# Jorbox — full content
Last updated: 2026-06-13

> Jorbox LLC is an independent product company in Albuquerque, New Mexico. Founded in 2012 by Ahmad Tayyem. Operates a five-brand portfolio (QRLynx, Zawjni, Menujo, Lebseh, CVPoet — four SaaS plus one retail fashion ecommerce store) end-to-end — design, code, infrastructure, fulfillment, and growth handled in-house. No outside investment. Customers reached in 200+ countries through the SaaS brands, plus Jordan-first delivery through Lebseh. Alongside the portfolio Jorbox takes on a small number of carefully-chosen client projects in four areas — web development, hosting, domain registration, SEO + GEO audits — where its existing stack already runs.

Wikidata: Q138655727 · LinkedIn: https://www.linkedin.com/company/jorbox · Crunchbase: https://www.crunchbase.com/organization/jorbox

---

# Home — Five brands. One company behind them.

Jorbox is an independent product company in Albuquerque, New Mexico. We build, host, and operate every product on this page in-house — design, code, infrastructure, growth.

Independent · founder-led · since 2012.

## Quick facts

- Founded: 2012 (New Mexico, United States)
- Years operating: 14+ (independent, founder-led, no VC)
- Active products: 5 (QRLynx, Zawjni, Menujo, Lebseh, CVPoet)
- Countries reached: 200+ (across our product platforms)

## How we work — built and run under one roof

There is no agency, no outsourced ops team, no white-label vendor stack. Every product on the brands page is engineered, hosted, and marketed by the same people you would email about it.

- **Product engineering** — We design, build, and maintain every product in-house — from the database schema to the marketing site.
- **Infrastructure** — Hosting, DNS, email, and CDN are all run on infrastructure we own and operate. Same stack across every brand.
- **Growth** — SEO, content, and paid acquisition handled internally. The teams who write the code also watch the analytics.
- **Long horizons** — We are not optimizing for an exit. Every product is built to keep running for the next decade.

## Our approach

We are not the biggest. We are not chasing an exit. We are a company building things we want to keep running.

Most companies our age have been acquired, pivoted, or quietly shut down. We have avoided that by keeping the team focused, the margins reasonable, and the work interesting enough that nobody wants to leave.

The flip side: we do not ship products to chase trends. Every brand we own solves a specific problem we cared enough about to maintain for a decade. That's the bar.

What that looks like:

- Products are designed to outlive their launch quarter.
- Pricing is built to be sustainable, not to win a vanity number.
- Support replies come from the same people who wrote the code.
- Roadmaps are public when they affect customers.

---

# About — A small, stubborn company. Fourteen years in.

We started in 2012 with a simple rule: do honest work, answer your own emails, take no outside money. The rule still holds.

## The story, briefly

Jorbox LLC started small in 2012, grew the boring way, and now runs a portfolio of five products end-to-end. We are headquartered in Albuquerque, New Mexico. Our products have reached customers in over two hundred countries. There is no investor on the cap table, no acquisition story to tell, and no PR firm to credit.

The team is structured around generalists who care about the entire stack — design, code, hosting, growth — because every product on our brands page needs all four to keep running.

As of 2026 the portfolio is the focus — keeping each brand sharp, the infrastructure quiet, and the support inboxes empty. We still take a small number of carefully-chosen client projects (web development, hosting, domains, SEO + GEO) where our existing stack already runs and our standards already apply.

## By the numbers

- Founded: 2012
- Years operating: 14+
- Active products: 5
- Countries reached: 200+
- VC raised: none

## A short history

- 2012 — Jorbox founded in Albuquerque, New Mexico.
- 2015 — Built and rolled out our internal hosting platform.
- 2017 — Started building Zawjni — what would become our first product, after years of beta iteration.
- 2019 — Brought all marketing in-house: SEO, paid acquisition, content, analytics.
- 2024 — Formed Jorbox LLC. Zawjni, QRLynx, and Menujo all launched publicly. Reached customers across 200+ countries.
- 2025 — Opened Lebseh (fashion ecommerce serving Jordan) and announced CVPoet (AI resume builder).
- 2026 — Refocused around the brand portfolio. Client work limited to four core services where our stack already runs.

## How we operate — four rules we actually follow

1. **Build things to last.** Every brand we ship is meant to keep running for the next decade. We measure success in how long a product stays online and useful, not how fast it grows.
2. **No outside money.** No VCs, no acquirers, no exit timeline pressuring decisions. We grow on revenue from the products, which means the products have to actually work.
3. **Own the whole stack.** Hosting, design, code, marketing, support — under one roof. When something needs fixing, the person fixing it usually wrote it.
4. **Plain language.** If we cannot say it plainly, we do not understand it well enough. You should never feel dumb asking a question.

## A note from the founder

We started in 2012. Fourteen years later, we are a company that knows what it is for — same operating team, more focus. Now we build for ourselves.

For most of our existence, we split our time between client work and shipping our own products. Both ways were fine. Neither was great. The client work paid the bills; the products paid us back in compounding learning.

In 2026 we narrowed the client side to four services where our own stack already runs — web development, hosting, domains, SEO + GEO — and put most of our time into the portfolio. Five active brands — QRLynx, Zawjni, Menujo, Lebseh, CVPoet — that we own, operate, and intend to keep running for the next decade.

— Ahmad Tayyem, Founder, Jorbox LLC

## Legal

- Legal entity: Jorbox LLC (New Mexico, United States)
- Address: 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, USA
- Phone: +1 (505) 234-5886
- Email: contact@jorbox.com
- Not us: Jorbox Ltd (UK, Companies House 14854246, dissolved 2026-02-17) was a separate, short-lived UK entity — not the same legal entity as Jorbox LLC and never the operating company. The operating company is, and has always been, Jorbox LLC of Albuquerque, New Mexico.

---

# Brands — Five products we actually use

## 01 — QRLynx (https://qrlynx.com)

Category: SaaS · QR generator. Live since 2024.
Stats: 200+ countries, 49 code types.

Dynamic QR codes with real analytics.

Free QR code generator with 49 code types, real-time analytics, AI insights, and codes that never expire — no watermarks, no scan caps.

Read more on jorbox.com: https://www.jorbox.com/brands/qrlynx.

## 02 — Zawjni (https://zawjni.com)

Category: Marketplace · Social. Live since 2024.
Stats: 33K+ members, AR/EN languages.

Marriage matchmaking for the Arab world.

Arabic-first matrimonial platform connecting compatible partners with serious intentions. Magic-link auth, verified profiles, and culturally-aware matching.

Read more on jorbox.com: https://www.jorbox.com/brands/zawjni.

