What WordPress Actually Is (and Why Most Contractor Sites Run On It)
WordPress started as blogging software in 2003. It became the default for small-business sites because it is free to install, has a huge library of themes, and almost any web designer knows how to use it. That is the whole draw: low barrier to entry, for the builder, not necessarily for you.
A WordPress contractor site is usually a stack: WordPress core, a purchased or free theme (Astra, Divi, GeneratePress, a builder like Elementor), and a pile of plugins bolted on to do things WordPress does not do out of the box, a contact form plugin, an SEO plugin, a caching plugin, a security plugin, a page-builder plugin, sometimes ten or more. Every one of those is a separate piece of software with its own update schedule, its own compatibility quirks, and its own chance of breaking when another plugin updates.
That is not automatically bad. A well-maintained WordPress site, kept lean and updated on a schedule, can run fine for years. The problem is what actually happens in the field: most contractor WordPress sites were built once by a designer who is no longer answering calls, and nobody has logged in to update anything since. Plugins go stale. Themes stop getting security patches. That is how a site that looked fine at launch ends up slow, hacked, or both eighteen months later.
- Plugin count directly correlates with page weight and load time. Ten plugins means ten scripts loading on every page, whether that page needs them or not.
- WordPress core, the theme, and every plugin all need separate security updates. Miss one and you have an open door.
- Page builders (Elementor, Divi, WPBakery) generate bloated markup under the hood: dozens of nested
divwrappers for a single button. That markup is what a browser and a crawler both have to parse.
None of this means WordPress cannot work. It means WordPress is a platform you have to keep maintaining, not a website you build once and walk away from.
What a Hand-Coded Site Actually Is
Hand-coded means what it says: HTML, CSS, and plain JavaScript written directly for your pages, no content-management system sitting underneath, no plugin marketplace, no database of posts and templates rendering the page on every visit. The page you see is close to the file that gets served. There is nothing to update because there is no framework underneath aging out.
This is not a hobbyist approach and it is not the same as a drag-and-drop DIY builder (Wix, Squarespace, GoDaddy Builder), which is its own category with its own tradeoffs covered separately. Hand-coded means a developer writes the actual code for your business, your trades, your service areas, and your job photos, not a template with your logo swapped in.
What that buys a contractor:
- Speed. No database query has to run before the page can render. No plugin has to check a license server. The browser gets HTML and CSS and shows it. That is the single biggest lever behind under 2 seconds load times.
- Nothing to hack. WordPress sites get compromised through outdated plugins and weak admin logins more than any other vector. A hand-coded static site has no admin login and no plugin surface to exploit. There is far less attack surface, period.
- No update treadmill. Nothing ages out from underneath you. The site works the same way in year three as it did on launch day, because there is no core software quietly falling out of support.
- Clean markup. The HTML matches the content. That matters more than it used to, and the next section is why.
The tradeoff is real too: hand-coded sites are not something you edit yourself at 11pm from a phone app. Content changes go through the developer. For a contractor whose site mostly needs new job photos, an updated service area, or a new trade page added once or twice a year, that tradeoff is a fair trade for the speed and durability. For a business that wants to publish blog posts daily, it is a worse fit, and we will say so.
Load Time: Where the Difference Shows Up Fastest
A homeowner searching "emergency roof leak near me" on a phone with two bars of signal does not wait around for a slow site. Every extra second of load time costs conversions, and Google has said load speed factors into ranking, particularly on mobile. This is not theoretical for a contractor: it is the difference between a click that turns into a call and a click that bounces back to the search results and calls the next name down.
A stock WordPress install with a heavy theme and a handful of plugins commonly lands in the 3 to 6 second range on mobile before any optimization work. Getting that down to 2 seconds or under is possible, but it requires caching plugins, image optimization plugins, a CDN, and usually a developer who periodically checks that none of that has drifted or broken after the last update. It is maintainable speed, not built-in speed.
| Factor | Typical WordPress | Hand-coded static site |
|---|---|---|
| Baseline mobile load (unoptimized) | 3-6 seconds | Under 2 seconds |
| What it takes to get fast | Caching + image + CDN plugins, ongoing tuning | Built in from the first line of code |
| Stays fast after 12 months untouched | Usually degrades as plugins accumulate | Stays fast, nothing to bloat it |
| Server round trips per page | Database query + plugin hooks on every load | Static file, served directly |
For a roofer or an HVAC contractor running paid ads to a landing page, load time is not a nice-to-have. Slow pages burn ad spend on clicks that never convert. A hand-coded page starts fast because there is nothing heavy to strip out later. That is the built-in advantage, not a maintenance project you have to keep funding.
Security and Upkeep: Who Is Watching the Site After Launch
WordPress powers a large share of the web, which is exactly why it is the most targeted CMS for automated attacks. Bots scan constantly for outdated plugin versions with known vulnerabilities. A contractor site running an old contact-form plugin or an abandoned page builder is a soft target, and the owner usually finds out only when Google flags the site for malware or a client calls asking why the site is redirecting to a pharmacy ad.
