What "WordPress" Actually Means for a Contractor Site
WordPress is a content management system: a database-backed platform with a theme layer and a plugin ecosystem. For a contractor, that usually means a purchased theme (Astra, Divi, Avada, a builder like Elementor), a form plugin, an SEO plugin, a caching plugin, a security plugin, and whatever the last agency bolted on to make the demo look good. Every one of those pieces is a separate codebase written by a separate team, running on your server, that has to be updated forever.
The pitch for WordPress is real: it's cheap to spin up, there are a million tutorials, and in theory you can log in and edit a page yourself without calling anyone. That last part is the appeal for a lot of contractors who got burned once by an agency that disappeared with the login.
The problem is what happens after launch. A typical contractor WordPress site runs 15 to 40 plugins by year two. Nobody planned that. It happened one "quick add" at a time: a popup plugin for a promo, a chat widget, a form builder, a gallery plugin, a redirect manager. Each one is a door. Most contractor sites we've audited that were built on WordPress 3+ years ago are running outdated plugin versions, because updating them risks breaking the layout, and nobody wants to touch it.
- Plugins and themes need updates constantly, and updates sometimes break the site
- Every plugin is a potential vulnerability, WordPress security patches are reactive, not preventive
- Page builders (Elementor, Divi, WPBakery) generate bloated markup that slows load time
- Hosting quality varies wildly and cheap WordPress hosting is a common root cause of slow load times
- You're licensing a premium theme and often several premium plugins on top of hosting, an ongoing cost stack
None of this makes WordPress a bad product. It makes it a maintenance commitment, and most contractors didn't sign up to run a second piece of software alongside their actual trade.
What "Custom-Coded" Actually Means
Custom-coded means the site is written directly in HTML, CSS, and JavaScript (or a modern static-site framework compiling down to the same), with no database, no admin dashboard, and no plugin layer. There's nothing for a bot to log into because there's no login. There's no plugin to go unpatched because there's no plugin. The page you load is close to the file that gets served, which is a large part of why it loads fast.
The tradeoff is upfront labor. Every page section, every form wiring, every integration has to be built by a developer rather than dragged into place by a builder plugin. That's why custom-coded sites cost more to build initially (see our full cost breakdown in the related guide below) and why turnaround is measured in weeks of build time, not an afternoon of theme customization.
What you get back for that cost: a site with almost no attack surface, load times that don't degrade as you add pages, and full ownership of the code and domain. When we build custom, you get the actual codebase and you host it on your own Cloudflare account. There's no platform to get locked into, no recurring builder-plugin license, and no agency holding your login hostage. That last point matters more than most contractors realize until they've lived through the alternative: paying a developer just to get their own site back.
| Factor | WordPress | Custom-Coded |
|---|---|---|
| Typical load time | 3-8 seconds, unoptimized | Under 2 seconds |
| Plugin/theme updates | Ongoing, indefinitely | None (no plugins) |
| Self-edit text/images | Yes, via dashboard | Requires a developer for structural changes |
| Security surface | Large (core + theme + every plugin) | Minimal (no login, no database) |
| Code/domain ownership | Depends on host and agreement | Full ownership, handed over |
| Upfront build cost | Lower | Higher |
| Recurring platform costs | Hosting + theme + plugin licenses | Domain + hosting only |
Neither column is universally right. The right column is a better fit for a contractor whose website is core infrastructure, not a side project.
Speed: Why the Gap Is Bigger Than It Looks
Speed isn't a vanity metric for a contractor site. Google uses Core Web Vitals as a ranking input, and a slow-loading page bleeds mobile leads before the phone number even renders, because a homeowner standing in their driveway with a leaking water heater isn't waiting eight seconds for a hero image to paint.
WordPress sites are slow for structural reasons, not because anyone did anything wrong. Every page request has to boot PHP, query a database, run the theme's templating logic, then run whatever the active plugins inject, before a byte of HTML reaches the browser. Add a page builder like Elementor or Divi and you're shipping extra CSS and JS frameworks the visitor's browser has to parse before the page is usable. Caching plugins paper over some of this, but they're a patch on the underlying architecture, not a fix.
A custom-coded, static-hosted site skips almost all of that. There's no database query at request time. What Cloudflare serves is close to the final HTML, cached at edge locations worldwide, so a homeowner in Phoenix and one in Charlotte both get the page from a server physically near them. That's the mechanical reason "under 2 seconds" is realistic for a static build and a stretch goal for a plugin-heavy WordPress install.
- Static HTML/CSS/JS has no server-side rendering step at request time
- No database query means no query latency, no database as a point of failure
- Edge caching (Cloudflare) puts the page physically closer to the visitor
- Fewer JavaScript frameworks loading means less to parse before the page is interactive
If your current site already runs on WordPress and is loading slow, that's fixable without a full rebuild in some cases (see our slow-load diagnostic guide below) but the ceiling on how fast a plugin-dependent site can get is lower than a static build's floor.
Security: The Attack Surface Nobody Budgets For
WordPress powers a huge share of the web, which is exactly why it's the most-targeted CMS on the internet. Automated bots scan constantly for outdated plugin versions, known vulnerabilities, and default admin paths. It's not personal. It's a numbers game, and a contractor's site with a stale contact-form plugin looks the same to a bot as anyone else's.
A hacked contractor site usually shows up one of three ways: injected spam links that tank your rankings, a defaced homepage a customer sees mid-search, or a silent malware injection that gets the whole domain blacklisted by Google, which is the version that costs actual leads because the site vanishes from search results while you're trying to figure out what happened. Recovery means a security firm, a clean reinstall, and lost search visibility while Google re-crawls and re-trusts the domain. None of that is a hypothetical for an established contractor. It's the exact scenario an owner is usually mid-panic about when they finally call a web company instead of an agency that vanished after the invoice cleared.