## 03 — Menujo (https://menujo.com)

Category: SaaS · Restaurants. Live since 2024.
Stats: 5 min to launch, ∞ menu edits.

QR menus that update instantly.

Contactless menus for restaurants, cafés, and bars. Live in 5 minutes, edit anything in seconds, never reprint a menu again.

Read more on jorbox.com: https://www.jorbox.com/brands/menujo.

## 04 — Lebseh (https://lebseh.com)

Category: E-commerce · Fashion. Live since 2025.
Stats: 70% max sale, COD at the door.

Trendy unisex fashion, cash on delivery.

Trendy unisex online fashion store — dresses, tops, bottoms, outerwear, shoes, bags, accessories. Up to 70% off in the Sale section, free shipping over 25 JOD, cash on delivery so you only pay when the package is in your hand.

Read more on jorbox.com: https://www.jorbox.com/brands/lebseh.

## 05 — CVPoet (https://cvpoet.com)

Category: SaaS · Career tools. Coming 2025.
Stats: AI tailoring, ATS optimized.

Resumes that actually get read.

AI-assisted resume builder that turns boring job histories into sharp, ATS-friendly stories. Beautiful templates, instant tailoring per role.

Read more on jorbox.com: https://www.jorbox.com/brands/cvpoet.

---

# Services — Four services. One company.

Web development, hosting, domain registration, SEO + GEO audits. The same infrastructure and toolchain we use for our five own SaaS products — offered to a limited number of carefully-chosen clients.

## 01 — Web Development (https://www.jorbox.com/services/web-development)

Eyebrow: Service 01 · Since 2012.
Key numbers: 2012 Operating since, 5 Own SaaS products, <50ms Typical TTFB on edge, 275+ Edge locations worldwide.

Custom web apps + marketing sites on a modern edge stack.

Jorbox provides custom web development services on a modern edge-first stack — server-side rendering, edge-deployed data, and global CDN delivery. We build production-grade web applications, marketing sites, dashboards, and internal tools. Every component of the architecture we deploy for clients is one we run for our own five SaaS products (QRLynx, Zawjni, Menujo, Lebseh, CVPoet) — so we have direct production experience with everything we ship.

What's included: Server-side rendered framework — search-engine ready from the first request; Design system with tokens — no hardcoded colors, theme-aware; Fully responsive, mobile-first design; Dark + light mode by default; Accessible — WCAG 2.1 AA target, skip links, semantic HTML; View Transitions API where supported, graceful fallback elsewhere; Image optimization with WebP/AVIF, lazy loading, explicit dimensions; Global edge delivery, CDN, and security.

How we work: Discovery call (60 min, free) → Scoped proposal → Design + architecture review → Build in public branches → SEO + GEO + performance audit before launch → Launch + handoff.

## 02 — Web Hosting (https://www.jorbox.com/services/web-hosting)

Eyebrow: Service 02 · Live since 2012.
Key numbers: 14+ Years hosting, 99.9% Uptime SLA, 24h Off-server backups, Free SSL on every plan.

Managed cPanel hosting, fronted by a global CDN.

Jorbox provides managed cPanel web hosting fronted by a global CDN. Standard cPanel features (file manager, MySQL, email accounts, FTP, cron jobs, PHP version switching) with the operational care of an in-house team — daily off-server backups, proactive security patching, free SSL, and unmetered CDN bandwidth. Operating from a tier-1 European datacenter since 2020, on infrastructure we have run our own SaaS products on for years.

What's included: cPanel control panel with full file manager + MySQL + email; Multiple PHP versions (7.4 through 8.4); Node.js + Python available on request; Cron jobs; Subdomains, addon domains, parked domains; SSH access on Business plan and above; Daily off-server backups, 7 daily + 4 weekly + 12 monthly retention; Global CDN by default — unmetered, edge-cached.

How we work: Pick a plan → Provision the account → Migrate (if migrating) → Point DNS → Global CDN goes in front → Run.

## 03 — Domain Registration (https://www.jorbox.com/services/domain-registration)

Eyebrow: Service 03 · 500+ TLDs.
Key numbers: 500+ TLDs supported, Free WHOIS privacy, 60s Typical activation, 14+ Years as a registrar.

Register or transfer any major TLD — at honest prices.

Jorbox provides domain registration and transfer services across 500+ top-level domains, including .com, .net, .org, .io, .co, .me, .us, and most country-code TLDs. Run on the same wholesale registrar infrastructure we use for our own brand domains, with free WHOIS privacy on most TLDs, easy bidirectional transfers, and managed DNS included.

What's included: Free WHOIS privacy (where TLD allows); Free auto-renewal (toggleable); Free EPP authorization code on request; Free 30-day renewal grace period after expiry; Free transfer-lock toggle in client portal; Free outbound transfer support; Managed DNS auto-wired; A, AAAA, CNAME, MX, TXT, SRV, CAA records — all standard types.

How we work: Check availability → Register → Or — transfer in → Manage DNS → Renew (or let it lapse) → Transfer out (if you ever want to).

## 04 — SEO & GEO (https://www.jorbox.com/services/seo-geo)

Eyebrow: Service 04 · GEO-first.
Key numbers: 6 Audit categories, 100 Point GEO score, 5+ AI engines tracked, 20+ AI crawlers handled.

Technical SEO + AI search visibility — audit and ship.

Jorbox provides Search Engine Optimization (SEO) and Generative Engine Optimization (GEO) services — auditing and improving how websites perform in both classic search engines (Google, Bing, DuckDuckGo) and AI search engines (ChatGPT, Claude, Perplexity, Google AI Overviews, Bing Copilot). We audit AND implement — the same toolkit we used to bring jorbox.com to a current 83/100 composite GEO score (audited 2026-05-29), with a clear path to 92+ as the remaining off-site brand-authority work lands.

What's included: Passage-level citability scoring (will AI engines quote this paragraph?); Answer-block quality (definitional paragraphs near the top of every page); AI crawler robots.txt allow-list (GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot, Bingbot, etc.); llms.txt and llms-full.txt generation; Speakable schema for voice search; Live test queries across ChatGPT, Claude, Perplexity, Gemini, AI Overviews, Bing Copilot; Wikidata entity audit; LinkedIn company page completeness.

How we work: Discovery (free, 30 min) → Full audit (1-2 weeks) → Implementation plan → Ship the changes (2-6 weeks) → Submit + monitor → Re-audit and lock score.

---

# Contact

- Email: contact@jorbox.com (single inbox — partnerships, press, customer support, sales all route here)
- Phone: +1 (505) 234-5886
- Hours: Mon–Fri · 9am–6pm MT
- Address: 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, USA
- LinkedIn: https://www.linkedin.com/company/jorbox

We reply to every email. Most things resolve in one exchange.