Keeping a WordPress site secure is an ongoing job, not a one-time setup: core updates, theme updates, plugin updates, a security plugin monitoring for intrusions, backups in case something still gets through. That is real, recurring work. Some agencies sell it as a monthly maintenance retainer. Some contractors just never do it, and their site quietly rots until something breaks visibly.
- Plugin conflicts. Update one plugin and it breaks the page builder rendering. This happens often enough that WordPress developers keep staging environments just to test updates before pushing them live.
- Abandoned plugins. A plugin the site depends on stops being maintained by its developer. It still works today. It becomes a liability the day a security hole is found and never patched.
- Login-based attacks. Every WordPress site has a login page at a predictable URL. Brute-force login attempts are constant background noise on the open web.
A hand-coded static site sidesteps most of this category of problem entirely. There is no admin login for a bot to hammer, no plugin with a forgotten CVE, no database to inject. The attack surface most WordPress security plugins exist to defend simply is not there. That does not mean zero maintenance forever, DNS, hosting, and forms still need occasional attention, but it removes the single biggest recurring liability contractors take on without realizing it at launch.
Can AI Search Engines Actually Read the Site?
This is the part most WordPress-vs-custom comparisons skip, and it is becoming the more important half of the question. ChatGPT, Perplexity, and Google's AI Overviews do not browse a page the way a human does. They pull structure: clean headings, clear service and pricing blocks, schema markup, and text that says plainly what the business does, where it works, and what it costs, without needing to click through six page-builder wrapper divs to find it.
Page builders (Elementor, Divi, and similar) generate markup for humans looking at a visual editor, not for a language model parsing structure. A single heading can be buried inside a dozen nested div and section tags with no semantic meaning attached. That markup still renders correctly in a browser. It is far messier for anything trying to extract structured facts out of the page, and messier markup means more work for a crawler to figure out what your headings, your service list, and your pricing block actually mean.
A hand-coded page is built the other way around: heading tags used correctly, an at-a-glance fact block on every service page, schema markup (Service, FAQPage, HowTo) written to match the visible content exactly, no filler markup in between. That is not a ranking trick. It is giving the AI something clean to read instead of something to untangle.
To be direct about where this silo's lane ends: building the site so it is structured for AI search is what we cover here. The ongoing work of tracking and improving how often ChatGPT and Perplexity actually cite and quote a contractor, month over month, is a separate service (AI search visibility as a program, not a one-time build decision). This guide is about whether the site itself is built in a way that makes that ongoing work possible. WordPress can be configured to get closer with the right SEO plugin and enough manual cleanup. Hand-coded starts there.
Cost: Sticker Price vs What It Actually Costs Over Three Years
WordPress often looks cheaper up front, and sometimes it is. A theme costs $60. Hosting can run $10 to $30 a month. A freelancer can assemble a WordPress site from a theme in a few days for less than a fully custom build. That comparison is fair as far as it goes, on day one.
The number that gets left out is what happens after launch. A WordPress site that nobody maintains is a WordPress site that gets slow, gets a plugin conflict, or gets compromised, and then someone has to pay to fix it, usually at a worse hourly rate than a planned maintenance contract would have cost, because now it is an emergency. Add up hosting, a security plugin subscription, a caching plugin subscription, an SEO plugin subscription, and periodic developer hours to untangle plugin conflicts, and the three-year total often lands close to, or past, what a hand-coded build cost up front with nothing recurring behind it.
- WordPress recurring costs: hosting, premium plugin licenses (forms, SEO, security, page builder), periodic update/maintenance hours, and the eventual cost of cleaning up a hack or a broken update.
- Hand-coded recurring costs: hosting (typically simpler and cheaper, since there is no database or PHP runtime to host), DNS, and developer hours only when you actually want something changed.
Real dollar ranges for a contractor build, WordPress or hand-coded, and what drives the number up or down, are covered in full in the companion guide on contractor website cost. The short version for this comparison: hand-coded front-loads the cost and then goes quiet. WordPress spreads the cost out, and the total depends entirely on whether anyone actually keeps up the maintenance, which in practice, for most contractor sites we see, nobody does.
When WordPress Is Still the Right Call
We build hand-coded sites and we will tell you plainly where WordPress still wins, because pretending otherwise would not survive first contact with your actual business.
WordPress makes sense if you or someone on staff wants to log in and publish new content constantly, multiple blog posts a week, frequent landing pages for every new promotion, a large team of non-technical people who all need editing access. That is what a CMS is for. If content velocity is the priority and someone in-house is going to own it, a well-built, well-maintained WordPress install is a legitimate tool for that job.
WordPress also makes sense if budget only allows for a low up-front cost and the business accepts the maintenance risk in exchange, with eyes open, knowing what that tradeoff means for speed and security over time.
For most contractors, though, the actual pattern of site changes is: new job photos a few times a year, an updated service area page, a new trade added when the business expands, seasonal promo swaps. That is not a publishing operation. That is occasional, planned content, exactly the kind of change a hand-coded site handles fine through a developer, without needing an in-house content team or a plugin stack humming in the background 24/7 waiting to be exploited.
The honest question to ask before choosing: who is going to be logged into this site in eighteen months, updating plugins and watching for security patches. If the answer is nobody, hand-coded removes that risk instead of accepting it and hoping.