Skip to main content
← Back to the Journal

June 4, 2026

Fast, and hard to break

Speed and security aren't features you bolt on at the end. They fall out of how the thing is built — or they don't.

By Avery Lin, Studio Editor

You can't sprinkle speed on a slow site, and you can't add security to an insecure one at the end. Both are consequences of decisions made on day one — the architecture either produces them or it doesn't. That's the part that doesn't fit in a feature list, so most of the industry stays quiet about it. We won't.

Key takeaways

  • Speed and resilience are architecture decisions made on day one, not features bolted on at the end.
  • A lean custom build loads in well under a second and has a far smaller attack surface than a plugin stack.
  • We say "far harder to break," not "unbreakable" — and we build to WCAG 2.1 AA, checked on every deploy.

Why a custom build is fast

A custom coded site serves a page in well under a second because there's almost nothing between the request and the response. No heavyweight theme loading code for features you don't use. No stack of plugins each adding its own scripts. No database round-trip to assemble a page that didn't need to change. The page is built lean and served lean.

BookNox — the booking platform we built end to end — loads in well under a second, and that isn't a tuning achievement we squeezed out at the end. It's what you get for free when the thing is built lean to begin with. Speed you have to fight for after launch is usually speed the architecture is fighting against.

Security as craft, stated honestly

The fewer moving parts a site has, the fewer ways in. A site assembled from a dozen third-party extensions has a dozen things to keep patched and a dozen authors to trust. A custom build with no plugin marketplace and no exposed admin login surface simply has far fewer doors.

Here's the line we'll put in writing: this makes a site far harder to break into. It does not make it unbreakable. Nothing connected to the internet is unbreakable, and anyone who tells you their product is should worry you, not reassure you. The craft is in minimizing what can go wrong, keeping the small set of things that can be patched patched fast, and never pretending the risk is zero. Give us a smaller, well-understood attack surface and the truth about it over a guarantee no one can keep — every time.

Accessibility is part of the same discipline

A site that's built carefully is also a site more people can actually use. We build to WCAG 2.1 AA, and we check it on every deploy — an automated accessibility pass runs before the site ships, so a regression gets caught before it reaches anyone.

The precise wording matters here too: we build sites that are accessible and meet WCAG 2.1 AA. That's a craft standard we hold ourselves to, not a legal certification — "ADA compliant" is a legal conclusion, and we don't hand those out. What we'll tell you is exactly what we did: built to the standard, checked on every release.

The trade-off, out loud

This discipline costs more up front than spinning up a template, and we won't pretend otherwise. What it buys is a pair of properties you can't reliably retrofit later. A site that's fast because it's lean, and resilient because it's small, was made that way on purpose, early — by the time a slow, sprawling site is in production, those decisions are already behind you.

Fast and hard to break is a build decision. We make it on day one.

See the work · Start a project