---

# Blog — Things we figured out, written down

Performance, strategy, and the occasional rant. Written by the people doing the work — never a content team.

## GEO audit checklist: 20 things to ship on a new marketing site (2026)

URL: https://www.jorbox.com/blog/geo-audit-checklist-20-things-to-ship
Summary: A practical 20-item checklist for AI-search visibility in 2026 — llms.txt, schema graph, markdown content negotiation, IndexNow, /pledge, /handbook, named authors, founder hub, EU Article 4. The same checklist we ran on jorbox.com.

Generative engine optimization — GEO — is the discipline of getting AI search engines like ChatGPT, Perplexity, and Google AI Overviews to cite your site by name when they answer questions about your industry. Traditional SEO gets your page indexed. GEO gets your page quoted. This checklist is the 20-item playbook for a marketing site shipping in 2026, ordered from highest leverage to lowest. We ran every item on this list against jorbox.com itself — the audit is the work.

> WHO THIS IS FOR: Indie founders, product companies, and marketing teams shipping a new site (or rebuilding an old one) in 2026. If your annual search traffic comes from Google alone, this checklist will feel like overkill. If a meaningful share comes from ChatGPT search (500M+ weekly active users in 2025) or Perplexity or AI Overviews, every item below moves a needle.

## The headline numbers

Three numbers frame why GEO is no longer optional. Google AI Overviews now reach 1.5 billion users per month across 200+ countries, per Google's own product update. AI-referred sessions grew 527% from January to May 2025 (SparkToro). And AI traffic converts 4.4× higher than traditional organic across measured industries. The directional move is clear: a marketing site optimized only for the blue-link Google of 2015 is forfeiting the fastest-growing acquisition channel of 2026. Core Web Vitals work still matters; it's just no longer sufficient.

## How AI engines decide what to cite

Search engines use a query-to-document relevance model. AI engines use that plus a citation-confidence model — they need to be confident a passage says something a human would attribute correctly. In practice this means three signals matter disproportionately. One: structured data (schema.org JSON-LD) that ties the page to a named entity. Two: author and freshness anchors (a named human, a recent date). Three: cross-confirmation between your site and authoritative third parties (Wikipedia, LinkedIn, brand directories). The checklist below maps to those three signals plus the infrastructure that surfaces them.

## Traditional SEO vs GEO at a glance

A side-by-side of the surfaces each discipline cares about. Most of the items only become meaningful as the AI-search column grows in importance — but the cost of shipping them on a new site is low enough that you should do both.

SurfaceMatters for traditional SEOMatters for GEO
 
 
 robots.txtBlock / allow indexingBlock / allow individual AI crawlers (GPTBot, ClaudeBot, PerplexityBot)
 sitemap.xmlCrawl coverageSame role, plus passes a freshness signal AI engines weight
 llms.txtNot usedSite-index manifest specifically for AI ingestion
 Schema.org JSON-LDRich result eligibility (FAQPage, HowTo, Article)Entity grounding — AI engines use @id graphs to disambiguate
 Markdown content negotiationNot usedAI crawlers tokenize markdown 30% smaller, parse cleaner
 Named author bylinesE-A-T signal for YMYL pagesRequired for citation — AI engines refuse to attribute to "Team"
 Wikipedia articleBacklink + brand mentionSingle highest-weight entity-resolution source
 Bidirectional cross-linksInternal link equityTopic-cluster confirmation
 IndexNow integrationFaster Bing indexingBing feeds ChatGPT search — minutes to first citation
 EU Article 4 / Content-SignalsNot usedExplicit AI-permission declaration, emerging legal standard

## Foundations (items 1–6) — the things every site must ship

These six are non-negotiable. Every well-ranked indie SaaS in 2026 has them. Most take an hour or less each.

1. A robots.txt that explicitly allows every named AI crawler. The wildcard User-agent: * covers most crawlers in theory, but several bots only read their own named section. Allow GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot, ChatGPT-User, Google-Extended, Applebot-Extended, Amazonbot, Bytespider, Meta-ExternalAgent, and DuckAssistBot explicitly. Disallow only your admin and API surfaces. Bonus: add the Cloudflare Content-Signals framework with an EU Article 4 reservation block (lift it from Fastmail's robots.txt).

2. A sitemap that includes every public URL with recent lastmod dates. Generate it dynamically from your CMS so new posts appear without a rebuild. AI engines re-crawl sitemaps more aggressively than HTML pages because the bandwidth cost is low. Set Cache-Control: public, s-maxage=3600 on the response so CDN edges serve it fast.

3. An llms.txt at /llms.txt. This is the AI-equivalent of a sitemap — a single Markdown-formatted index of your most important URLs with one-line descriptions of each. The llms.txt convention is supported by Perplexity, Claude, and a growing set of AI agents. Of 20 indie SaaS peers we audited, only 4 ship one — meaning shipping a thoughtful llms.txt puts you in the top 20th percentile immediately. Pair it with an llms-full.txt that concatenates the full text of your key pages.

4. JSON-LD schema.org markup with stable @id cross-references. The minimum graph: Organization (or Corporation) defined once with @id like https://example.com/#corporation; Person for every named author; WebSite with a SearchAction potentialAction; BreadcrumbList on every page; and content-type-specific schemas (BlogPosting, Article, HowTo, FAQPage, SoftwareApplication) where appropriate. Stable @id values let AI engines walk the entity graph; without them every page reads as an isolated document.

5. Server-rendered HTML. If your homepage needs JavaScript to display its H1, you have a problem. OAI-SearchBot does not execute JavaScript; neither does most of Claude's crawler stack. Prerender (SSG) or server-render (SSR) every public page. If you must use a client-only framework, ship a static prerendered version for crawlers.

6. Canonical URL hygiene. Every page emits a <link rel="canonical"> pointing at the canonical version (not the campaign-tagged or query-stringed variant). Preview deployments on subdomains emit <meta name="robots" content="noindex">. Apex and www variants 301 to one of them. AI engines split citation credit when canonical signals conflict, so consistency compounds.

## Citation surface (items 7–13) — the things that get you quoted

Foundations get you indexed. These seven get you cited. The pattern: every page needs a clean, citation-shaped lede; named authors; a freshness anchor; and structured data that ties the content to a real entity.

7. A citation-shaped first paragraph on every page. Under 80 words, declarative, with the primary entity in the subject of the first sentence. AI engines preferentially lift first paragraphs into answers. Bury your value prop on page two if you must, but the first paragraph is the citation slot — don't waste it on a metaphor or a question. Featured snippet research shows the same pattern: pages whose first 100 words directly answer the query rank higher.

