WooCommerce has been clear about where it wants stores to go: Cart and Checkout blocks are the modern default. Its documentation says stores created after version 8.3 in November 2023 get the block cart and checkout by default, and block-theme stores can customize those templates without extra setup.
By Greg Nowak. Last updated 2026-06-18.
On May 19, 2026, Google said Search will expand agentic booking for local experiences and services, and that in select categories it will call businesses on a user's behalf in the U.S. this summer. That is more than another interface update. It moves your Google Business Profile, local landing pages, and phone setup closer to the point of sale.
For business owners, operations leads, and agency teams, the useful question is not whether Drupal CMS 2.0 looks impressive. It does. The useful question is whether it reduces delivery time without quietly increasing launch risk.
By Greg Nowak. Last updated 2026-06-17.
Most teams do not set out to create permanent credentials. Someone adds a GitHub secret so a deployment can ship, drops a Cloudflare token into a script, and moves on. Six months later the job still runs, but nobody is fully sure who can use that key, where it works, or when it is supposed to be replaced. That is usually the real problem. Rotation matters, but the bigger issue is that the credential never had an end date in the first place.
Structured outputs change what clients are really buying when they ask to automate messy intake. For a long time, these projects were framed as prompt-writing exercises: take emails, PDFs, forms, or copied text and extract the fields. In production, the expensive part was usually the cleanup afterward. You could get valid-looking JSON and still have the wrong record, with missing keys, odd nesting, or output that broke the moment it hit a CRM, spreadsheet, or back-office workflow.
By Greg Nowak. Last updated 2026-06-17.
Apache HTTP Server 2.4.68, released on June 8, 2026, is officially described by the project as a security, feature, and bug-fix release, and Apache recommends it over all previous releases. On paper, that makes it a routine upgrade. In practice, the release says something more useful for operators: the risk in older Apache estates is often buried in years of inherited proxy rules, loaded modules, and assumptions about backends that nobody has reviewed end to end.
Cloudflare Turnstile is easy to underestimate. On the surface, it looks like a cleaner CAPTCHA replacement: add a widget, avoid the old puzzle experience, move on. Cloudflare's May 2026 documentation makes it clear that the product is broader than that. Turnstile can run on sites that do not send traffic through Cloudflare, and in many cases visitors never see a challenge at all. But once you put it on a lead form, the real work shifts to validation, timing, hostname planning, analytics, secret rotation, and, for some enterprise teams, device-level signals.
By Greg Nowak. Last updated 2026-06-17.
On June 4, 2026, Tom's Hardware reported that Cloudflare's latest figures put automated HTTP requests at 57.5% of traffic, versus 42.5% for humans. Strictly speaking, that figure is about bot traffic overall, not a clean AI-only subtotal. But if you run a website, the practical conclusion is the same: crawler policy is no longer something you can leave vague. Once bots become the majority condition on the web, you need a deliberate position on who can access your content, where, and on what terms.
For years, crawler policy was a blunt instrument. If you wanted search visibility, you let the major engines in. If you did not, you blocked them. That logic breaks down once AI search enters the picture. The same site might want to appear in ChatGPT answers, keep training crawlers away from selected sections, leave Google Search alone, set a separate policy for Gemini-related use, and make sure the WAF is not quietly blocking the requests that matter.
By Greg Nowak. Last updated 2026-06-17.
Cloudflare has made stale API surface area much easier to see. API Shield can mark saved endpoints with cf-risk-zombie after 32 days without traffic, and the current docs add better ways to validate schemas, manage fallthrough behavior, and run API vulnerability scans. The hard part is still operational: deciding what is truly dead, what is just quiet, and what is still exposed because nobody owns the inventory.
By Greg Nowak. Last updated 2026-06-17.
AI crawler policy is no longer a publisher-only issue. For business websites, it is now a practical decision about lead generation, content reuse, infrastructure load, and who gets to learn from your site.
By Greg Nowak. Last updated 2026-06-17.
On June 4, 2026, WordPress core published a call for testing for client-side media processing aimed at WordPress 7.1. That may sound like a technical upgrade tucked inside the editor, but it has real operational consequences. When an image is uploaded in the block editor, the browser can now decode, resize, and encode sub-sizes locally using the VIPS library running in WebAssembly, then send those results to the server. If the browser cannot handle that work, WordPress quietly falls back to the traditional server-side path.
If you run a WordPress site for a real business, June 2026 should put an end to the idea that plugin maintenance is a light admin task. On June 1, 2026, TechRadar reported that Wordfence blocked more than 3,600 exploitation attempts in a single day against WP Maps Pro, a premium plugin flaw that let attackers create administrator accounts. On June 9, TechRadar reported active exploitation of Everest Forms Pro, where attackers were creating a rogue admin account and Wordfence had already blocked almost 30,000 takeover attempts.
As of June 16, 2026, the important thing about Let's Encrypt's May profile changes is not the announcement itself. It is what those changes reveal about your renewal setup. If your business depends on a website, app, client portal, or an agency-managed estate, certificate renewal is no longer something to leave on "it probably auto-renews."
As of June 16, 2026, HubSpot has turned an old technical shortcut into a dated risk with a clear end point. On May 12, 2026, HubSpot announced that the legacy OAuth v1 API will be deprecated on February 16, 2027. If your business relies on custom CRM integrations, agency-built HubSpot apps, lead-routing middleware, or internal reporting tools, this is no longer background maintenance. It is a scheduled remediation job.
On March 5, 2025, Google said AI Overviews had already become one of Search's most-used features, serving more than a billion people, and announced both a Gemini 2.0 upgrade and broader rollout. It also introduced AI Mode as a more conversational search experience built for follow-up questions and more complex tasks inside Search itself. For brands, that changes the operating environment. The answer layer is no longer a novelty sitting off to the side. It is increasingly the first thing a potential customer sees.
Homepage conditions look trivial until a live site picks up campaign parameters, a subfolder deployment, or an inherited rewrite rule. Then the one-line check that looked harmless starts loading the wrong hero, the wrong lead form, or the wrong analytics snippet on the page that gets the most traffic.
For business owners, operations leads, and agency teams, that is not a code-style problem. It is a delivery problem. The safest fix is to keep homepage detection short, explicit, and easy to test before launch.
Drupal CMS 2.0 changes the economics of a Drupal marketing-site rebuild. The official launch on January 28, 2026 put that shift in plain view: Drupal Canvas is now the default editing experience, AI tools are available as optional add-ons, and site templates promise a polished starting point quickly. That is genuinely useful for buyers. It also means the paid work is less about getting Drupal installed and more about making sure the finished site actually fits the organization using it.
CodeIgniter still earns its place in client portals, internal tools, and lean SaaS products because it ships quickly and stays readable for small teams. The expensive part is rarely the framework itself. It is account management: login, password resets, email delivery, session handling, rate limits, and the awkward edge cases that later become support tickets or security cleanup. For a live application, the real objective is not advanced auth. It is boring auth: predictable, reviewable, and inexpensive to maintain.
For business owners, operations leads, and agency teams, the real Drupal Commerce question is not whether it can sell online. It is whether it can support your catalog, content, integrations, and internal workflows without turning every change into custom rework. Drupal Commerce is rarely the cheapest default, but it becomes very attractive when the store is part of a broader content, B2B, membership, or integration-heavy platform.