem on the web, and has stayed accessible to non-developers while remaining flexible enough for engineering teams at scale. That dominance shapes the broader web in three ways: hosting providers optimize for WordPress first, security researchers publish WordPress fixes first, and best-practice guides for performance and accessibility tend to start with WordPress patterns before generalizing.

The practical implication: if you understand how performance, security, and structured testing work on WordPress, you understand how they work on most of the platforms WordPress competes with. Our piece on WordPress vs. Drupal covers the choice itself; this post covers what to do once the choice is made.

1. Performance: measure first, then fix

Site speed has a direct line to revenue. A slow page abandons visitors before the offer lands, sinks Google rankings, and drains the trust customers extend to a brand. The mechanics changed in March 2024, when Interaction to Next Paint (INP) replaced First Input Delay as a Core Web Vital. The "good" INP threshold is under 200 ms — measured across every interaction, not just the first.

That changes how you have to think about performance. It's no longer enough to load fast and then stand still. The page has to stay responsive as visitors click, scroll, expand menus, and submit forms.

What to measure. Run your most important pages through Google PageSpeed Insights and pull the Core Web Vitals field data from the Chrome User Experience Report. The three to watch:

  • LCP (Largest Contentful Paint). Under 2.5 seconds is "good." Usually a hero image or a slow first byte from the server.
  • INP (Interaction to Next Paint). Under 200 ms is "good." Heavy JavaScript or oversized plugins are the usual culprits.
  • CLS (Cumulative Layout Shift). Under 0.1 is "good." Late-loading images, ad slots, and web fonts cause most of the layout pops.

What to fix. The fix order matters. Server speed first. If your Time to First Byte is over a second, no amount of front-end optimization will save you. After that, work down the stack: optimize images (modern formats, lazy loading, correct dimensions), audit plugins (remove anything you don't actively use), and minify and defer JavaScript. On WordPress specifically, caching plugins like WP Rocket or the host's built-in caching layer usually take a site from "slow" to "fine" in an afternoon. Going from "fine" to "fast" takes more deliberate work on the theme and the database.
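The measure-then-fix loop above, as an added example (not the post's or Major Tom's own tooling): it parses a Chrome UX Report API response of the shape `record.metrics.<metric>.percentiles.p75`, flags every metric outside the "good" thresholds quoted above, and lists them in the post's fix order, server first. The sample response is constructed, and the 1 s TTFB limit is the post's "over a second" rule of thumb rather than an official Core Web Vitals threshold.

```python
import json

# "Good" limits quoted in the post (LCP 2.5 s, INP 200 ms, CLS 0.1) and the
# post's TTFB rule of thumb (over a second = fix the server first). Dict
# order is the fix order: server, then images, then JavaScript, then layout.
THRESHOLDS = {
    "experimental_time_to_first_byte": (1000, "server: hosting, caching layer, CDN"),
    "largest_contentful_paint": (2500, "images: modern formats, sizing, lazy-load"),
    "interaction_to_next_paint": (200, "JavaScript: audit plugins, minify, defer"),
    "cumulative_layout_shift": (0.1, "layout: reserve space for images, ads, fonts"),
}

# Constructed sample in the shape of a CrUX API queryRecord response
# (record.metrics.<metric>.percentiles.p75). Not real field data.
SAMPLE_RESPONSE = json.loads("""{
  "record": {
    "key": {"origin": "https://example.com"},
    "metrics": {
      "experimental_time_to_first_byte": {"percentiles": {"p75": 1400}},
      "largest_contentful_paint": {"percentiles": {"p75": 3100}},
      "interaction_to_next_paint": {"percentiles": {"p75": 180}},
      "cumulative_layout_shift": {"percentiles": {"p75": "0.21"}}
    }
  }
}""")


def parse_p75(response):
    """Return {metric: p75} as floats. CrUX reports CLS p75 as a string and
    the millisecond metrics as integers, so normalise both."""
    metrics = response["record"]["metrics"]
    return {name: float(m["percentiles"]["p75"])
            for name, m in metrics.items() if "percentiles" in m}


def triage(response):
    """List (metric, p75, what to fix) for every metric outside 'good',
    ordered the way the post says to fix them: slowest layer first."""
    p75 = parse_p75(response)
    return [(name, p75[name], advice)
            for name, (limit, advice) in THRESHOLDS.items()
            if name in p75 and p75[name] > limit]


if __name__ == "__main__":
    for name, value, advice in triage(SAMPLE_RESPONSE):
        print(f"{name}: p75={value} -> {advice}")
```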

We worked with Mark Anthony Group to ship three WordPress sites in four months, and the performance baseline for every one was the same: Core Web Vitals targets agreed before development started, then measured every week through launch. The brands that treat performance as a launch gate rather than a post-launch fix end up with sites that don't need rescue projects six months later.

2. Security: the most under-invested improvement

Security is the area where the gap between best practice and common practice is widest. Most sites we audit are running at least one outdated plugin, one admin account without two-factor authentication, and one cron job no one remembers setting up. None of those individually causes a breach. Together they're a doorway.

The modern WordPress security baseline has four parts:

  1. Automatic updates for WordPress core, plugins, and themes. WordPress 6+ supports this natively. Turn it on. Most breaches exploit vulnerabilities that have been patched for months.
  2. Two-factor authentication on every admin account. Use a plugin like Wordfence or the Two-Factor plugin from the WordPress core team. Enforce it; don't make it optional.
  3. A firewall at both cloud and application levels. Cloud-level firewalls (Cloudflare is the default choice) catch DDoS and bot traffic before it touches the server. Application-level firewalls (Wordfence, Sucuri) inspect requests once they arrive. Run both.
  4. Regular, tested backups. A backup you've never restored from is a hope, not a backup. Run a restore test every quarter to confirm the process works.

None of this is exotic. It's the hygiene every site needs and most sites skip. We treat security as part of the same maintenance rhythm as performance (covered in detail in our ongoing website maintenance guide), and we audit it on the same cadence. If you've inherited a site without a clear security posture, start with the four items above. They'll close roughly 90% of the easy openings.

One adjacent point: if your site is still serving over HTTP, none of the above matters until you fix that first. Our piece on how to fix a website that is not secure walks through the SSL and HTTPS migration in detail.

3. Structured testing: replace gut feel with data

Most website "improvements" are someone's opinion about whether a button should be orange or blue. Structured testing (running two versions of a page in parallel and measuring which performs better) replaces that opinion with evidence. It's the layer that turns continuous improvement from a slogan into a habit.

Google Optimize, the free tool many WordPress users defaulted to, shut down in September 2023. The replacements depend on your scale:

  • VWO (vwo.com). A strong all-rounder with built-in heatmaps and session recordings.
  • Optimizely (optimizely.com). Enterprise-grade with feature flagging and personalization layered on top.
  • AB Tasty. Popular in Europe; pairs experimentation with on-site personalization.
  • Google Search Console Experiments. Limited but free, for low-traffic sites running their first tests.

What to test first. Start with the elements closest to conversion: the primary call-to-action button, the headline above the fold, the form length on lead-capture pages, and the product-page hero image. We've seen a single button-radius change lift conversions by double digits, not because the radius itself matters, but because the test forced the team to look at the page through a customer's eyes for the first time in months.

The rules. Change one variable at a time. Run the test long enough to hit statistical significance (most tools tell you when). Don't peek at results and call a winner early. And document every test, including the ones that lost — losing tests usually teach more than winning ones.
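The rules above in code, as an added example that is not part of the post and not how VWO, Optimizely or AB Tasty compute their results: a pooled two-proportion z-test for the A/B comparison, the sample size to fix before the test starts, and a `decide` helper that refuses to call a winner until both arms reach that size, even when an early peek already looks significant. All visitor and conversion counts are constructed.

```python
from math import ceil, erf, sqrt

# z-values for the conventional alpha=0.05 (two-sided) and 80% power.
Z_ALPHA, Z_BETA = 1.96, 0.8416


def two_sided_p(z):
    """Two-sided p-value of a standard-normal z statistic."""
    return 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))


def ab_test(visitors_a, conv_a, visitors_b, conv_b, alpha=0.05):
    """Pooled two-proportion z-test. Returns (relative lift of B over A,
    p-value, significant at alpha)."""
    p_a, p_b = conv_a / visitors_a, conv_b / visitors_b
    pooled = (conv_a + conv_b) / (visitors_a + visitors_b)
    se = sqrt(pooled * (1 - pooled) * (1 / visitors_a + 1 / visitors_b))
    if se == 0:                       # no conversions in either arm: nothing to compare
        return 0.0, 1.0, False
    lift = (p_b - p_a) / p_a if p_a else float("inf")
    p = two_sided_p((p_b - p_a) / se)
    return lift, p, p < alpha


def required_visitors(baseline_rate, min_lift):
    """Visitors per variant needed to detect a relative lift of min_lift on
    baseline_rate at alpha=0.05 and 80% power. Fix this number before the
    test starts; it is what 'run long enough' means in practice."""
    p1, p2 = baseline_rate, baseline_rate * (1 + min_lift)
    p_bar = (p1 + p2) / 2
    num = (Z_ALPHA * sqrt(2 * p_bar * (1 - p_bar))
           + Z_BETA * sqrt(p1 * (1 - p1) + p2 * (1 - p2))) ** 2
    return ceil(num / (p1 - p2) ** 2)


def decide(visitors_a, conv_a, visitors_b, conv_b, baseline_rate, min_lift):
    """Apply the post's rules: no winner before the planned sample size is
    reached in both arms, even if an early peek already looks significant."""
    need = required_visitors(baseline_rate, min_lift)
    have = min(visitors_a, visitors_b)
    if have < need:
        return f"keep running: {need} visitors per variant planned, have {have}"
    lift, p, significant = ab_test(visitors_a, conv_a, visitors_b, conv_b)
    if not significant:
        return f"no significant difference (p={p:.3f}); document it and move on"
    return f"{'B' if lift > 0 else 'A'} wins: lift {lift:+.1%}, p={p:.3f}"


if __name__ == "__main__":  # constructed: 3% baseline, hunting a 20% relative lift
    print(decide(2000, 60, 2000, 86, 0.03, 0.20))      # early peek: keep running
    print(decide(14000, 420, 14000, 518, 0.03, 0.20))  # planned size reached
```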

A non-exhaustive list of things worth testing:

  • Photo vs. illustration in the hero
  • Color of the primary CTA button
  • Form length: five fields vs. three
  • Headline copy: benefit-led vs. feature-led
  • Social proof placement: above the fold vs. below
  • Pricing layout: three plans side by side vs. comparison table
  • Video vs. static image on the product page
  • Microcopy on the submit button: "Get started" vs. "Get my quote"

The teams that test consistently end up with sites that improve quarter on quarter without anyone redesigning anything. The teams that don't end up with the same page they shipped two years ago, slowly losing relative ground to competitors who do.

How the three improvements compound

Performance, security, and structured testing aren't three separate projects. They're three sides of the same maintenance practice. A faster site converts more of the traffic structured testing optimizes. A secure site stays online to receive that traffic in the first place. A site that's tested without being maintained drifts back to baseline within a quarter.

In our experience, the clients who treat all three as a single, ongoing programme outpace the ones who pick one at a time. It's the same logic we apply when building an industry-leading website from scratch. The gains come from the system, not from any single fix.

The "no matter the CMS" point

Every recommendation above generalizes. Core Web Vitals apply to Drupal, Shopify, Squarespace, custom builds, anywhere a page renders in a browser. The four-part security baseline (auto-updates, 2FA, firewalls, tested backups) maps cleanly onto every CMS. Structured testing tools work platform-agnostically; the JavaScript snippet runs the same way on a WordPress page as on a Shopify product page.

The reason WordPress sets the example is volume. With 41.9% of all websites running on it, the WordPress community ships the patterns first, and the rest of the web catches up. Borrow the patterns. They don't care which CMS you use.

Find clarity in the chaos

If your WordPress site (or any other site) feels stuck (slow pages, ageing plugins, no testing programme to speak of), the way forward is usually less about a redesign and more about a discipline. Pick performance, security, and structured testing as the three things you measure every month, and the site improves itself over time. If you'd rather hand the discipline to a team that's done it before, our web design and development practice covers the full audit, fix, and ongoing maintenance loop. Find clarity in the chaos, and make every quarter the one your site got better.

FAQs

How do I improve my WordPress site's performance?

Start by measuring. Run your most important pages through Google PageSpeed Insights and pull Core Web Vitals data from the Chrome User Experience Report. Then fix the slowest layer first, usually server response time, then images, then plugins, then JavaScript. A caching plugin like WP Rocket and a content delivery network handle most baseline issues. For deeper gains, audit your theme and database, and remove plugins you don't actively use.

What is A/B testing for websites?

A/B testing runs two versions of a page in parallel (same traffic, same conditions, one variable changed) and measures which performs better. It replaces opinion-based design decisions with evidence. Most tools (VWO, Optimizely, AB Tasty) randomly split visitors between the two versions and report when one wins with statistical significance. Change one variable at a time, run the test long enough to be confident, and document the results, including the tests that lose.

How do I keep my WordPress website secure?

Four things. Enable automatic updates for WordPress core, plugins, and themes. Enforce two-factor authentication on every admin account. Run a firewall at both cloud level (Cloudflare) and application level (Wordfence or Sucuri). Take regular backups and test the restore process at least quarterly. None of this is exotic. It's the baseline hygiene that closes roughly 90% of common attack paths and the work most sites skip.

What tools can I use to A/B test my website?

Google Optimize shut down in September 2023, so the current options are VWO (strong all-rounder with heatmaps), Optimizely (enterprise-grade with feature flagging), AB Tasty (popular in Europe, pairs testing with personalization), or Google Search Console Experiments (limited but free, suitable for low-traffic sites starting their first tests). Pick the one that matches your traffic volume and budget. The discipline matters more than the specific tool.

Does website speed affect SEO?

Yes. Google's Core Web Vitals are direct ranking signals. The three to watch are LCP (under 2.5 seconds), INP (under 200 milliseconds, replacing First Input Delay as of March 2024), and CLS (under 0.1). Sites that hit all three see more stable rankings and lower bounce rates. Speed also affects conversion independently of SEO. Faster pages convert more visitors regardless of where they came from.

What are Core Web Vitals and how do I improve them?

Core Web Vitals are Google's measurement of real user experience on the web. LCP measures how quickly the largest visible element loads. INP measures how quickly the page responds to user interactions. CLS measures how much the layout shifts as content loads. Improve them by optimizing images, reducing JavaScript, deferring non-critical scripts, reserving space for images and ads, and choosing a host with fast Time to First Byte.

Why is WordPress so popular?

WordPress powers 41.9% of all websites and holds 59.5% of the CMS market as of May 2026 (W3Techs). The reasons compound: it's open source, has the largest plugin ecosystem on the web, stays accessible to non-developers, and remains flexible enough for engineering teams at scale. Hosting providers optimize for it first, security researchers publish fixes for it first, and best-practice guides tend to start with WordPress patterns before generalizing.