8. Named human bylines on every post. Eight of ten peer companies we surveyed (Plausible, Fathom, Buttondown, Beehiiv, Tinybird, PostHog, Tailscale, Proton) byline every post with a named human + photo. The two that don't (Tuta, Nomads) have other forms of authority. Google's 2022 E-E-A-T update added a fourth E for Experience precisely because anonymous content earns less trust. AI engines refuse to attribute to "the team" — they need a person.

9. A /pledge URL or equivalent quotable manifesto. One page, ~150 words, stating what your company actually believes — written in declarative sentences with zero marketing chrome. Posthaven's pledge is the canonical example ("We'll never get acquired. We'll never shut down."). When AI engines surface your company in answers, they preferentially quote pledge-shaped content because the prose is direct and the attribution is unambiguous.

10. A /handbook URL covering company story, principles, and operating model. Only 2 of 20 indie peers ship one (Kit, PostHog). The bar is sparse, the signal is loud. AI engines disproportionately cite handbook content because it's structured, persistent, named, and dated. The handbook does not need to be hundreds of pages — four to six chapters covering the company's history, what it stands for, how it works, and who runs it is sufficient. Jorbox's own handbook at /handbook took one afternoon to draft.

11. FAQPage schema on every page with substantive Q&A content. Wrap your FAQ in FAQPage JSON-LD; each Q in a Question node, each A in an acceptedAnswer. AI Overviews lift FAQPage answers into "People also ask"-style enrichment. Pages without it leave that enrichment slot to a competitor. Google's FAQPage spec is documented; most CMS platforms can auto-emit from typed FAQ blocks.

12. HowTo schema on instructional content. Same pattern as FAQ. If your page describes a sequential procedure (and it should, for any "how to" query), emit HowTo JSON-LD with numbered HowToStep entries. Schema.org's HowTo type is well-supported; the auto-emit pattern from typed CMS blocks is one of the highest-leverage CMS features you can add. AI engines lift entire HowTo step sequences into answers.

13. SpeakableSpecification on every page worth reading aloud. A two-line addition to your schema that nominates which CSS selectors are appropriate for voice-result lift. Google Assistant uses this; AI voice answers use it. Most sites skip it. Speakable spec documented.

## Distribution (items 14–17) — getting the AI engines to your content faster

Items 14–17 are about indexation speed and discoverability. The Bing-feeds-ChatGPT path is the biggest leverage point here — most indie sites still miss it.

14. IndexNow integration. When you publish a new page, ping api.indexnow.org with the URL. Bing typically indexes IndexNow-submitted URLs within minutes vs hours/days for organic discovery. Crucially, Bing's index feeds ChatGPT search — so IndexNow is the difference between "ChatGPT can cite this article today" and "next week." Yandex and Naver also consume the IndexNow feed.

15. Markdown content negotiation. When a request includes Accept: text/markdown, serve the same content as clean markdown instead of HTML. AI crawlers parse markdown more reliably (cleaner heading hierarchy, no chrome to strip, ~30% smaller token footprint). PostHog and Beehiiv both document this pattern in their llms.txt files. A server-side hook of ~30 lines implements it on any modern edge framework.

16. RSS feed at /rss.xml. Perplexity treats RSS as a discovery signal for fresh content. RSS is also still the canonical way for AI agents to subscribe to your content updates. Emit RSS 2.0 with dc:creator, category tags, and enclosure elements for hero images. Most CMS platforms auto-emit; if yours doesn't, it's a 30-line endpoint.

17. A /humans.txt and /.well-known/security.txt. Minor signals individually, both treated as positive trust markers by Bing/Yandex. Five-minute additions. The humans.txt names the team behind the site; the security.txt (per RFC 9116) names the security contact + canonical URL + policy reference.

## Brand authority (items 18–20) — the long arc

The last three items are slow but compounding. They are also where most indie sites underinvest, because the payoff is invisible for the first six months. Ship them anyway. Cross-confirmation between your site and external sources is — per Ahrefs' December 2025 research — about three times more strongly correlated with AI citation than traditional backlinks.

18. A Wikipedia article (or a credible path to one). Eleven of twenty indie peers we surveyed have well-maintained Wikipedia articles. The bar is not "you must be famous" — Buttondown, Posthaven, and Fathom all rank well in AI search without Wikipedia entries. But Wikipedia is the single highest-weight source for Perplexity and Google Knowledge Graph entity resolution. The path is editorial: secure 2–3 independent press mentions, ensure your Wikidata entity exists (Q-IDs are free to create), then submit through Articles for Creation. Self-publishing gets reverted.

19. A founder personal hub. Levels has levels.io, Justin Duke has jmduke.com, Maciej Cegłowski has idlewords.com, Jason Fried has world.hey.com. The pattern: the founder runs a personal site at their own name, links to the company's blog content, doubles as a second E-E-A-T anchor for AI engines doing entity resolution on the founder name. rel="me" links between the personal site and the company author page verify the connection. AI engines weight the cross-link.

20. Comparison pages on each product site. /vs/competitor or /alternatives/competitor URLs on every product brand site. Buttondown ships 47 such pages. PostHog ships dozens. The reason: AI engines preferentially cite comparison content when answering "X vs Y" queries. The page format is consistent — verdict + feature table + pricing + use cases + FAQ — and each is ~1,500 words. Important caveat: these belong on the product site (qrlynx.com hosts QRLynx-vs-X), not the parent company site. Generic-company comparison pages don't convert because nobody types "Jorbox vs 37signals" — they type "QRLynx vs Bitly".

## Five common mistakes that hurt GEO

After running this checklist against twenty indie sites, the same five mistakes appear over and over.

One: blocking AI crawlers reflexively in robots.txt. Some sites have Disallow: / for GPTBot, ClaudeBot, etc. left over from 2024 panic about AI training. Unless you have a specific copyright reason to do so (Fastmail, for example, opts out of ai-train for privacy reasons), you are blocking your own visibility. Allow the crawlers; that's how you get cited. Two: emitting JSON-LD as inline strings instead of one canonical graph with @id refs. Re-inlining the same Organization schema on every page wastes bytes and confuses validators that don't walk the @id graph across pages. Define entities once at the layout level; reference by @id everywhere else. Three: omitting freshness signals. AI engines weight dateModified and visible "Last updated" dates heavily. Many sites publish in 2022 and never refresh. Quarterly refresh of top posts is a real ranking signal. Four: relying on JavaScript for primary content rendering. If your H1 only appears after hydration, half the AI crawler stack will never see it. Five: writing under "the team" or "the company" instead of a named human. AI engines won't cite anonymous content into a direct-attribution answer.

