A vulnerability in the TablePress WordPress plugin enables attackers to inject malicious scripts that run when someone visits a compromised page. It affects all versions up to and including version 3.2.
TablePress WordPress plugin
The TablePress plugin is used on more than 700,000 websites. It enables users to create and manage tables with interactive features like sorting, pagination, and search.
What Caused The Vulnerability
The problem came from missing input sanitization and output escaping in how the plugin handled the shortcode_debug parameter. These are basic security steps that protect sites from harmful input and unsafe output.
“The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping.”
Input Sanitization
Input sanitization filters what users type into forms or fields. It blocks harmful input, like malicious scripts. TablePress didn’t fully apply this security step.
Output Escaping
Output escaping is similar, but it works in the opposite direction, filtering what gets output onto the website. Output escaping prevents the website from publishing characters that can be interpreted by browsers as code.
That’s exactly what can happen with TablePress. Its insufficient input sanitization enables an attacker to upload a script, and its insufficient output escaping fails to stop the website from rendering that script on live pages. Together, these two gaps are what enable the stored cross-site scripting (XSS) attacks.
Because both protections were missing, someone with Contributor-level access or higher could upload a script that gets stored and runs whenever the page is visited. The fact that a Contributor-level authorization is necessary mitigates the potential for an attack to a certain extent.
Plugin users are recommended to update the plugin to version 3.2.1 or higher.
An advisory was issued for the Ocean Extra WordPress plugin that is susceptible to stored cross-site scripting, which enables attackers to upload malicious scripts that execute on the site when a user visits the affected website.
Ocean Extra WordPress Plugin
The vulnerability affects only the Ocean Extra plugin by oceanwp, a plugin that extends the popular OceanWP WordPress theme. The plugin adds extra features to the OceanWP theme, such as the ability to easily host fonts locally, additional widgets, and expanded navigation menu options.
According to the Wordfence advisory, the vulnerability is due to insufficient input sanitization and output escaping.
Input Sanitization
Input sanitization is the term used to describe the process of filtering what’s input into WordPress, like in a form or any field where a user can input something. The goal is to filter out unexpected kinds of input, like malicious scripts, for example. This is something that the plugin is said to be missing (insufficient).
Output Escaping
Output escaping is kind of like input sanitization but in the other direction, a security process that makes sure that whatever is being output from WordPress is safe. It checks that the output doesn’t have characters that can be interpreted by a browser as code and subsequently executed, such as what is found in a stored cross-site scripting (XSS) exploit. This is the other thing that the Ocean Extra plugin was missing.
Together, the insufficient input sanitization and insufficient output escaping enable attackers to upload a malicious script and have it output on the WordPress site.
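Both advisories above describe the same pair of gaps: an attribute value that is stored without sanitization and then printed without escaping. The following shortcode handler, written for this article and not taken from TablePress, Ocean Extra or any other plugin, shows a vulnerable version beside a hardened one using the WordPress core helpers; the shortcode name and attribute names are assumptions.

```php
<?php
// Illustrative shortcode handler written for this article. It is NOT TablePress
// or Ocean Extra code and does not reproduce either plugin's actual defect.
// The [demo_table] shortcode and its 'id' / 'debug' attributes are assumptions.

// VULNERABLE: the attribute value flows from the post editor straight into the
// page. Any user who can save a post (Contributor and above) controls the
// stored value, and every visitor who renders the page receives it verbatim.
function demo_table_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'debug' => '' ), $atts, 'demo_table' );
    $out  = '<div class="demo-table" data-id="' . $atts['id'] . '">';
    if ( '' !== $atts['debug'] ) {
        $out .= '<pre>Debug: ' . $atts['debug'] . '</pre>'; // unescaped sink
    }
    return $out . '</div>';
}

// HARDENED: sanitize on the way in, escape on the way out. Sanitization
// normalises the value to what the feature expects; escaping makes whatever
// survives inert in the specific HTML context it is printed into.
function demo_table_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'debug' => '' ), $atts, 'demo_table' );

    // Input sanitization: the id must be a non-negative integer; the debug
    // value is reduced to a plain text string with tags and control bytes removed.
    $id    = absint( $atts['id'] );
    $debug = sanitize_text_field( $atts['debug'] );

    // Output escaping, chosen per context: esc_attr() inside an attribute value,
    // esc_html() inside element content. The two are not interchangeable.
    $out = '<div class="demo-table" data-id="' . esc_attr( $id ) . '">';
    if ( '' !== $debug ) {
        $out .= '<pre>Debug: ' . esc_html( $debug ) . '</pre>';
    }
    return $out . '</div>';
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison and must never be wired to a shortcode.
add_shortcode( 'demo_table', 'demo_table_shortcode_hardened' );
```

Escaping at output is the control that actually prevents the stored script from executing; input sanitization is defence in depth and should not be relied on alone, since the same stored value may later be printed in a context the sanitizer did not anticipate.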
Users Urged To Update Plugin
The vulnerability only affects authenticated users with contributor-level privileges or higher, to a certain extent mitigating the threat level of this specific exploit. This vulnerability affects versions up to and including version 2.4.9. Users are advised to update their plugin to the latest version, currently 2.5.0.
“In earlier testing, we’ve seen that AI Max can be effective for accounts of varied sizes… And there’s no minimum conversion recommendation to enable AI Max, but keep in mind that you do need to use a conversion-based smart bidding strategy in order for search term matching to work.”
This smart bidding requirement ensures the system has signals to work with, even if conversion volume is low.
Hear the full response in the video below:
Where Smaller Accounts May See Gains
Google says advertisers “mostly using exact and phrase match keywords tend to see the highest uplift in conversions and conversion value” after enabling AI Max.
Keywordless matching can help smaller advertisers find opportunities without extensive research. AI Max identifies relevant search terms based on landing page content and existing ads.
For local campaigns, advertisers can use simple keywords instead of creating separate ones for each location. AI Max handles the geographic matching.
How AI Max Works In Search
AI Max pulls from more than just landing pages. It also uses ad assets and ad-group keywords to expand coverage and tailor RSA copy.
For English content, it’s capable of generating ad variations within brand guardrails.
Product manager Karen Zang described AI Max as an enhancer to existing work:
“I would view AI Max as an amplifier on the work that you’ve already put in… we’re just leveraging that to customize your ads.”
Product manager Tal Kabas framed AI Max as bringing Performance Max-level technology into Search:
“If you’re using all the best practices with AI Max… then it is PMax technology for Search. We wanted to basically bring that value to advertisers wherever they want to buy.”
Implementation Considerations
Small advertisers considering AI Max should take these preparation steps into account.
First, ensure landing pages are current, as the AI uses them to generate ad variations. Poor or outdated landing page content can negatively impact the output, regardless of account size.
Second, use conversion tracking even if volume is low. While there are no minimums, having any conversion data helps. Smart bidding strategies, such as Target CPA or Target ROAS, must be in place for full functionality.
Third, start with campaigns that use exact and phrase match keywords, as Google’s data shows they benefit the most from AI Max.
Looking Ahead
AI Max is accessible to advertisers of all sizes.
The one-click implementation allows you to test AI Max without restructuring your campaigns. If results don’t meet your expectations, the feature can be disabled.
Google indicated this is the first phase of AI Max development, with more features planned.
Thinking about building a website? Whether you are a small business owner, a freelancer, or launching a side project, one of the first questions you will want answered is: how much does it cost to build a website? This is not just about curiosity; understanding your website costs early on can help you budget effectively and avoid any unpleasant surprises.
The truth is that the answer is rarely simple. Ask ten business owners about their website building costs and you will probably get ten completely different answers. That is because website costs can range from almost nothing to tens of thousands of euros. The variation comes down to what you need your website to do. A small brochure site with a few pages can be built on a modest budget, whereas an ecommerce store with thousands of products and secure payment facilities will always cost more. The good news is that once you understand where the costs lie, you can make better decisions. And while Yoast SEO will not directly reduce your build costs, it will help you avoid expensive SEO mistakes, improve site performance, and keep your long-term marketing budget under control.
What are you actually paying for when building a website?
Design and user experience: This sets the tone for how visitors feel about your site. Good design is more than colors and fonts, it is about navigation, site structure, and encouraging visitors to stay and explore. Read more about user experience.
Development: Turns your designs into a working website. A simple build will cost less, but advanced features or integrations push the price up.
Domain and hosting: These two are essential and unavoidable. Your domain name generally costs between €10 and €50 per year and hosting keeps your site live. Shared hosting is cheapest, but dedicated hosting provides better performance and enhanced security. As a recommendation, Bluehost is a great choice for both domain registration and hosting. On top of that, it also works extremely well with WordPress.
Content: A blank page isn’t going to keep visitors on your site for very long, so you’re going to need to have something to show them. You can of course do your own content, but professional content creators can be useful in getting more conversions.
SEO: This ensures your site gets found. You can do it yourself, but Yoast SEO helps simplify the process and can reduce costs by guiding you on how to optimize pages as you write.
Here’s a chart to explain the above in a quick-check guide:
Area: Description
Design: Custom visuals, layout, user interface (UI), mobile responsiveness
User experience (UX): Navigation logic, site structure, call-to-action placement
Development: Code, content management system (CMS), plug-ins or features
Domain and hosting: Your website’s address and where it lives online
Content and SEO: Written pages, blog posts, metadata, and optimizations
Ongoing maintenance: Plugin updates, security, backups, fixes
Upfront costs:
Of course, none of this comes for free, unless there are some things you can do yourself like copywriting or photography. This will still cost you in terms of time though, so it may be worth considering hiring a professional if there are other areas of your business that you would rather focus on. With that in mind, let’s take a quick look at some upfront costs that you will only have to pay for once at the very start.
Obviously, once your website is up and running, that’s not the end of the story. You are presumably here for the long-term and that means there are going to be recurring costs. These cover things like hosting, so your site can stay live, maintenance, to keep everything secure and updated, and you’ll need to continually post new content to engage with your site’s visitors.
Most people spend their time focusing on the look and feel of their site and while that is important, it’s not the only thing to consider. It’s understandable that things like legal technicalities and CDNs are not front-of-mind when you’re excited about growing your business but it is necessary. That means you’ll need to complete these, often overlooked, tasks to make sure that you remain on track for growth and stay compliant.
Type of cost: Low estimate to high estimate
Marketing & ads: €100/month to €10,000+/month
Accessibility & legal compliance: €200 to €5,000+
Scaling & performance upgrades (plugins, CDN, extra development work): €100 to €10,000+
Website building options
There are three main ways to build a site, and your choice here will have an impact on the final cost.
1. DIY builders (like Wix or Squarespace)
These platforms, as well as some others, will let you build a site from scratch without the need for any technical skills. They’re affordable, quick to set up and ideal for portfolio sites, hobby sites, or small businesses. If you are using these site builders for business, you might find them limiting when you need to scale or want more advanced SEO.
2. WordPress + Yoast
For most successful small and medium sized businesses, WordPress is an excellent solution as it’s flexible, scalable, and widely supported. What’s more, when you pair it with Yoast SEO for WooCommerce you can start publishing optimized content from day one, making your online store more visible instantly. This makes it more affordable in the long run as there’s no need for an agency, and you can add features as you grow rather than having to rebuild every time.
3. Custom-built website via an agency
For complex businesses like advanced ecommerce or security services, a custom-built site is their best option. It’s the most expensive option but gives you complete control, giving you everything you want without having to compromise on anything. However, you may find that tailored code and features will cost a lot more.
Watch out for these hidden costs
One common misconception is that the costs end when your site goes live. That’s just not true, in fact, some of the most expensive problems show up after launch. These can include:
Non-converting content: You can have the most beautiful website in the world but if it’s not pulling in paying customers, there’s a problem. Try investing in professional copywriting and SEO-friendly content that will ensure visitors take action.
Dropped traffic: Starting off with bad SEO can really hamper your traffic. Without help, it’s easy to make errors that could take months to fix. This is very much a case of prevention is better than cure.
Technical debt: Sites built on outdated technology or poorly coded templates may work at first but become costly to maintain or upgrade after a while.
Accessibility cost: It’s important that you make sure your site caters to all, especially those who may have visual or audio impairments.
Legal costs: There are certain legal requirements to take care of. These aren’t just there to protect the customer; they protect you too. So, don’t forget that you’ll need things like a cookie consent tool and a term of service policy.
How Yoast saves you money (over time)
Yoast isn’t about saving you money on upfront costs; what it does is prevent expensive mistakes. It will save you money over time though as you’ll benefit from reduced costs of ongoing SEO and content marketing.
To get more specific though, Yoast’s real-time SEO guidance helps you write better, optimized content without needing to hire a writer. In addition, the Readability analysis and Internal linking suggestions are two features that help to reduce bounce rates by making your content perform better, which literally translates into more conversions. On top of this, adding structured data manually is time consuming and costly. Yoast automates much of this, giving you rich search results without developer costs. And if that’s not enough to whet your appetite, there are free and premium options.
Feature: How it saves you money
Real-time SEO guidance: Write better content, faster, without hiring an SEO expert
Readability analysis: Engaged readers means more conversions
Schema & structured data: Get results without coding knowledge
Internal linking suggestions: Boost traffic to key pages without external help
Budgeting tips for small business owners
By spending smart, you can get big results for less. Here are a few things to keep in mind:
Start with clarity, not complexity: Fancy animations might look nice, but if they confuse your visitors, they’re not worth the price.
Spend more on content than code: Great content = better SEO = better ROI.
Invest in tools that scale with you: WordPress and Yoast both grow with your business.
Plan for the long game: Don’t treat launch as the finish line. Content updates and SEO tweaks are ongoing.
Ecommerce vs. general website: does it change the cost?
Yes, dramatically. Ecommerce sites need:
Payment gateways.
Product listings.
Inventory management.
Legal disclaimers.
Stronger performance and security.
Expect to pay more, sometimes a lot more, for development, plugins, and maintenance. But again, tools like Yoast SEO help make your product pages more visible and your content more persuasive.
Platforms like WooCommerce give you a practical and flexible way to run your online store without having to reinvent the wheel. But the real key to success is visibility, after all, if people can’t find you, they can’t buy from you. And this is what Yoast SEO for WooCommerce does best.
Ultimately, what matters about your site most is what it does for your business. With WordPress and Yoast, you can create a professional site that looks great, enhances your online visibility, and grows with your business, without breaking the bank. One of the best things you can do to really set the wheels in motion now though is to go to this guide WordPress for beginners training course and learn how to put yourself and your company first.
Good SEO isn’t a luxury; it’s a smart investment, so start today. Good luck!
Brendan Reid
Brendan is a seasoned writer with a particular interest in SMEs. What he really enjoys is being able to provide real, actionable steps that can be taken today to start making business better for everyone.
However, WordPress isn’t just a plug-and-play CMS. If you’re in the marketing team or the CMO, you may find yourself inheriting and using a WordPress site that will most likely have a less-than-ideal stack setup.
Don’t accept that this is just the setup you have. If your tech stack isn’t aligned correctly, it could directly hinder some of your own goals.
While it may seem that you should delegate all technical decisions to the development/IT team, these decisions may overrule wider business goals.
As such, it may be time to audit your installation and setup in order to break free of these stack limitations.
If you’re a CMO, this post will cover the different considerations when thinking of the optimal WordPress tech stack that also aligns with your own goals.
What A Tech Stack Includes
From a top-level, the WordPress tech stack involves the following:
There’s a lot to consider. With that, let’s delve into what you, as a CMO, should be asking yourself and others to ensure this stack is at its best.
The Invisible Cost Of Cheap Hosting
Shared hosting might seem cost-effective, but in my experience, it’s often the most expensive choice in the long term.
When your site shares resources with hundreds of others, performance becomes unpredictable. This can affect many things, from general speed and performance, but also how search engines and large language models (LLMs) crawl/discover your site, as well as how a human may experience the site itself.
Dedicated servers or managed WordPress hosting may be a larger investment, but in turn reduces technical overheads while providing the infrastructure needed for growth and scale.
For the level up from this, WordPress-based Cloud hosting is the most robust solution, but would require more technical expertise to manage.
What CMOs Should Ask:
Are we on shared hosting or dedicated infrastructure? If the former, why?
Are all server resources, such as PHP, up to date?
What happens to site performance during traffic spikes?
Who is responsible for server-level maintenance, optimizations, and security?
For potential traffic spikes, are there solutions and safeguards in place, such as load balancers?
Can we grow and scale with our current solution?
Performance: The Business Metric Disguised As A Tech Metric
Developers and technical SEOs alike will obsess over PageSpeed/Lighthouse scores, but things such as Core Web Vitals aren’t just technical benchmarks but also conversion metrics in disguise.
A one-second delay in mobile load times can impact mobile conversions by up to 20%. If Largest Contentful Paint (LCP) exceeds 2.5 seconds, then your next sale is at high risk before there’s a chance to convert the visitor.
Performance optimization in WordPress isn’t straightforward when looking forensically. Many “solutions” can create new problems. Even well-intentioned optimizations and fixes over the longer term can cause conflicts or other knock-on effects. Over time, this becomes a “Frankenstein” site of many elements patched together in an attempt to keep it ‘alive’ that becomes expensive to unravel and can cause the site to be a “write-off”. This practice is more common than you think.
What CMOs Should Ask:
How does our site perform on PageSpeed Insights, GTmetrix, and YSlow? What can be improved? How do we perform against competitors?
Is caching properly set up? Are we considering all levels (server, object, page, CDN, etc.)?
Do we have all minification tools set up correctly?
Is our database architecture the best it can be? How can this be improved?
What and how often is our database cleaned? Does this include revisions?
How are our images performing? Have they been optimized? Are we using more modern formats such as WebP?
Who owns the performance metric?
This isn’t about chasing perfect scores; it’s about ensuring your technical foundation supports rather than potentially sabotaging your marketing objectives.
Deciding On A Theme Should Be Long-Term
There are thousands of WordPress themes out there.
In a perfect scenario, the theme itself would be custom-built, incorporating WordPress’ own Gutenberg block editor, as it’s part of the core. As well as this, full site editing functionality makes this process even easier.
If your budget can’t stretch to custom-built theme development, it’s then extremely important to choose the right theme.
Ensure that you research the theme properly, making an informed choice that is performance-led to complement the stack, not convenience-led for editors.
But remember, your choice of theme is more long-term than installing a plugin you find you don’t need a month/year later. Because of this, themes should have a more considered and informed approach.
Bonus Consideration: Page Builders
Generally, the people who end up using WordPress on a day-to-day basis are not the same people who developed it or set it up.
Because of this, there can sometimes be clashes when it comes to what someone in your marketing team wants versus what should be implemented with technical best practice.
Page builders such as Elementor and Divi do offer a lot more freedom and flexibility for page creation and design, but come with the downside of potential code bloat and resource allocation.
Ensure that your decisions are not influenced too much by this request, because that is what it is, a request.
What CMOs Should Ask:
How does our current theme/builder choice impact site performance?
Is our current theme built for purpose? Is it a theme that caters to the masses, or is it developed specifically for me or my niche?
Are we locked into a specific page builder? What does the builder offer that Gutenberg and FSE don’t? What are the migration implications?
Are our choices forming a good balance between design flexibility with technical performance?
Do we have the development resources to support our chosen approach?
Are there conflicts between the page builder and other resources/assets?
Plugin-ception
“There’s a plugin for that.”
This is a phrase we’ve all heard or said before – myself included. There will be a plugin for that, yes – but it shouldn’t be the answer every time you want to extend functionality.
While I do have a select number of “core” plugins that I confidently choose to use on any site, this does not mean I would install a plugin just because it solves one problem; solving a single problem may not be enough to justify the technical debt the plugin will add.
Estimates suggest the average WordPress site runs 20-30 plugins, with many serving overlapping functions or creating conflicts.
Bonus: Some Plugins Require Attention Post-Installation
There are some plugins that have a simple “plug and play” approach. But whenever I install anything, I always delve further into its setup, configuration, and how this can impact the performance of a site.
One thing to know is that, in general, you should not approach any plugin with an “install and ignore” mindset.
Check the settings. Go through the first-time configuration (FTC). Audit the configuration.
Furthermore, plugins not only provide valuable under-the-hood optimizations and enhancements, but also present an opportunity for the site to evolve alongside your business and marketing activities.
Actively using these plugins means your stack continues to benefit from the latest features, innovations, and improvements.
What CMOs Should Ask:
How many plugins are currently active on our site?
When was our last plugin audit?
What plugins are we dependent on for our core business functions?
Have all plugins been configured correctly?
Are the plugins that require ongoing work being used?
Are there conflicts with other plugins?
Are there any incumbent plugins stopping the development of the site as a whole?
(More aggressive) What will happen to the wider business goals if [Plugin X] is no longer used?
The more plugins that are installed, the higher the risk of incompatibility, conflicts, and security vulnerabilities.
Security: Be Proactive, Not Reactive
One would think that security is always the top priority to ensure the safe operation of any website. Incorrect.
Breaches can devastate not just the site, but in turn, your brand reputation, while also incurring large immediate costs and most likely some loss of earnings in the future as a result.
While on the more extreme end of the scale, earlier this year, some hackers breached a number of large UK retailers, including Marks and Spencer, causing £300 million in lost profits, with no real measurement on how this has affected them since.
It doesn’t take long or cost much (in some cases, the solutions are free) to add some layers of security to your stack.
Whether it’s adding rules within Cloudflare or installing Sucuri or Wordfence, don’t just leave your site unprotected while you “sit tight and assess” – take proactive steps to secure your stack.
Is everything up to date? This includes not just WordPress core, themes, and plugins, but also on a server level, such as PHP.
Maintenance: Forgotten Until Required
WordPress maintenance often gets treated as a technical afterthought, but I consider this to be a critical marketing function.
Outdated plugins not only create conflicts that have knock-on effects on both the frontend and backend of the site but also expose you to security vulnerabilities that I just covered above.
The choice between manual and automatic updates reflects deeper strategic priorities.
Manual updates provide more control but require dedicated resources and staging environments for testing prior to deployment. Automatic updates may reduce maintenance overhead, but there is always a risk of conflicts during critical business periods.
What CMOs Should Ask:
Who is responsible for WordPress core, plugin, and theme updates? Do they have all the required access in case of disaster scenarios?
Who is responsible for legal, compliance, and privacy on the site?
Is everything up to date? If not, is there a reason for this?
Do we have staging environments for testing changes before anything is deployed to a production environment?
What’s our rollback plan if an update breaks critical functionality?
How do we balance security needs with stability requirements?
“Frankenstein” Sites Only Get You So Far For So Long…
If you have a theme that is now years old, perhaps five or more, it’s likely that over time the theme (unless extremely well maintained) will eventually cause issues and conflicts, more so when you want to grow and scale.
Optimizing the site over time is obviously suggested, but after a prolonged amount of time, this becomes more challenging and less possible without conflicts arising.
What CMOs Should Ask:
When was the last time a theme was chosen?
When was it last audited? Is the theme still fit for purpose today?
Is a theme update causing conflicts with other resources and plugins?
Are there legacy plugins or other functionality that prevent essential updates to WordPress or PHP, forcing the site to remain on outdated versions (therefore limiting access to new features, improved security, or better performance)?
Are ad hoc maintenance costs and “patchwork” over two to three years costing more than a potential rebuild (i.e., is it a “write-off”)?
Key Takeaways
Below is a high-priority checklist that you can act on now:
Priority: Action item (stakeholders)
Critical: Audit the current hosting environment and audit invisible costs. (CMO, Tech Lead, Finance)
Critical: Review plugin presence and usage: configuration, conflicts, necessity. (Tech, SEO, Product, Marketing)
Critical: Implement and verify up-to-date security layers (e.g., Sucuri, WAF). (CTO, IT)
High: Define clear responsibilities for updates, rollbacks, and compliance. (Product, Legal, Marketing)
High: Schedule routine theme and plugin audits. (Dev/Project Manager)
High: Set up or review staging/testing environments for changes. (Tech Lead/DevOps)
Medium: Plan for a long-term theme or potential rebuild if “Frankenstein.” (CMO, CTO)
Medium: Calculate ongoing maintenance costs vs possible site overhaul. (Finance, CMO, CTO)
Your WordPress stack should never be considered “set and forget.”
Don’t wait for something to break, because when something does, it will most likely cause more loss than any proactive investment to ensure there isn’t one.
This post was sponsored by Cloudways. The opinions expressed in this article are the sponsor’s own.
Wondering why your rankings may be declining?
Just discovered your WooCommerce site has slow load times?
A slow WooCommerce site doesn’t just cost you conversions. It affects search visibility, backend performance, and customer trust.
Whether you’re a developer running your own stack or an agency managing dozens of client stores, understanding how WooCommerce performance scales under load is now considered table stakes.
Today, many WordPress sites are far more dynamic, meaning many things are happening at the same time:
Every action a user takes, from logging in to updating a cart or initiating checkout, relies on live data from the server. These requests cannot be cached.
Tools like Varnish or CDNs can help with public pages such as the homepage or product listings. But once someone logs in to their account or interacts with their session, caching no longer helps. Each request must be processed in real time.
This article breaks down why that happens and what kind of server setup is helping stores stay fast, stable, and ready to grow.
Why Do WooCommerce Stores Slow Down?
WooCommerce often performs well on the surface. But as traffic grows and users start interacting with the site, speed issues begin to show. These are the most common reasons why stores slow down under pressure:
1. PHP: It Struggles With High User Activity
WooCommerce depends on PHP to process dynamic actions such as cart updates, coupon logic, and checkout steps. Traditional stacks using Apache for PHP handling are slower and less efficient.
Order creation, cart activity, and user actions generate a high number of database writes. During busy times like flash sales, new merchandise arrivals, or course launches, the database struggles to keep up.
Platforms that support optimized query execution and better indexing handle these spikes more smoothly.
3. Caching Issues: Object Caching Is Missing Or Poorly Configured
Without proper object caching, WooCommerce queries the database repeatedly for the same information. That includes product data, imagery, cart contents, and user sessions.
Solutions that include built-in Redis support help move this data to memory, reducing server load and improving site speed.
4. Concurrency Limits Affect Performance During Spikes
Most hosting stacks today, including Apache-based ones, perform well for a wide range of WordPress and WooCommerce sites. They handle typical traffic reliably and have powered many successful stores.
As traffic increases and more users log in and interact with the site at the same time, the load on the server begins to grow. Architecture starts to play a bigger role at that point.
Stacks built on NGINX with event-driven processing can manage higher concurrency more efficiently, especially during unanticipated traffic spikes.
Rather than replacing what already works, this approach extends the performance ceiling for stores that are becoming more dynamic and need consistent responsiveness under heavier load.
5. Your WordPress Admin Slows Down During Sales Seasons
During busy periods like seasonal sales campaigns or new stock availability, stores can often slow down for the team managing the site, too. The WordPress dashboard takes longer to load, which means publishing products, managing orders, or editing pages also becomes slower.
This slowdown happens because both shoppers and staff are using the site’s resources at the same time, and the server has to handle all those requests at once.
How To Architect A Scalable WordPress Setup For Dynamic Workloads
WooCommerce stores today are built for more than steady, anonymous traffic. Customers log in, update their carts, manage their subscription profiles, and interact with your backend in real time.
A traditional WordPress setup, tuned primarily for serving static content from a page cache, was not designed for that kind of demand.
Here’s how a typical setup compares to one built for performance and scale:
Component | Basic Setup | Scalable Setup
Web Server | Apache | NGINX
PHP Handler | mod_php or CGI | PHP-FPM
Object Caching | None or database transients | Redis with Object Cache Pro
Scheduled Tasks | WP-Cron | System cron job
Caching | CDN or full-page caching only | Layered caching, including object cache
.htaccess Handling | Built-in with Apache | Manual rewrite rules in NGINX config
Concurrency Handling | Limited | Event-based, memory-efficient server
How To Manually Set Up A Performance-Ready & Scalable WooCommerce Stack
If you’re setting up your own server or tuning an existing one, here are the most important components to get right:
1) Use NGINX For Static File Performance
NGINX is often used as a high-performance web server for handling static files and managing concurrent requests efficiently. It is well suited for stores expecting high traffic or looking to fine-tune their infrastructure for speed.
Unlike Apache, NGINX does not use .htaccess files. Rewrite rules, such as permalinks, redirects, and trailing slashes, need to be added manually to the server block. For WordPress, these rules are well-documented and only need to be set once during setup.
This approach gives more control at the server level and can be helpful for teams building out their own environment or optimizing for scale.
2) Enable PHP-FPM For Faster Request Handling
PHP-FPM separates PHP processing from the web server. It gives you more control over memory and CPU usage. Size pm.max_children from the memory you can spare for PHP divided by the footprint of one worker, and set pm.max_requests so that workers are recycled before a leaky plugin exhausts memory: too many children push the server into swap, too few leave requests queueing during high activity.
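A pool file that puts those knobs in context, as an added example rather than configuration from the article or any vendor. The pool name, the socket and log paths, the PHP version in the paths, and the 6 GB / 64 MB sizing figures are assumptions to replace with measurements from your own server.

```ini
; /etc/php/8.2/fpm/pool.d/woocommerce.conf  (assumed path; adjust to your PHP version)
[woocommerce]
user = www-data
group = www-data

; Unix socket instead of TCP: faster, and not reachable from the network at all.
listen = /run/php/php8.2-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Only ever execute files ending in .php, whatever path the web server hands over.
security.limit_extensions = .php

pm = dynamic
; Sizing: (RAM you can give PHP) / (RSS of one worker). Assumed here: 6 GB / ~64 MB = ~90.
; Measure your own workers; a heavy plugin set can double the per-worker figure.
pm.max_children = 90
pm.start_servers = 20
pm.min_spare_servers = 10
pm.max_spare_servers = 30
; Recycle each worker after this many requests so a slowly leaking plugin cannot grow without bound.
pm.max_requests = 500

; Kill a request that hangs (a payment-gateway call that never returns, for example)
; before it pins a worker for the rest of a flash sale.
request_terminate_timeout = 60s
; Dump a backtrace for anything slower than 5 s to find the plugin or query at fault.
request_slowlog_timeout = 5s
slowlog = /var/log/php-fpm/woocommerce-slow.log

; Status and ping endpoints for monitoring; expose them only to localhost in NGINX.
pm.status_path = /fpm-status
ping.path = /fpm-ping
```

To get the per-worker figure on a Debian-style install, sum the resident size of the running workers, for example with `ps -o rss= -C php-fpm8.2 | awk '{s+=$1} END {printf "%.0f MB\n", s/NR/1024}'`, under realistic load rather than on an idle box; the master process is included in that average, which makes it slightly optimistic.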
3) Install Redis With Object Cache Pro
Redis allows WooCommerce to store frequently used data in memory. This includes cart contents, user sessions, and product metadata.
Pair this with Object Cache Pro to compress cache objects, reduce database load, and improve site responsiveness under load.
4) Replace WP-Cron With A System-Level Cron Job
By default, WordPress checks for scheduled tasks whenever someone visits your site. That includes sending emails, clearing inventory, and syncing data. If you have steady traffic, it works. If not, things get delayed.
You can avoid that by turning off the visitor-triggered spawn: add define('DISABLE_WP_CRON', true); to your wp-config.php file. Then set up a real cron job at the server level to run wp-cron.php every minute. This keeps those tasks running on time without depending on visitors.
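What steps 3 and 4 look like together in wp-config.php, as an added example that is not code from the article or from Object Cache Pro. The host, port, database number, key prefix, environment variable names, site path and crontab entry are assumptions for a single-server install; the WP_REDIS_CONFIG keys follow Object Cache Pro's configuration format, so check its documentation for the full option list.

```php
<?php
// Additions to wp-config.php (added example). Place these above the line
// "/* That's all, stop editing! */". Hosts, ports, prefixes and paths are assumptions.

// Step 3: Object Cache Pro. Bind Redis to 127.0.0.1 (or a Unix socket) and require a
// password: an open Redis port hands an attacker every cart, session and transient.
define( 'WP_REDIS_CONFIG', [
    'token'       => getenv( 'OBJECT_CACHE_PRO_TOKEN' ), // license token from the environment, not hard-coded
    'host'        => '127.0.0.1',
    'port'        => 6379,
    'database'    => 0,
    'password'    => getenv( 'REDIS_PASSWORD' ),         // matches "requirepass" in redis.conf
    'prefix'      => 'shop1',      // unique per site so sites sharing one Redis never read each other's keys
    'serializer'  => 'igbinary',   // requires the igbinary PHP extension
    'compression' => 'zstd',       // requires the zstd PHP extension
] );

// Step 4: stop WordPress from spawning wp-cron.php on page views ...
define( 'DISABLE_WP_CRON', true );

// ... and run it from system cron instead. Crontab entry (assumed paths), for example in
// /etc/cron.d/wp-cron, running as the web user once a minute. "flock -n" skips a run
// when the previous one is still going, so a slow pass cannot stack up workers:
//
//   * * * * * www-data flock -n /tmp/wp-cron.lock /usr/local/bin/wp --path=/var/www/example.com cron event run --due-now --quiet
//
// Without WP-CLI, "php /var/www/example.com/wp-cron.php" on the same schedule does the same job.
```

Note that DISABLE_WP_CRON only stops WordPress from triggering the cron runner on page loads; wp-cron.php itself still executes when requested over HTTP, which is why the NGINX configuration in step 5 can deny direct requests to it once the system cron job is in place.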
5) Add Rewrite Rules Manually For NGINX
NGINX doesn’t use .htaccess. That means you’ll need to define URL rules directly in the server block.
This includes things like permalinks, redirects, and static file handling. It’s a one-time setup, and most of the rules you need are already available from trusted WordPress documentation. Once you add them, everything works just like it would on Apache.
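A server block that covers steps 1, 2 and 5 in one place, as an added example and not configuration from the article. The hostname, web root and PHP-FPM socket name are assumptions; TLS is omitted for brevity. Besides the permalink rewrite, it includes the handful of rules Apache's .htaccess conventions used to give you for free, since on NGINX nothing enforces them unless you write them down.

```nginx
# /etc/nginx/sites-available/example.com (added example; hostname, paths and the
# PHP-FPM socket name are assumptions). TLS is omitted for brevity.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Let ACME challenges through before the dot-file rule below blocks them.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Permalinks: serve the file or directory if it exists, otherwise hand the request
    # to WordPress with the original query string (what .htaccess did with RewriteRule).
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Static assets straight from disk, long cache lifetime, no access-log noise.
    location ~* \.(css|js|png|jpe?g|gif|webp|svg|ico|woff2?)$ {
        try_files $uri =404;
        expires 30d;
        add_header Cache-Control "public";
        access_log off;
    }

    # Regex locations match in file order, so this deny must sit before the PHP handler.
    # Never execute PHP from the user-writable uploads tree (an uploaded "image" that is a web shell).
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    # Hand PHP to PHP-FPM. "try_files $uri =404" matters: without it, on PHP-FPM pools
    # that lack security.limit_extensions, /uploads/x.jpg/y.php can execute x.jpg as PHP.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_read_timeout 60s;
    }

    # .htaccess, .git and .env are ordinary files to NGINX. Apache refused to serve .ht*;
    # here a leftover .htaccess, or a .git directory, is downloadable unless denied.
    location ~ /\. {
        deny all;
    }

    # wp-cron.php runs from system cron (step 4), so anonymous HTTP does not need to reach it.
    # Remove this block if your cron job calls wp-cron.php over HTTP instead of the CLI.
    location = /wp-cron.php {
        deny all;
    }

    # xmlrpc.php is the usual brute-force and amplification target; block it unless the
    # mobile app or Jetpack actually needs it.
    location = /xmlrpc.php {
        deny all;
    }
}
```

Reload with `nginx -t && systemctl reload nginx`; a failed `nginx -t` is the check that catches a typo before it takes the store offline.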
A Few Tradeoffs To Keep In Mind
This kind of setup brings a real speed boost. But there are some technical changes to keep in mind.
NGINX won’t read .htaccess. All rewrites and redirects need to be added manually.
WordPress Multisite may need extra tweaks, especially if you’re using subdirectory mode.
Security settings like IP bans or rate limits should be handled at the server level, not through plugins.
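What "handled at the server level" looks like on NGINX, as an added example that is not from the article: a request rate limit on the login page and an IP ban list, both applied before a single line of PHP runs. The zone size, the rate, the banned range (an RFC 5737 documentation address) and the PHP-FPM socket are assumptions.

```nginx
# Added example: server-level rate limiting and IP bans for NGINX. Values are assumptions.

# http {} context (nginx.conf or /etc/nginx/conf.d/wp-limits.conf).
# A 10 MB zone tracks roughly 160k client addresses; 10 requests per minute per IP to the login page.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;

# Ban list as a map over the client address. Keep it in its own file and reload NGINX,
# instead of letting a plugin consult an option table in the database on every request.
geo $banned {
    default          0;
    198.51.100.0/24  1;   # assumed abusive range (RFC 5737 documentation address)
}

server {
    # ... listen, root and the other locations from the site's server block ...

    if ($banned) {
        return 403;
    }

    # An exact-match location wins over the generic "~ \.php$" handler, so PHP-FPM is wired in here too.
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;   # 5 extra attempts allowed in a burst, then rejected
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed socket
    }
}
```

One caveat a practitioner hits immediately: behind a CDN or load balancer, $binary_remote_addr is the proxy's address, so every visitor shares one bucket and one ban entry. Configure the real_ip module with the proxy's address ranges (and only those) before trusting the client IP for either rule.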
Most developers won’t find these issues difficult to work with. But if you’re using a modern platform, much of it is already taken care of.
You don’t need overly complex infrastructure to make WooCommerce fast; just a stack that aligns with how modern, dynamic stores operate today.
Next, we’ll look at how that kind of stack performs under traffic, with benchmarks that show what actually changes when the server is built for dynamic sites.
What Happens When You Switch To An Optimized Stack?
Not all performance challenges come from code or plugins. As stores grow and user interactions increase, the type of workload becomes more important, especially when handling live sessions from logged-in users.
To better understand how different environments respond to this kind of activity, Koddr.io ran an independent benchmark comparing two common production setups:
A hybrid stack using Apache and NGINX.
A stack built on NGINX with PHP-FPM, Redis, and object caching.
Both setups were fully optimized and included tuned components like PHP-FPM and Redis. The purpose of the benchmark was to observe how each performs under specific, real-world conditions.
The tests focused on uncached activity from WooCommerce and LearnDash, where logged-in users trigger dynamic server responses.
In these scenarios, the optimized stack showed higher throughput and consistency during peak loads. This highlights the value of having infrastructure tailored for dynamic, high-concurrency traffic, depending on the use case.
WooCommerce Runs Faster Under Load
One test simulated 80 users checking out at the same time. The difference was clear:
Scenario | Hybrid Stack | Optimized Stack | Gain
WooCommerce Checkout | 3,035 actions | 4,809 actions | +58%
Screenshot from Koddr.io, August 2025
LMS Platforms Benefit Even More
For LearnDash course browsing, a write-heavy and uncached task, the optimized stack completed 85% more requests:
Scenario | Hybrid Stack | Optimized Stack | Gain
LearnDash Course List View | 13,459 actions | 25,031 actions | +85%
This shows how optimized stacks handle personalized or dynamic content more efficiently. These types of requests can’t be served from a page cache, so the server’s raw efficiency becomes critical.
Screenshot from Koddr.io, August 2025
Backend Speed Improves, Too
The optimized stack wasn’t just faster for customers. It also made the WordPress admin area more responsive:
WordPress login times improved by up to 31%.
Publish actions ran 20% faster, even with high traffic.
This means your team can concurrently manage products, update pages, and respond to sales in real time, without delays or timeouts.
It Handles More Without Relying On Caching
When Koddr turned off Varnish, the hybrid stack lost 71% of its throughput, which shows how much of its performance comes from the page cache rather than from the stack underneath it. The optimized stack dropped just 7%, which highlights its ability to maintain speed during uncached, logged-in sessions.
Both setups have their strengths, but for stores with real-time user activity, reducing reliance on caching can make a measurable difference.
Stack Type | With Caching | Without Caching | Drop
Hybrid Stack | 654,000 actions | 184,000 actions | -71%
Optimized Stack | 619,000 actions | 572,000 actions | -7%
Screenshot from Koddr.io, August 2025
Why This Matters
Static pages are easy to optimize. But WooCommerce stores deal with real-time traffic. Cart updates, login sessions, and checkouts all require live processing. Full-page caching stops helping once a user has signed in, which leaves only the object cache and the server’s own efficiency.
The Koddr.io results show how an optimized server stack helps scale without complex performance workarounds.
These are the kinds of changes that power newer stacks purpose-built for dynamic workloads, such as Cloudways Lightning.
Core Web Vitals Aren’t Just About The Frontend
You can optimize every image. Minify every line of code. Switch to a faster theme. But your Core Web Vitals score will still suffer if the server can’t respond quickly.
That’s what happens when logged-in users interact with WooCommerce or LMS sites.
When a customer hits “Add to Cart,” the page cache is out of the picture. The server has to process the request live. That’s where TTFB (Time to First Byte) becomes a real problem.
A slow server response means the browser waits longer for the first byte before it can start rendering the page, and that delay feeds directly into your Largest Contentful Paint and Interaction to Next Paint metrics.
Frontend tuning gets you part of the way. But if the backend is slow, your scores won’t improve. Especially for logged-in experiences.
Real optimization starts at the server.
How Agencies Are Skipping The Manual Work
Every developer has a checklist for WooCommerce performance. Use NGINX. Set up Redis. Replace WP-Cron. Add a WAF. Test under load. Keep tuning.
But not every team has the bandwidth to maintain all of it.
That’s why more agencies are using pre-optimized stacks that include these upgrades by default. Cloudways Lightning, a managed stack based on NGINX + PHP-FPM and designed for dynamic workloads, is one example.
It’s not just about speed. It’s also about backend stability during high traffic. Admin logins stay fast. Product updates don’t hang. Orders keep flowing.
Joe Lackner, founder of Celsius LLC, shared what changed for them:
“Moving our WordPress workloads to the new Cloudways stack has been a game-changer. The console admin experience is snappier, page load times have improved by +20%, and once again Cloudways has proven to be way ahead of the game in terms of reliability and cost-to-performance value at this price point.”
This is what agencies are looking for. A way to scale without getting dragged into infrastructure management every time traffic picks up.
Final Takeaway
WooCommerce performance is no longer just about homepage load speed.
Your site handles real-time activity from both customers and your team. Once a user logs in or reaches checkout, the page cache no longer applies. Each action hits PHP and the database directly.
If the infrastructure isn’t optimized, site speed drops, sales suffer, and backend work slows down.
The foundations matter. A stack that’s built for high concurrency and uncached traffic keeps things fast across the board. That includes cart updates, admin changes, and product publishing.
For teams who don’t want to manage server tuning manually, options like Cloudways Lightning deliver a faster, simpler path to performance at scale.
Google just announced that a typical query to its Gemini app uses about 0.24 watt-hours of electricity. That’s about the same as running a microwave for one second—something that, to me, feels virtually insignificant. I run the microwave for so many more seconds than that on most days.
I was excited to see this report come out, and I welcome more openness from major players in AI about their estimated energy use per query. But I’ve noticed that some folks are taking this number and using it to conclude that we don’t need to worry about AI’s energy demand. That’s not the right takeaway here. Let’s dig into why.
1. This one number doesn’t reflect all queries, and it leaves out cases that likely use much more energy.
Google’s new report considers only text queries. Previous analysis, including MIT Technology Review’s reporting, suggests that generating a photo or video will typically use more electricity.
When I spoke with Jeff Dean, Google’s chief scientist, he said the company doesn’t currently have plans to do this sort of analysis for images and videos, but that he wouldn’t rule it out.
The reason the company started with text prompts is that those are something many people out there are using in their daily lives, he says, while image and video generation is something that not as many people are doing. But I’m seeing more AI images and videos all over my social feeds. So there’s a whole world of queries not represented here.
Also, this estimate is the median, meaning it’s just the number in the middle of the range of queries Google is seeing. Longer questions and responses can push up the energy demand, and so can using a reasoning model. We don’t know anything about how much energy these more complicated queries demand or what the distribution of the range is.
2. We don’t know how many queries Gemini is seeing, so we don’t know the product’s total energy impact.
One of my biggest outstanding questions about Gemini’s energy use is the total number of queries the product is seeing every day.
This number isn’t included in Google’s report, and the company wouldn’t share it with me. And let me be clear: I absolutely pestered them about this, both in a press call they had about the news and in my interview with Dean. In the press call, the company pointed me to a recent earnings report, which includes only figures about monthly active users (450 million, for what it’s worth).
“We’re not comfortable revealing that for various reasons,” Dean told me on our call. The total number is an abstract measure that changes over time, he says, adding that the company wants users to be thinking about the energy usage per prompt.
But there are people out there all over the world interacting with this technology, not just me—and what we all add up to seems quite relevant.
OpenAI does publicly share its total, sharing recently that it sees 2.5 billion queries to ChatGPT every day. So for the curious, we can use this as an example and take the company’s self-reported average energy use per query (0.34 watt-hours) to get a rough idea of the total for all people prompting ChatGPT.
According to my math, over the course of a year, that would add up to over 300 gigawatt-hours—the same as powering nearly 30,000 US homes annually. When you put it that way, it starts to sound like a lot of seconds in microwaves.
3. AI is everywhere, not just in chatbots, and we’re often not even conscious of it.
AI is touching our lives even when we’re not looking for it. AI summaries appear in web searches, whether you ask for them or not. There are built-in features for email and texting applications that can draft or summarize messages for you.
Google’s estimate is strictly for Gemini apps and wouldn’t include many of the other ways that even this one company is using AI. So even if you’re trying to think about your own personal energy demand, it’s increasingly difficult to tally up.
To be clear, I don’t think people should feel guilty for using tools that they find genuinely helpful. And ultimately, I don’t think the most important conversation is about personal responsibility.
There’s a tendency right now to focus on the small numbers, but we need to keep in mind what this is all adding up to. Over two gigawatts of natural gas will need to come online in Louisiana to power a single Meta data center this decade. Google Cloud is spending $25 billion on AI just in the PJM grid on the US East Coast. By 2028, AI could account for 326 terawatt-hours of electricity demand in the US annually, generating over 100 million metric tons of carbon dioxide.
We need more reporting from major players in AI, and Google’s recent announcement is one of the most transparent accounts yet. But one small number doesn’t negate the ways this technology is affecting communities and changing our power grid.
This article is from The Spark, MIT Technology Review’s weekly climate newsletter. To receive it in your inbox every Wednesday, sign up here.
Over the past 20 years building advanced AI systems—from academic labs to enterprise deployments—I’ve witnessed AI’s waves of success rise and fall. My journey began during the “AI Winter,” when billions were invested in expert systems that ultimately underdelivered. Flash forward to today: large language models (LLMs) represent a quantum leap forward, but their prompt-based adoption is similarly overhyped, as it’s essentially a rule-based approach disguised in natural language.
At Ensemble, the leading revenue cycle management (RCM) company for hospitals, we focus on overcoming model limitations by investing in what we believe is the next step in AI evolution: grounding LLMs in facts and logic through neuro-symbolic AI. Our in-house AI incubator pairs elite AI researchers with health-care experts to develop agentic systems powered by a neuro-symbolic AI framework. This bridges LLMs’ intuitive power with the precision of symbolic representation and reasoning.
Overcoming LLM limitations
LLMs excel at understanding nuanced context, performing instinctive reasoning, and generating human-like interactions, making them ideal for agentic tools to then interpret intricate data and communicate effectively. Yet in a domain like health care where compliance, accuracy, and adherence to regulatory standards are non-negotiable—and where a wealth of structured resources like taxonomies, rules, and clinical guidelines define the landscape—symbolic AI is indispensable.
By fusing LLMs and reinforcement learning with structured knowledge bases and clinical logic, our hybrid architecture delivers more than just intelligent automation—it minimizes hallucinations, expands reasoning capabilities, and ensures every decision is grounded in established guidelines and enforceable guardrails.
Creating a successful agentic AI strategy
Ensemble’s agentic AI approach includes three core pillars:
1. High-fidelity data sets: By managing revenue operations for hundreds of hospitals nationwide, Ensemble has unparalleled access to one of the most robust administrative datasets in health care. The team has decades of data aggregation, cleansing, and harmonization efforts behind it, providing an exceptional environment to develop advanced applications.
To power our agentic systems, we’ve harmonized more than 2 petabytes of longitudinal claims data, 80,000 denial audit letters, and 80 million annual transactions mapped to industry-leading outcomes. This data fuels our end-to-end intelligence engine, EIQ, providing structured, context-rich data pipelines spanning the 600-plus steps of revenue operations.
2. Collaborative domain expertise: Partnering with revenue cycle domain experts at each step of innovation, our AI scientists benefit from direct collaboration with in-house RCM experts, clinical ontologists, and clinical data labeling teams. Together, they architect nuanced use cases that account for regulatory constraints, evolving payer-specific logic and the complexity of revenue cycle processes. Embedded end users provide post-deployment feedback for continuous improvement cycles, flagging friction points early and enabling rapid iteration.
This trilateral collaboration—AI scientists, health-care experts, and end users—creates unmatched contextual awareness that escalates to human judgement appropriately, resulting in a system mirroring decision-making of experienced operators, and with the speed, scale, and consistency of AI, all with human oversight.
3. Elite AI scientists drive differentiation: Ensemble’s incubator model for research and development comprises AI talent typically found only in big tech. Our scientists hold PhD and MS degrees from top AI/NLP institutions like Columbia University and Carnegie Mellon University, and bring decades of experience from FAANG companies [Facebook/Meta, Amazon, Apple, Netflix, Google/Alphabet] and AI startups. At Ensemble, they’re able to pursue cutting-edge research in areas like LLMs, reinforcement learning, and neuro-symbolic AI within a mission-driven environment.
They also have unparalleled access to vast amounts of private and sensitive health-care data they wouldn’t see at tech giants, paired with compute and infrastructure that startups simply can’t afford. This unique environment equips our scientists with everything they need to test novel ideas and push the frontiers of AI research, while driving meaningful, real-world impact in health care and improving lives.
Strategy in action: Health-care use cases in production and pilot
By pairing the brightest AI minds with the most powerful health-care resources, we’re successfully building, deploying, and scaling AI models that are delivering tangible results across hundreds of health systems. Here’s how we put it into action:
Supporting clinical reasoning: Ensemble deployed neuro-symbolic AI with fine-tuned LLMs to support clinical reasoning. Clinical guidelines are rewritten into proprietary symbolic language and reviewed by humans for accuracy. When a hospital is denied payment for appropriate clinical care, an LLM-based system parses the patient record to produce the same symbolic language describing the patient’s clinical journey, which is matched deterministically against the guidelines to find the right justification and the proper evidence from the patient’s record. An LLM then generates a denial appeal letter with clinical justification grounded in evidence. AI-enabled clinical appeal letters have already improved denial overturn rates by 15% or more across Ensemble’s clients.
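The deterministic matching step of that pipeline, shown as an added Python example that is not Ensemble's code. The predicate vocabulary, the single toy rule (illustrative only, not a clinical guideline) and the patient facts are constructed here, standing in for a human-reviewed rule library and for what the record-parsing LLM would emit. The part worth noticing is the validation before matching: a predicate the parser invents that is not in the guideline vocabulary is rejected rather than matched, so a hallucinated finding can never become cited evidence in the appeal letter.

```python
"""Deterministic guideline matching over a symbolic patient summary: the step between
the LLM that parses the record and the LLM that writes the appeal letter.
Added example, not Ensemble's code. VOCAB, RULES and PATIENT_FACTS are constructed for
illustration (the rule is a toy, not a clinical guideline)."""
from dataclasses import dataclass

# Closed vocabulary of predicates the symbolic guideline language allows.
VOCAB = {"diagnosis", "lab", "treatment_failed", "setting"}


@dataclass(frozen=True)
class Fact:
    pred: str      # predicate name; must be in VOCAB to be usable
    args: tuple    # predicate-specific arguments, e.g. ("sodium", 118.0)
    source: str    # pointer into the patient record, cited as evidence


@dataclass(frozen=True)
class Rule:
    name: str
    criteria: tuple       # (predicate, test over args) pairs; all must be satisfied
    justification: str    # text the letter-writing model is grounded on


def validate(facts):
    """Split parser output into facts whose predicate is in VOCAB and facts that are not.
    This is the guardrail: a hallucinated predicate never reaches matching."""
    accepted = [f for f in facts if f.pred in VOCAB]
    rejected = [f for f in facts if f.pred not in VOCAB]
    return accepted, rejected


def match(rule, facts):
    """Return one supporting fact per criterion, or None if any criterion is unmet."""
    evidence = []
    for pred, test in rule.criteria:
        hit = next((f for f in facts if f.pred == pred and test(f.args)), None)
        if hit is None:
            return None
        evidence.append(hit)
    return evidence


def find_justification(rules, raw_facts):
    """Validate, then return (rule name, [evidence sources]) for the first rule whose
    criteria are all met by validated facts; ("", []) when nothing matches."""
    facts, _ = validate(raw_facts)
    for rule in rules:
        evidence = match(rule, facts)
        if evidence is not None:
            return rule.name, [f.source for f in evidence]
    return "", []


# Constructed toy rule: a critically low lab value plus a related documented diagnosis
# supports the billed level of care. Illustrative only, not a clinical guideline.
RULES = (
    Rule(
        name="critical_sodium_inpatient",
        criteria=(
            ("lab", lambda a: a[0] == "sodium" and a[1] < 125),
            ("diagnosis", lambda a: a[0] == "confusion"),
        ),
        justification="Critical sodium with neurological symptoms supports inpatient level of care.",
    ),
)

# Constructed parser output for one patient. The third fact uses a predicate outside
# VOCAB, standing in for a hallucinated finding; it must be rejected, not matched.
PATIENT_FACTS = (
    Fact("lab", ("sodium", 118.0), "labs/2025-03-02#3"),
    Fact("diagnosis", ("confusion",), "notes/ed-triage#1"),
    Fact("imaging_shows", ("cerebral_edema",), "notes/?"),
)

if __name__ == "__main__":
    name, sources = find_justification(RULES, PATIENT_FACTS)
    print("matched rule:", name, "evidence:", sources)
    print("rejected predicates:", [f.pred for f in validate(PATIENT_FACTS)[1]])
```

Because matching is deterministic and every criterion returns the record location that satisfied it, the appeal letter can cite evidence the reviewer can check line by line, and a rule that fails to match yields no justification at all rather than a plausible-sounding one.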
Building on this success, Ensemble is piloting similar clinical reasoning capabilities for utilization management and clinical documentation improvement, by analyzing real-time records, flagging documentation gaps, and suggesting compliance enhancements to reduce denial or downgrade risks.
Accelerating accurate reimbursement: Ensemble is piloting a multi-agent reasoning model to manage the complex process of collecting accurate reimbursement from health insurers. With this approach, a complex and coordinated system of autonomous agents work together to interpret account details, retrieve required data from various systems, decide account-specific next actions, automate resolution, and escalate complex cases to humans.
This will help reduce payment delays and minimize administrative burden for hospitals and ultimately improve the financial experience for patients.
Improving patient engagement: Ensemble’s conversational AI agents handle inbound patient calls naturally, routing to human operators as required. Operator assistant agents deliver call transcriptions, surface relevant data, suggest next-best actions, and streamline follow-up routines. According to Ensemble client performance metrics, the combination of these AI capabilities has reduced patient call duration by 35%, increasing one-call resolution rates and improving patient satisfaction by 15%.
The AI path forward in health care demands rigor, responsibility, and real-world impact. By grounding LLMs in symbolic logic and pairing AI scientists with domain experts, Ensemble is successfully deploying scalable AI to improve the experience for health-care providers and the people they serve.
This content was produced by Ensemble. It was not written by MIT Technology Review’s editorial staff.
This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology.
Google’s still not giving us the full picture on AI energy use
—Casey Crownhart
Google just announced that a typical query to its Gemini app uses about 0.24 watt-hours of electricity. That’s about the same as running a microwave for one second—something that feels insignificant. I run the microwave for many more seconds than that most days.
I welcome more openness from major AI players about their estimated energy use per query. But I’ve noticed that some folks are taking this number and using it to conclude that we don’t need to worry about AI’s energy demand. That’s not the right takeaway here. Let’s dig into why.
+ If you’re interested in AI’s energy footprint, earlier this year, MIT Technology Review published Power Hungry: a comprehensive series on AI and energy.
The AI Hype Index: AI-designed antibiotics show promise
Separating AI reality from hyped-up fiction isn’t always easy. That’s why we’ve created the AI Hype Index—a simple, at-a-glance summary of everything you need to know about the state of the industry. Take a look at this month’s edition here.
The must-reads
I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.
1 The White House has fired the director of the CDC
But Susan Monarez is refusing to go quietly. (WP $)
+ Monarez is said to have clashed with RFK Jr over vaccine policy. (NYT $)
+ She was confirmed by the Senate to the position just last month. (The Guardian)
+ Vaccine consensus is splintering across the US. (Vox)
2 A Chinese hacking campaign hit at least 200 US organizations
Intelligence agencies say the breaches are among the most significant ever. (WP $)
+ AI-generated ransomware is on the rise. (Wired $)
3 Ukraine’s new Flamingo cruise missile took just months to build
Russia’s air defenses are weakening. Can this missile exploit the gaps? (Economist $)
+ 14 people were killed in an overnight bombardment of Kyiv. (BBC)
+ On the ground in Ukraine’s largest Starlink repair shop. (MIT Technology Review)
4 AI infrastructure spending is boosting the US economy
Companies are throwing so much money at AI hardware it’s lifting the real economy, not just the stock market. (NYT $)
+ How to fine-tune AI for prosperity. (MIT Technology Review)
5 OpenAI and Anthropic safety-tested each other’s AI
They found Claude is a lot more cautious than OpenAI’s mini models. (Engadget)
+ Sycophancy was a repeated issue among OpenAI’s models. (TechCrunch)
+ This benchmark used Reddit’s AITA to test how much AI models suck up to us. (MIT Technology Review)
6 Climate change exacerbated Europe’s deadly wildfires
And fires across the Mediterranean are likely to become more frequent and severe. (BBC)
+ What the collapse of a glacier can teach us. (New Yorker $)
+ How AI can help spot wildfires. (MIT Technology Review)
7 911 centers are using AI to answer calls
It’s helping to triage anything that isn’t urgent. (TechCrunch)
8 Wikipedia has compiled a list of AI writing tropes
But their presence still isn’t a dead giveaway a text has been written by AI. (Fast Company $)
+ AI-text detection tools are really easy to fool. (MIT Technology Review)
9 Melania Trump has launched the Presidential AI Challenge
But it’s not all that clear what the competition actually is. (NY Mag $)
10 Netflix’s algorithm-appeasing movies are bland and boring
But millions of people will watch them anyway. (The Guardian)
Quote of the day
“The more you buy, the more you grow.”
—Nvidia CEO Jensen Huang conveniently sees no end to the AI chip spending boom, Reuters reports.
Inside the strange limbo facing millions of IVF embryos
Millions of embryos created through IVF sit frozen in time, stored in cryopreservation tanks around the world, and the number is only growing.
At a basic level, an embryo is simply a tiny ball of a hundred or so cells. But unlike other types of body tissue, it holds the potential for life. Many argue that this endows embryos with a special moral status, one that requires special protections.
The problem is that no one can really agree on what that status is. What do these embryos mean to us? And who should be responsible for them? Read the full story.
—Jessica Hamzelou
We can still have nice things
A place for comfort, fun and distraction to brighten up your day. (Got any ideas? Drop me a line or skeet ’em at me.)
+ Wow, that is one seriously orange shark!
+ TikTok is a proven way to introduce younger generations to older music—and now it’s Radiohead’s turn.
+ Why we’re still going bananas for Donkey Kong after all these years
+ This photo perfectly captures the joy of letting loose at a wedding.