Custom-coded static sites remove almost the entire attack surface. There's no admin login to brute-force, no plugin to exploit, no database to inject SQL into. The site is a set of files served from Cloudflare's edge network. That's not a marketing claim, it's a structural fact: you can't hack a login page that doesn't exist. There's also no wp-admin path for a bot to find in the first place, which sounds small until you realize that's the single most common entry point in every contractor-site breach we've reviewed.
This matters more for trades handling sensitive intake (deposits, financing applications, detailed customer addresses for scheduling) than for a basic brochure site, but every contractor site is a target the moment it has a contact form and a domain with any authority. The security case for custom code isn't paranoia, it's arithmetic: fewer moving parts, fewer things to patch, fewer 2am calls about a defaced homepage.
Worth saying plainly: a WordPress site can be hardened. Managed WordPress hosting, a lean plugin count, and a disciplined update schedule cut the risk considerably. But that's ongoing labor, either yours or someone you're paying for it, for the life of the site. Static hosting removes the labor by removing the surface, not by managing it better.
Ownership and Lock-In: What Happens If You Want to Leave
This is the question that gets asked after something's already gone wrong, usually with a previous web company. A contractor calls wanting their login, their files, their domain, and finds out the agency built the site inside their own account, on a theme license tied to their name, with no clean way to extract it. That's platform lock-in, and it's common enough in the WordPress agency world that it deserves saying plainly: not every WordPress build is locked down like this, but plenty are, by design or by neglect, and you often don't find out until you try to leave.
With a custom-coded build done right, you get the actual source files and the domain sits in your own Cloudflare account under your own login. If you want a different developer next year, you hand them the codebase and they can start immediately. There's no proprietary builder format to export, no theme license to re-purchase, no "you have to keep paying us $150/month or the site goes dark" arrangement.
- Ask any web company directly: "If I stop paying you, do I keep the site, the code, and the domain?"
- Get the answer in writing before you sign, not after you've paid for the build
- Confirm the domain registrar account is yours, not the agency's, this is the single most common hostage point
- Ask what format the code is in, and whether a different developer could pick it up cold
This isn't unique to WordPress vs custom code, either platform can be built with lock-in or without it. But hand-coded sites with no CMS layer have fewer places to hide a dependency, and "we hand you the codebase and the domain" is a build practice, not a marketing line, so it's worth confirming in writing regardless of who builds it.
Integrations: Booking, CRM, and Payment Wiring
Most established contractors don't just need a website, they need a website wired to the software that already runs the business: ServiceTitan, Jobber, Housecall Pro for scheduling, a CRM for lead tracking, call tracking numbers, payment processors for deposits, review platforms, live chat. This is where the two approaches diverge in a way that surprises people who assumed WordPress "has a plugin for everything."
WordPress often does have a plugin for a given integration, but that plugin is a third-party build maintained by someone outside your control, subject to the same update-and-break cycle as every other plugin on the site. When the integration is core to how leads reach your dispatch board, a broken plugin update isn't a cosmetic bug, it's a missed job.
Custom-coded sites handle integrations through direct API and webhook wiring: the form posts straight to your CRM or scheduling tool, the phone numbers route through call tracking without a plugin in between, the payment button hits the processor's own hosted checkout. Fewer intermediary layers means fewer places for a lead to silently disappear between "customer submitted the form" and "it showed up on your desk."
| Integration | WordPress approach | Custom-coded approach |
|---|---|---|
| Booking (Jobber, Housecall Pro, ServiceTitan) | Plugin or embed widget | Direct embed or API wiring |
| CRM / lead routing | Form plugin + Zapier + CRM plugin | Direct webhook to CRM |
| Call tracking | Plugin-injected tracking number swap | Native script, no plugin dependency |
| Payments / deposits | WooCommerce or payment plugin | Hosted checkout link, no plugin |
This is squarely the engineering layer: how the site talks to your tools. It's not a ranking or traffic question, it's a build-and-wire question, and it's usually the deciding factor for contractors who've already outgrown a brochure site.
So Which One Should You Actually Pick
Pick WordPress if you're just starting out, you genuinely plan to write and publish blog content yourself every week without a developer's help, your budget for the initial build is the tightest constraint, and you're willing to own the ongoing maintenance (or pay someone to own it for you) for as long as the site runs.
Pick custom-coded if you're an established contractor who has already been burned once (slow site, hacked site, hostage login), your site's main job is converting search traffic and AI-search citations into booked jobs rather than being a personal blog, you need it wired cleanly to the scheduling and CRM tools you already run the business on, and you'd rather pay more once at build time than keep paying a plugin-and-hosting tax indefinitely.
The honest middle ground: a lot of contractors don't need this decision made from scratch, because they already have a WordPress site that's slow, cluttered, or hard to maintain. A WordPress-to-static migration takes the content and structure you've already built rankings on and rebuilds it as hand-coded, hosted on your own Cloudflare account, without starting your search visibility over from zero. That's usually the right call for an owner who's already spent years building domain authority and doesn't want to gamble it on a from-scratch rebuild.
What we won't do is tell every contractor that custom code is the only right answer. If you're a one-truck operation testing the market, a well-built WordPress site with a lean plugin count and good hosting can work fine for a year or two. The pitch for custom code gets stronger in direct proportion to how much your business already depends on the site working, loading fast, and staying wired to the tools your crew uses every day. If you're not sure which category you're in, that's exactly what a real audit is for: a look at your current site's plugin count, load time, and security posture instead of a guess.