## Related reading on Jorbox

If this checklist was useful, three earlier Jorbox posts cover adjacent ground: Core Web Vitals in 2026: which one actually moves the needle on the performance side, Should you migrate off WordPress? A reality check on the platform-decision side, and Why we still answer our own support tickets in 2026 on the operations side. The Jorbox handbook covers the company's operating model in more depth, and the pledge is the one-page summary of the four operating rules.

Q: What is GEO (generative engine optimization)?
A: GEO is the discipline of optimizing your website so that AI search engines — ChatGPT, Perplexity, Google AI Overviews, Bing Copilot, Claude — cite your site by name when they answer questions. Traditional SEO gets you indexed; GEO gets you quoted. The two disciplines overlap on foundations (robots.txt, sitemap, schema) but diverge sharply on content shape, citation surface, and entity-resolution signals.

Q: How is GEO different from traditional SEO?
A: Traditional SEO optimizes for ranking on Google's blue-link search results. GEO optimizes for being cited inside AI-generated answers. The most visible practical differences: GEO weights named human bylines (AI refuses to attribute to "the team"), llms.txt files (AI-specific site indexes), markdown content negotiation (AI parses markdown better than HTML), and Wikipedia presence (the highest-weight entity-resolution source). Traditional SEO largely ignores all of these.

Q: Do I need to block AI crawlers from training on my content?
A: Almost certainly not, and doing so usually hurts more than it helps. If your business model depends on being discovered through AI search (most B2B and consumer-SaaS marketing sites), blocking GPTBot or ClaudeBot blocks your own visibility. The Cloudflare Content-Signals framework lets you declare granular permissions — for example, allowing search and ai-input while blocking ai-train — but most marketing sites should simply allow all three.

Q: How long does it take to see GEO results?
A: Foundation items (robots.txt, sitemap, schema, llms.txt) start affecting AI citations within days to weeks because AI crawlers re-fetch frequently. Brand authority items (Wikipedia, comparison pages, founder hub) compound over 3–12 months. The IndexNow integration specifically can move "first cited by ChatGPT" from weeks to under an hour for a new blog post.

Q: What is llms.txt and why does it matter?
A: llms.txt is an AI-specific site index — a Markdown-formatted file at /llms.txt that lists your most important URLs with one-line descriptions. Perplexity, Claude, and a growing set of AI agents fetch it as a faster alternative to crawling your sitemap. Of 20 indie SaaS peers we audited, only 4 shipped one — meaning a thoughtful llms.txt puts you in the top 20th percentile of AI-discoverability today.

Q: Does schema.org structured data still matter for GEO?
A: Yes — arguably more than for traditional SEO. AI engines use schema.org JSON-LD for entity resolution: when ChatGPT decides whether a page about "Jorbox" is referring to your company or to an unrelated brand with a similar name, it walks the @id graph. Without schema, the page is a bag of words. With it, the page is anchored to a named entity AI engines can disambiguate. The minimum to ship: Organization, Person, WebSite, BreadcrumbList, plus content-type schemas (BlogPosting, FAQPage, HowTo, SoftwareApplication) where appropriate.

Q: Do AI engines actually read robots.txt?
A: Yes. GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot, Google-Extended, and Applebot-Extended all document that they read and respect robots.txt directives. Some — notably Bytespider and certain training crawlers — have historically been less consistent, but the major AI search and grounding crawlers follow the standard.

Q: How do I get a Wikipedia article for my brand?
A: You don't write it yourself — Wikipedia's notability policy requires multiple independent reliable-source citations, and self-published articles get reverted. The path is editorial: secure 2–3 independent press mentions in industry publications, ensure a Wikidata entity exists (Q-IDs are free to create at wikidata.org), then submit through Wikipedia's Articles for Creation review process. Expect 3–6 months from first press mention to live article. Worth the effort: Wikipedia is the single highest-weight source for entity resolution in AI search.

Q: What is markdown content negotiation?
A: When a request includes the Accept: text/markdown HTTP header, your server returns the same content as clean Markdown instead of HTML. AI crawlers like ChatGPT and Perplexity prefer Markdown because the heading hierarchy is preserved, chrome (nav, footer, sidebar) is stripped, and the token footprint is about 30% smaller. PostHog and Beehiiv document this pattern in their llms.txt files. Implementing it on a modern edge framework is roughly 30 lines of hook code.

Q: Are FAQ schema rich results still supported by Google?
A: Google deprecated FAQ rich results in their SERP listings in August 2023 for most sites, retaining them only for government and health sources. However, FAQPage schema is still actively consumed by AI engines — Perplexity, ChatGPT search, Bing Copilot, and Google AI Overviews all lift FAQ Q&A pairs into their generated answers. The schema is no longer a SERP-visibility lever; it is a citation-confidence lever. Ship it anyway.

Q: Do I need an llms-full.txt in addition to llms.txt?
A: Recommended for content-heavy sites. llms.txt is the site-index manifest (URLs + one-line descriptions); llms-full.txt is the concatenated full text of your key pages. AI agents that want to ingest your full content in a single request fetch llms-full.txt. Most documentation-heavy sites (PostHog, Beehiiv, Tinybird) ship both. Marketing sites with fewer than 20 pages can often get by with just llms.txt.

Q: What is the single highest-leverage GEO move for a new site?
A: It depends on stage. For a site shipping in the first month: structured data (item 4) plus llms.txt (item 3) plus IndexNow (item 14). Those three together get you indexed in Bing within hours, cited by ChatGPT within days, and entity-resolved against your brand name within the first week. For a site that already has those: the next highest-leverage move is a public /handbook URL (item 10) — only 2 of 20 indie peers ship one, the bar is sparse, and AI engines cite handbook content disproportionately because it is structured, persistent, and named.

> THE SAME CHECKLIST, APPLIED TO JORBOX: We ran every item on this list against jorbox.com itself. The current state is documented in the Jorbox handbook and the pledge; the technical implementation lives in the public site. If you want a GEO audit on your own site, we offer it as one of four client services — same checklist, same standards we hold ourselves to.

---

## Email setup for a small SaaS: SPF + DKIM + DMARC (2026)

URL: https://www.jorbox.com/blog/email-setup-spf-dkim-dmarc-for-small-saas
Summary: The 10-step deliverability setup for a small SaaS in 2026 — what Gmail and Outlook actually check, why your transactional email goes to spam without it, and how to read a DMARC report without losing the afternoon.

