Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15)
Status: Research material — not a finished article. Compiled May 2026.
Thesis
Most SMB websites get rebuilt every 2-4 years (Orbit Media: average across the Inc 5000 is 2 years 4 months). Orbit's own client base — sites under continuous care — averages 6 years 4 months between rebuilds. Lifespan is a function of architecture and maintenance, not a fixed property of websites.
The argument is not "never rebuild." It is "build so the rebuild is a choice driven by business strategy, not a forced move driven by accumulated debt."
What kills sites in 3-4 years
- Plugin abandonment + vulnerabilities. 96% of WP vulns in 2024 were in plugins; 1,614 plugins removed from the .org repo for unpatched issues; 35% of 2024 vulns still unpatched in 2025.
- Performance decay. Median desktop page = 2.56 MB and rising YoY; only 40-59% of mobile pages pass LCP.
- Accessibility lawsuits. 5,000+ ADA filings in 2025; EAA enforceable since June 28, 2025; 95% of sites fail basic WCAG; 40% of new ADA filings are pro se (AI-assisted).
- Page-builder lock-in. Divi 4 → 5 is a one-way migration; Elementor pricing restructures force decisions; Bricks RCE shows builders are attack surface.
- Platform decay (Doctorow). Squarespace acquires Google Domains; Shopify sunsets checkout.liquid; WP Engine vs Automattic. Platforms are M&A and policy inventory.
- Content decay + link rot. Ahrefs 14B-page study: 96.55% of pages get zero Google traffic. Zittrain: 50% of Supreme Court citation URLs suffer reference rot.
What the survivors do differently
Daring Fireball (since 2002), Berkshire Hathaway (since 1997, 198 KB pages), Craigslist, Pinboard, GOV.UK Design System, Stack Overflow — see "Long-lived sites worth studying: Daring Fireball, Berkshire Hathaway, Craigslist, Pinboard, GOV.UK, Stack Overflow, Wikipedia" for the catalogue. Common pattern: content separated from presentation, minimal dependencies, URL stability as a design principle, boring architecture as a feature.
Honest caveats
- The recycled "average website lifespan = 2y7mo" stat is unverified at primary source (HubSpot citation could not be located).
- No primary surveyed dataset of Canadian SMB rebuild cycles exists.
- The 10-year cost model (Scenario A: rebuild every 3 years ~$115k-$185k vs Scenario B: foundation-first ~$235k-$260k) is directionally correct but ignores SEO opportunity cost of 3× 523-day recovery curves in Scenario A.
- Some rebuilds are legitimately driven by business pivots, capability ceiling growth, or compliance forcing functions — not all rebuilding is decay-driven.
Related
- reference Orbit Media: average website lifespan across Inc 5000 is 2y4mo; under continuous care, 6y4mo
- reference Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core
- reference Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues
- reference Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day
- reference Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022)
- reference Verizon DBIR 2025: 88% of SMB breaches involved ransomware vs 39% of enterprise; median ransom $115k
- reference Web Almanac 2024: median desktop page weight — WordPress 2,252 KB, Wix 2,560, Squarespace 3,323; 90th pct crosses 8 MB
- reference Zittrain et al. (Harvard Law 2014): 50% of URLs in U.S. Supreme Court opinions suffer reference rot
- reference UsableNet 2025: 5,000+ digital accessibility lawsuits filed; 46% of federal cases involve repeat defendants
- reference Accessibility: 95% of sites fail basic WCAG; 40% of new federal ADA filings are pro se (AI-assisted)
- reference FTC (Jan 3, 2025): accessiBe ordered to pay $1M for deceptive claims its AI overlay could make sites WCAG-compliant
- reference European Accessibility Act enforcement began June 28, 2025 — penalties up to €100k (Germany), 4-5% revenue (France/Italy)
- reference Divi 5 official release Feb 26, 2026; Divi 4 → 5 is one-way migration; rollback gets harder over time
- reference Drupal 7 EOL January 5, 2025 — ~291,386 sites still on D7 in Sept 2024; migration is effectively a rebuild
- reference Long-lived sites worth studying: Daring Fireball, Berkshire Hathaway, Craigslist, Pinboard, GOV.UK, Stack Overflow, Wikipedia
- reference GDS: GOV.UK Design System pages download 2x faster than non-system pages with half the code
- reference Reference framework: which website dimensions decay vs compound over 10 years (12-dimension matrix)
- reference Reference framework: 10-year cost model — rebuild-every-3-years vs foundation-first (Canadian SMB, CAD)
- rule RULE: Design every Candid client site for a 10-year operational horizon. Rebuild is a choice, not a forced move.
- rule RULE: Treat URL/slug design as a 10-year decision. Never let a slug change without a 301 redirect.
- rule RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.
- rule RULE: Accessibility is architecture, not an overlay. Never sell or install an accessibility overlay widget.
- reference Research brief: Owning your stack — why agency-managed platforms cost more than they save (piece 4 of 15)
- reference Research brief: What makes a marketing site do something (piece on brochure vs platform)
- reference Research brief: The knowledge-base-backed website (piece 3 of 15)
- reference Doctorow: "enshittification" — the three-phase decay pattern of platforms (Word of the Year 2023 + 2024)
- reference Ahrefs (14B-page study): 96.55% of pages get zero Google traffic — supersedes older 90.63% figure
- reference HubSpot (Pamela Vaughan): historical-optimization refresh of old posts lifts organic traffic by avg 106%
Referenced by (8)
- reference Research brief: Page Speed as a Moat — why CWV separates the agencies from the freelancers (piece 9 of 15) relates-to
- reference Research brief: The Case Against Page Builders (piece 10 of 15) relates-to
- reference Research brief: Public data as a private moat — building proprietary intelligence from government open data (piece 11 of 15) relates-to
- reference Research brief: The Dataset is the Product — when a service business should own its data (piece 12 of 15) relates-to
- reference Research brief: Research Before Pages — methodology for KB-backed websites (piece 14 of 15) relates-to
- reference CANDID REFERENCE: how the 15-brief foundation roadmap connects — the throughline from strategic frame to editorial layer depends-on
- reference Research brief: Confidence Levels, Sources, and Dated Claims — why every statement on a credible site should be verifiable (piece 15 of 15) relates-to
- reference Research brief: Candid Creative 2026 Build-Standards — web stack decision framework for SMB marketing sites & lightweight apps (piece 16) relates-to