The 12 Web Standards Every Modern Site Should Hit in 2026
A practical checklist of the technical, design and SEO baselines every new website should meet - the ones that separate a 'real' site from a brochure.
When clients ask us “what does a properly built website actually mean?”, they’re really asking for a quality bar. Here’s the one we work to internally. If your current site fails more than three of these, you’re below the modern threshold.
1. LCP under 2.5 seconds on mobile (75th percentile)
Page-load isn’t a single number - Google measures it at the 75th percentile of your real visitors. That means even if your fast-fibre desktop test looks good, mid-range Android phones over 4G need to render the largest content element within 2.5 seconds. Anything slower and you’re below Google’s “good” threshold.
This is the single biggest technical lever for SEO and conversion. Get this right first.
2. Cumulative Layout Shift under 0.1
No jumping content. No text reflowing as fonts load. No buttons sliding away as ads insert. The page should settle within a frame or two.
The fix is mostly hygiene: image dimensions explicit in HTML or CSS, fonts with matched-metric fallbacks, embeds reserved at fixed heights.
3. INP under 200 milliseconds
When the user clicks, taps, or types - anywhere on the site - the next paint should happen within 200ms. This isn’t just buttons; it includes form fields, navigation toggles, search.
INP killers: heavy GTM containers, React components re-rendering large trees, long-running event handlers, third-party chat widgets running on every interaction.
4. Accessible at WCAG 2.1 AA
In Australia, accessibility is increasingly a legal expectation under the Disability Discrimination Act. Beyond compliance, it’s just good practice. The baseline:
- Colour contrast ratios of at least 4.5:1 for body text, 3:1 for large text and UI components
- All interactive elements reachable and usable with keyboard alone
- Every image has descriptive
alttext (oralt=""if decorative) - Form fields have associated labels
- Headings used semantically (one H1, then H2/H3 nesting properly)
- Focus styles visible (not removed by
outline: nonewithout replacement) - Live regions announced for dynamic content (form errors, loading states)
Run axe DevTools and Lighthouse Accessibility once a sprint. A score of 95+ is reasonable to maintain.
5. Proper semantic HTML
Use the elements the browser actually has: <header>, <nav>, <main>, <article>, <section>, <aside>, <footer>. Not just <div> everywhere.
This isn’t pedantry. Screen readers, search engines, and the browser’s reader mode all use these semantics. A site that uses them properly is more usable, more accessible, and more crawlable.
6. Complete OpenGraph and Twitter card meta
Every page should have:
<title>(50–60 chars, keyword-bearing)<meta name="description">(140–160 chars, written for click-through)<meta property="og:title">,og:description,og:image,og:url,og:type<meta name="twitter:card">set tosummary_large_image<link rel="canonical">pointing to the canonical URL
The OG image specifically should be 1200×630px, under 1MB, with key copy at large enough size to be readable as a social thumbnail. Most sites get this wrong.
7. JSON-LD structured data on every page
At minimum:
Organizationschema sitewide with logo, name, contact info, sameAs (social links)WebSiteschema with site search actionBreadcrumbListon every page below the homepageArticleschema on blog/insight pagesLocalBusinessschema on the homepage if you have a physical locationFAQPageschema where you have FAQ contentProduct,Offer,Reviewschemas for e-commerce
This is what powers rich snippets in search results - stars, breadcrumbs, FAQ accordions, product prices. It’s also increasingly important for AI search (Perplexity, ChatGPT search) which reads structured data preferentially.
8. XML sitemap and clean robots.txt
A submitted sitemap.xml at /sitemap.xml or /sitemap-index.xml, listing every public URL with <lastmod> dates. Submit it in Google Search Console. Most static-site frameworks generate this automatically.
robots.txt should disallow /api/, admin routes, search result pages, and faceted-navigation URLs - but never /wp-content/ or /_astro/ (you need bots to load CSS and JS for rendering).
9. HTTPS, HSTS and modern security headers
HTTPS is table stakes. Beyond that, every response should set:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGIN(or useContent-Security-Policy: frame-ancestors)Referrer-Policy: strict-origin-when-cross-originPermissions-Policy: camera=(), microphone=(), geolocation=()(deny by default)
Run securityheaders.com on your site. A grade should be A or A+. Lower than that and you’re inviting trouble.
10. Forms that actually deliver
Half the contact forms we audit are broken in one of these ways:
- Submitting to a Gmail address (lands in spam)
- No server-side validation (relying on client-side only)
- No honeypot or rate limiting (drowning in spam)
- No confirmation email to the sender (looks broken to the user)
- No CRM integration (leads vanish into an inbox nobody reads)
A real form is sent via a transactional email service (Brevo, SendGrid, Postmark), confirmed back to the sender, routed to the right team member, and logged somewhere (a CRM, an analytics event, a Slack channel).
11. Tracking that survives modern privacy controls
Third-party cookies are gone in Safari and Firefox, and going in Chrome. Old GA4 setups that rely on default cookie-based tracking lose 30–60% of conversion data on iOS.
The modern setup:
- GA4 with server-side tagging via Google Tag Manager
- A consent banner that honours user choice (and works in Australia for European visitors - relevant under GDPR if you serve anywhere internationally)
- Conversion events sent server-side as well as client-side
- First-party cookies for session tracking where possible
This is what separates a tracking setup that holds up to scrutiny from one that quietly leaks data over time.
12. A maintenance plan, not just a launch
Websites rot. WordPress plugins go stale. Frameworks deprecate methods. Browsers change. Without a maintenance plan, every site is on a 24-month decay curve.
The minimum maintenance baseline:
- Monthly: dependency updates, broken link check, plugin updates, security patches
- Quarterly: Core Web Vitals review, search console errors review, accessibility scan
- Annually: a full design and content audit. What still resonates? What’s drifted?
Most agencies will offer this as a retainer at $200–$600/month for a typical small-business site. It’s not optional unless you have an in-house developer.
How to use this list
Run it as an audit on your current site. Score 1 point for each item you can confidently say “yes” to.
- 10–12: You’re at modern web standards. Pour your effort into content and conversion.
- 7–9: Solid foundation. The remaining items are usually a 2–4 week fix-up engagement, not a rebuild.
- 4–6: You have a brochure, not a website. There’s a real conversation to have about a rebuild.
- 0–3: You’re losing money daily. Stop reading this and fix something.
Want us to score your site for free? Send us your URL and we’ll send back a one-page audit against this list within 48 hours.