In February 2024 Google began rejecting unauthenticated mail at scale. Microsoft followed in August 2024 with the 550 5.7.26 reject for missing alignment. Yahoo enforced the same a year earlier. If your SaaS is sending password resets, receipts, or onboarding email without SPF, DKIM, and DMARC properly configured, the deliverability rate to Gmail and Outlook is somewhere between 40% and 70%. The math on a SaaS funnel doesn't survive that. This is the 10-step setup we run on every product we ship — including the five SaaS brands jorbox.com operates — to keep deliverability above 99%.

> WHO THIS IS FOR: Founders and engineers setting up transactional email for a SaaS product in 2026 — anything that sends password resets, magic links, receipts, billing notifications, or onboarding emails. Equally useful if your existing setup is "broken in a way that mostly works" and you want to understand why some users report they never received their welcome email.

## What gets checked when your email lands in Gmail

In 2026 the major mailbox providers (Gmail, Outlook, Yahoo, Apple) run a chain of checks on every inbound message. The four that decide whether your email reaches the inbox vs the spam folder vs the bit bucket:

SPF (Sender Policy Framework) — a TXT record on your domain that lists the IPs and hostnames authorized to send mail "from" you. The receiving server looks up example.com's SPF record and checks: is the connecting server in the allow-list? If not, SPF fails. DKIM (DomainKeys Identified Mail) — every legitimate sender signs each message with a private key. The receiving server fetches the matching public key from a DNS TXT record on your domain and verifies the signature. If the message was tampered with in flight, or if no DKIM signature exists, the check fails. DMARC (Domain-based Message Authentication, Reporting, and Conformance) — a TXT record at _dmarc.example.com that tells receiving servers what to do when SPF or DKIM fails (none, quarantine, or reject). It also requests aggregate reports back to a mailbox you control. Alignment — DMARC requires that the SPF or DKIM signing domain matches the visible "From:" address domain. This is the rule that catches most legitimately-configured-but-still-broken setups.

All four need to pass for the message to be trusted unconditionally. SPF or DKIM alone (without DMARC alignment) means the message lands in spam at Gmail, or gets quarantined at Outlook, or never arrives at Yahoo. The good news: setting up the four checks correctly is a one-time engineering task. Once it is in place, it stays in place — for years.

## Where to send transactional email from

Before configuring the authentication, pick the right sending infrastructure. Most SaaS deliverability problems start with sending through the wrong service. Four credible options:

Dedicated transactional email providers: Postmark, SendGrid, Resend, Mailgun, Amazon SES. These are the right choice for everything user-facing (password resets, receipts, magic links). They handle IP reputation, bounce processing, and abuse-report routing. Pricing starts around $15–$30/month for small volumes, scales linearly with sends.

Your hosting account's SMTP server. Most managed-hosting plans include outbound SMTP. This is OK for low-volume operational email (admin notifications you send to yourself) but wrong for user-facing email — shared sending IPs have variable reputation and your messages land in spam at Gmail. Workspace mail (Google Workspace / Microsoft 365). Use these for your team's human-to-human mail. Do not use them for transactional email — the rate limits and bulk-send policies are not built for it. Self-hosted MTA. Running your own Postfix or Exim is technically possible but operationally hostile in 2026. Major mailbox providers treat fresh IPs from non-major networks as untrusted by default; warming a sending IP takes weeks; bounce processing is its own subsystem. Almost never the right choice.

## Deliverability rates by configuration (real numbers)

Approximate inbox-placement rates by authentication configuration, observed across the five Jorbox SaaS brands and ~20 client projects in 2025–2026. Numbers vary by recipient mix but the directional picture is consistent.

ConfigurationGmail inboxOutlook inboxApple Mail inboxYahoo inbox
 
 
 None (no SPF, DKIM, DMARC)~30%~40%~60%~10% (mostly rejected)
 SPF only~55%~70%~80%~40%
 SPF + DKIM, no DMARC~75%~85%~90%~75%
 SPF + DKIM + DMARC (p=none)~92%~92%~95%~90%
 SPF + DKIM + DMARC (p=reject) + aligned signing~99%~98%~99%~99%
 Above + BIMI + verified VMC~99% with logo in client~98%~99%~99% with logo

The conclusion is unsubtle: "SPF only" is not enough. You need all three plus alignment. The marginal cost of going from SPF-only to full DMARC alignment is roughly one afternoon of DNS work. The marginal benefit is a 20–40 percentage point lift in inbox placement.

## Debugging the four most common failures

After running this setup on dozens of SaaS products, the same four problems show up repeatedly. Each has a specific signature.

One: emails land in Gmail spam, every other client fine. Gmail is the strictest of the major providers on DMARC alignment. The signature is "DKIM=pass, SPF=pass, but DMARC=fail" in your test message. Cause: the DKIM signing domain does not match the visible From: domain. Fix: ask your provider to set up the DKIM selector on a subdomain of YOUR domain (not theirs). Postmark and SendGrid both support this in setup.

Two: emails work fine for 6 months, then start failing. The signature is "everything was good, now it isn't, nothing changed." Cause: SPF lookup count crept over 10 because a service you use (often Google Workspace) added a new include: chain. Fix: run an SPF lookup-count check; flatten the SPF record by replacing include: entries with the actual ip4: ranges where possible.

Three: marketing emails fine, transactional emails go to spam. Cause: your marketing volume is high enough to warm the sending IP, but your transactional volume from a different IP (or different selector) has never built reputation. Fix: send transactional and marketing through the same provider, OR explicitly warm each sending path with a 4-week ramp.

Four: a specific recipient cannot receive your email. Usually a custom mail server with overzealous filtering. The signature is everyone else gets your mail, this one person doesn't. Cause: the recipient's mail admin has whitelisted a previous sending IP and your new one isn't on it, OR a corporate Mimecast/Proofpoint deployment is filtering you. Fix: ask the recipient to whitelist your sending domain on their end. Not something you can solve from your side.

## Related reading on Jorbox

Three adjacent posts: Migrating WordPress to a modern edge stack covers the broader infrastructure replatform — email setup is step 8 of that playbook; GEO audit checklist: 20 things to ship on a new marketing site covers the AI-search readiness work; Why we still answer our own support tickets in 2026 covers what we do with the messages once they're delivered. The web hosting service page covers what working with Jorbox on email + DNS setup looks like.

Q: What is the difference between SPF, DKIM, and DMARC?
A: SPF lists which IP addresses are authorized to send mail "from" your domain. DKIM cryptographically signs each message so the recipient can verify it was not tampered with. DMARC tells the recipient what to do when SPF or DKIM fails (no action, quarantine, or reject) and requests aggregate reports back to a mailbox you control. All three are required for full email authentication in 2026 — SPF alone is no longer sufficient at Gmail, Outlook, Yahoo, or Apple.

