The 12 Web Standards Every Modern Site Should Hit in 2026

A practical checklist of the technical, design and SEO baselines every new website should meet - the ones that separate a 'real' site from a brochure.

The 12 Web Standards Every Modern Site Should Hit in 2026 - Web Development article cover by Defyn

When clients ask us “what does a properly built website actually mean?”, they’re really asking for a quality bar. Here’s the one we work to internally. If your current site fails more than three of these, you’re below the modern threshold.

1. LCP under 2.5 seconds on mobile (75th percentile)

Page-load isn’t a single number - Google measures it at the 75th percentile of your real visitors. That means even if your fast-fibre desktop test looks good, mid-range Android phones over 4G need to render the largest content element within 2.5 seconds. Anything slower and you’re below Google’s “good” threshold.

This is the single biggest technical lever for SEO and conversion. Get this right first.

2. Cumulative Layout Shift under 0.1

No jumping content. No text reflowing as fonts load. No buttons sliding away as ads insert. The page should settle within a frame or two.

The fix is mostly hygiene: image dimensions explicit in HTML or CSS, fonts with matched-metric fallbacks, embeds reserved at fixed heights.

3. INP under 200 milliseconds

When the user clicks, taps, or types - anywhere on the site - the next paint should happen within 200ms. This isn’t just buttons; it includes form fields, navigation toggles, search.

INP killers: heavy GTM containers, React components re-rendering large trees, long-running event handlers, third-party chat widgets running on every interaction.

4. Accessible at WCAG 2.1 AA

In Australia, accessibility is increasingly a legal expectation under the Disability Discrimination Act. Beyond compliance, it’s just good practice. The baseline:

  • Colour contrast ratios of at least 4.5:1 for body text, 3:1 for large text and UI components
  • All interactive elements reachable and usable with keyboard alone
  • Every image has descriptive alt text (or alt="" if decorative)
  • Form fields have associated labels
  • Headings used semantically (one H1, then H2/H3 nesting properly)
  • Focus styles visible (not removed by outline: none without replacement)
  • Live regions announced for dynamic content (form errors, loading states)

Run axe DevTools and Lighthouse Accessibility once a sprint. A score of 95+ is reasonable to maintain.

5. Proper semantic HTML

Use the elements the browser actually has: <header>, <nav>, <main>, <article>, <section>, <aside>, <footer>. Not just <div> everywhere.

This isn’t pedantry. Screen readers, search engines, and the browser’s reader mode all use these semantics. A site that uses them properly is more usable, more accessible, and more crawlable.

6. Complete OpenGraph and Twitter card meta

Every page should have:

  • <title> (50–60 chars, keyword-bearing)
  • <meta name="description"> (140–160 chars, written for click-through)
  • <meta property="og:title">, og:description, og:image, og:url, og:type
  • <meta name="twitter:card"> set to summary_large_image
  • <link rel="canonical"> pointing to the canonical URL

The OG image specifically should be 1200×630px, under 1MB, with key copy at large enough size to be readable as a social thumbnail. Most sites get this wrong.

7. JSON-LD structured data on every page

At minimum:

  • Organization schema sitewide with logo, name, contact info, sameAs (social links)
  • WebSite schema with site search action
  • BreadcrumbList on every page below the homepage
  • Article schema on blog/insight pages
  • LocalBusiness schema on the homepage if you have a physical location
  • FAQPage schema where you have FAQ content
  • Product, Offer, Review schemas for e-commerce

This is what powers rich snippets in search results - stars, breadcrumbs, FAQ accordions, product prices. It’s also increasingly important for AI search (Perplexity, ChatGPT search) which reads structured data preferentially.

8. XML sitemap and clean robots.txt

A submitted sitemap.xml at /sitemap.xml or /sitemap-index.xml, listing every public URL with <lastmod> dates. Submit it in Google Search Console. Most static-site frameworks generate this automatically.

robots.txt should disallow /api/, admin routes, search result pages, and faceted-navigation URLs - but never /wp-content/ or /_astro/ (you need bots to load CSS and JS for rendering).

9. HTTPS, HSTS and modern security headers

HTTPS is table stakes. Beyond that, every response should set:

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN (or use Content-Security-Policy: frame-ancestors)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=() (deny by default)

Run securityheaders.com on your site. A grade should be A or A+. Lower than that and you’re inviting trouble.

10. Forms that actually deliver

Half the contact forms we audit are broken in one of these ways:

  • Submitting to a Gmail address (lands in spam)
  • No server-side validation (relying on client-side only)
  • No honeypot or rate limiting (drowning in spam)
  • No confirmation email to the sender (looks broken to the user)
  • No CRM integration (leads vanish into an inbox nobody reads)

A real form is sent via a transactional email service (Brevo, SendGrid, Postmark), confirmed back to the sender, routed to the right team member, and logged somewhere (a CRM, an analytics event, a Slack channel).

11. Tracking that survives modern privacy controls

Third-party cookies are gone in Safari and Firefox, and going in Chrome. Old GA4 setups that rely on default cookie-based tracking lose 30–60% of conversion data on iOS.

The modern setup:

  • GA4 with server-side tagging via Google Tag Manager
  • A consent banner that honours user choice (and works in Australia for European visitors - relevant under GDPR if you serve anywhere internationally)
  • Conversion events sent server-side as well as client-side
  • First-party cookies for session tracking where possible

This is what separates a tracking setup that holds up to scrutiny from one that quietly leaks data over time.

12. A maintenance plan, not just a launch

Websites rot. WordPress plugins go stale. Frameworks deprecate methods. Browsers change. Without a maintenance plan, every site is on a 24-month decay curve.

The minimum maintenance baseline:

  • Monthly: dependency updates, broken link check, plugin updates, security patches
  • Quarterly: Core Web Vitals review, search console errors review, accessibility scan
  • Annually: a full design and content audit. What still resonates? What’s drifted?

Most agencies will offer this as a retainer at $200–$600/month for a typical small-business site. It’s not optional unless you have an in-house developer.

How to use this list

Run it as an audit on your current site. Score 1 point for each item you can confidently say “yes” to.

  • 10–12: You’re at modern web standards. Pour your effort into content and conversion.
  • 7–9: Solid foundation. The remaining items are usually a 2–4 week fix-up engagement, not a rebuild.
  • 4–6: You have a brochure, not a website. There’s a real conversation to have about a rebuild.
  • 0–3: You’re losing money daily. Stop reading this and fix something.

Want us to score your site for free? Send us your URL and we’ll send back a one-page audit against this list within 48 hours.

Keep reading

Booking or Enquiry: Which Does Your Sydney Business Need? - Web Development article cover by Defyn
Web Development

Booking or Enquiry: Which Does Your Sydney Business Need?

Should your website let customers book instantly or send an enquiry? The wrong choice quietly costs conversions. Here is how Sydney businesses pick the right path.

Why Your Google Reviews Belong on Your Website, Not Just Google - Web Development article cover by Defyn
Web Development

Why Your Google Reviews Belong on Your Website, Not Just Google

Your best reviews are working hard on Google and doing nothing on your website. Here is why Sydney businesses should put social proof where it actually converts.

How Aged Care and NDIS Providers Build Trust Online - Web Development article cover by Defyn
Web Development

How Aged Care and NDIS Providers Build Trust Online

Families choose a care provider on trust, and they decide online first. Here is how Sydney aged care and NDIS providers use their website to earn that trust and grow.