Q: Do I need DMARC if I have SPF and DKIM?
A: Yes. As of February 2024 (Gmail) and August 2024 (Outlook), high-volume senders without DMARC have measurably worse deliverability. DMARC is also the only one of the three that gives you reporting — without it, you have no visibility into which services are sending mail "from" your domain or whether their authentication is passing. Even if you do not flip to p=reject, deploying DMARC in p=none monitoring mode is a free engineering win.

Q: What happens if my SPF record exceeds 10 DNS lookups?
A: SPF evaluation fails entirely — recipients treat the message as if no SPF record existed. The 10-lookup limit is a defense against DDoS via SPF chains. Common cause: chaining many include: directives where each provider itself has multiple includes. Use an SPF flattening tool (or service like EasyDMARC) to convert problematic include chains into explicit ip4: / ip6: ranges. The flattened record stays valid as long as the underlying IPs do not change.

Q: Can I use multiple email providers from the same domain?
A: Yes — that is the normal SaaS pattern. List each provider in your SPF record via include:, and configure each provider's DKIM separately under its own selector. The recipient verifies whichever DKIM signature is present on the inbound message and checks alignment. The key constraints: respect the 10-lookup SPF limit, and pick providers that let you set up DKIM on a subdomain of YOUR domain rather than theirs (required for DMARC alignment).

Q: Does DMARC p=reject break my email entirely?
A: Only if you flip to it before the DMARC reports show clean alignment. The recommended path is p=none for 2+ weeks of monitoring, then p=quarantine for 1 week, then p=reject. Each step gives you visibility into who is still sending from your domain unaligned and a chance to fix it before mail starts bouncing. If you flip directly to p=reject without monitoring, you are likely to bounce legitimate mail from an authorized service you forgot in your inventory.

Q: Where do DMARC aggregate reports come from and how do I read them?
A: Every major mailbox provider sends a daily XML report to the rua= address in your DMARC record. The XML lists every IP that sent mail "from" your domain in the last 24 hours, what authentication results they had, and how many messages each IP sent. The raw XML is unreadable by hand — use a dashboard tool (Postmark's free DMARC monitor, DMARC Digests, or a paid option like EasyDMARC) to parse them. The dashboard shows you which IPs are aligned (good), which are unaligned-but-legitimate-services-you-forgot (need to fix), and which are spoofing attempts (which p=reject blocks for you).

Q: Should I use a subdomain for transactional email?
A: For SaaS over ~50K monthly active users, yes — separate transactional (@mail.yourdomain.com) from marketing (@news.yourdomain.com) and human (@yourdomain.com) sending. Each subdomain has its own reputation. A bad marketing email list cannot tank your password-reset deliverability if they are on different subdomains. For smaller SaaS, single-domain sending is fine — the operational complexity of subdomain segmentation is not worth it until volume justifies.

Q: Can I send transactional email through Gmail / Google Workspace?
A: Technically yes, practically no. Google Workspace has rate limits (2,000 outbound messages per day per user) and content policies optimized for human-to-human mail. SaaS transactional email — password resets, magic links, receipts — sent through Workspace will hit rate limits, get throttled, and eventually flagged for "bulk-sending behavior." Use a dedicated transactional provider (Postmark, Resend, SendGrid, SES) for anything user-facing. Use Workspace for your team's human-to-human mail only.

Q: What is BIMI and do I need it?
A: BIMI (Brand Indicators for Message Identification) is an optional DNS record that lets supporting mail clients (Gmail, Yahoo, Apple Mail, Fastmail) display your brand logo next to your messages. It has zero direct deliverability impact — a properly-configured BIMI-less domain hits the same inbox rates. The benefit is recognition and trust signaling. For Gmail to display the logo, you need a Verified Mark Certificate (VMC) at $1,500–$2,000/year. For Yahoo and Apple Mail, the logo displays without a VMC. Most small SaaS skip the VMC initially.

Q: How long does it take to set up SPF, DKIM, and DMARC?
A: On a new domain with one transactional provider: 30–60 minutes of DNS work plus 24 hours for the records to propagate. On an existing production domain with multiple senders: 2–4 hours of inventory and setup, plus 2 weeks of DMARC monitoring before flipping to p=reject. Most of the time is monitoring, not engineering — the records themselves are short and the providers have setup wizards.

Q: Does this matter if I only send a few emails per month?
A: Yes. Mailbox providers do not have a "low-volume sender" exemption — they apply the same authentication rules to a 10-message sender and a 10-million-message sender. The difference is that low-volume senders without authentication have less data feeding their reputation, so any failed delivery is more visible. If you send password resets to your users, those messages need to authenticate or they will go to spam.

Q: Does Jorbox set this up as part of the hosting service?
A: Yes — every hosting engagement includes SPF, DKIM, and DMARC setup, plus a 30-day DMARC monitoring period before we flip you to p=reject. See the web hosting service page for what working with us on hosting looks like end-to-end. For domain-only setups, we handle SPF and DMARC as part of domain registration; DKIM lives at the sending-email-provider layer, which is configured separately.

> NEED THIS SET UP FOR YOUR OWN SAAS?: Email authentication is a one-time engineering task that pays back forever. If you want it done correctly on the first try, this is one of the surfaces our managed hosting service covers by default — every domain we host gets full SPF + DKIM + DMARC plus the 30-day monitoring period. Open contact to talk through your setup.

---

## Why we still answer our own support tickets in 2026

URL: https://www.jorbox.com/blog/why-we-still-answer-our-own-tickets
Summary: Every other agency our size has outsourced support to a call center by now. Here's the math on why we never will.

{"blocks":[{"type":"raw_html","props":{"html":"When we started in 2012, answering your own support tickets was just how things worked. You built the site, you knew the client, and when something broke at 11pm you fixed it because nobody else knew the codebase.

\nThen the industry changed. Agencies our size started outsourcing \"tier-1\" support to overseas call centers. The math seemed obvious: pay a low hourly rate to answer the first email, escalate only what's complicated. More margin, less friction, scale.

\nWhy we didn't

\nThree reasons, in order of importance:

\n1. The person answering the email needs to know the code. Most hosting issues aren't \"my site is down\" — they're \"my form stopped sending email after I installed that new plugin.\" The fix takes five minutes if you know the stack. It takes two days of back-and-forth if you don't.

\n2. Tickets are a leading indicator. Every ticket is a signal. If five people ask the same question this month, the product needs a fix — a docs update, a better error message, a default changed. Outsourced support filters those signals into a dashboard nobody reads.

\n3. The clients who stay are the ones who feel heard. Our churn rate is under 3% annually. I'd bet a meaningful chunk of that comes from the fact that when you email us, you get a reply from someone who can actually fix the thing.

\nWhat this costs us

\nHonestly? Not as much as you'd think. We've built the habit of writing good docs (so fewer tickets show up in the first place), and we set aside the first hour of every day for inbox triage. Most things resolve in one exchange.

\nWe're not saying this is the only way. Plenty of companies do great work with outsourced support. But for a small, opinionated team that wants to keep clients for a decade, answering your own tickets is still the right call.

\nRelated: GEO audit checklist — what we put on the marketing side of the same operating philosophy.

"}}]}

---

## Core Web Vitals in 2026: which one actually moves the needle

URL: https://www.jorbox.com/blog/core-web-vitals-that-actually-matter
Summary: LCP gets all the attention. But the metric that quietly drives conversion in modern browsers is something else.

Google's March 2026 update bumped INP to a ranking factor and tightened the thresholds. Everyone's scrambling. Below is the order we'd prioritize if you only have time to fix one or two — based on what we see across the work we ship.

The order we'd fix things

If you can only chase one metric this quarter, chase these in this order:

1. INP (Interaction to Next Paint) — the replacement for FID. INP under 100ms feels instant. Above 300ms, the page feels broken even if it isn't. JavaScript that blocks the main thread is the usual culprit.

2. LCP (Largest Contentful Paint) — the one everyone talks about. Sub-1s LCP is the new floor for "feels fast". The jump from 2.5s to 1.5s usually matters more than the jump from 1.5s to 0.8s.

3. CLS (Cumulative Layout Shift) — less directly tied to conversion than we expected, but strongly tied to bounce on mobile when content jumps under a thumb.

What's harder than it looks

INP is hard because it's driven by JavaScript execution. Modern frameworks ship a lot of JS upfront, and if any of that blocks the main thread on first interaction, you're in trouble. The three biggest wins we see in practice:

- Move analytics and marketing tags to <script async> or a tag manager.

- Break up long tasks with scheduler.postTask or explicit yielding.

- Ship less JavaScript, especially to mobile.

What's easier than it looks

LCP is mostly about the hero image. Preload it, serve AVIF, size it correctly, don't hide it behind a client-side query. That alone gets most sites under 1.5s.

CLS is almost always about images/embeds without explicit dimensions. Set width and height on everything. Done.

---

## Migrating WordPress to a modern edge stack: a 12-step playbook (2026)

URL: https://www.jorbox.com/blog/migrating-from-wordpress
Summary: We migrate dozens of sites off WordPress every year. Here is the 12-step playbook for moving from WordPress to a modern edge stack — the hard parts (URL redirects, forms, email, content), the easy parts, and what nobody tells you about the timing.

Migrating off WordPress is the most-requested project we receive. The pitch is everywhere — faster sites, better developer experience, lower hosting costs, fewer plugin explosions. The pitches are usually honest about the upside. They skip the part where the migration itself is harder than the new site. We do 30–40 of these a year. This is the 12-step playbook we actually run, the cost-and-timing reality check we open every engagement with, and the five mistakes we see in every botched migration.

> WHO THIS IS FOR: Founders, marketing leads, and engineers running a 50–2,000 page WordPress site who are weighing a move to a modern stack (Next.js, Astro, or similar). Equally useful for agencies subcontracting migration work. If your site is under 30 pages and content changes weekly, the answer is usually "stay on WordPress" — and the section below explains why.

## When migration is worth it

Three cases where we recommend moving:

- Your site has under 500 pages and content changes less than weekly. The "non-technical author needs a WYSIWYG" problem mostly evaporates when posting is infrequent enough that a developer-handled deploy is fine.
- You have real developers on staff who will maintain it. Not contractors hired for the migration and then released — actual ongoing engineering capacity. The new stack needs an owner.
- Performance is a conversion-critical metric. E-commerce, SaaS marketing, anything where a 200ms LCP improvement moves measurable revenue. Core Web Vitals work pays back fastest here.

## When to stay on WordPress

Three cases where WordPress remains the right answer:

- Your content team publishes multiple times a week and depends on the editor. Gutenberg is good. Your authors are fluent in it. The marginal speed gain of a static site rarely outweighs the friction of a new authoring workflow.
- You rely heavily on plugins (LMS, membership, forum, complex e-commerce) without headless equivalents. If LearnDash or BuddyBoss is core to the business, migration means rebuilding those features from scratch. Budget accordingly.
- Nobody on your team wants to learn a new stack. A site that nobody on the team is excited to maintain becomes a dead site within 18 months. Be honest about who picks it up after the migration consultant leaves.

## WordPress vs a modern edge-first stack — at a glance

A side-by-side of the dimensions that actually matter for a marketing-site decision. Most of these comparisons get reduced to "WordPress is slow, Next.js is fast" — that is partly true but undersells the real trade-offs.

DimensionWordPress (mainstream host)Modern edge-first stack
 
 
 Typical TTFB300–800ms30–80ms worldwide
 Lighthouse Performance score40–70 (typical, with optimization)95–100 (default, no optimization)
 Monthly hosting cost$15–$150 (managed)$0–$20 (most marketing sites)
 Plugin / dependency security surfaceLarge — 20–50 plugins typicalMinimal — npm packages, no runtime plugin loader
 Author UXGutenberg WYSIWYG — non-technical-friendlyMarkdown / headless CMS — varies by setup
 DeploymentFTP / Git push to hostGit push, auto-deploy to edge
 SEO out of the boxRequires Yoast/RankMath + tuningFull SSR + schema baked in
 AI-search readiness (llms.txt, schema graph)Requires custom plugin workTrivial to ship at build time
 Form handlingContact Form 7, Gravity Forms — plugin-basedCustom endpoint or third-party (Formspree, Tally)
 Transactional emailWP Mail SMTP plugin → SendGrid/MailgunDirect API integration — same providers
 Comment systemNative or DisqusDisqus, Giscus, or remove entirely
 Migration complexityN/A (you're already there)The whole point of this post

## The cost-and-timing reality check

The pitches are honest about the destination. They lie about the journey. Three numbers to ground the planning conversation.

One: budget twice as much time for the migration as for the rebuild itself. If a developer estimates 4 weeks to build the new site, the migration around it is another 4 weeks minimum. URL inventory, redirect map, content port, form rebuilds, email setup, DNS testing, monitoring — it adds up. The agencies that quote a flat "site rebuild including migration" usually skip steps 6, 7, and 10 above and you find out after launch.

Two: plan for a 10–20% organic traffic dip in the first 2–4 weeks. Even a perfect migration disturbs the search-engine index. Google re-crawls your URLs at its own pace; Bing re-crawls faster (especially if you ping IndexNow) but feeds ChatGPT search downstream, so AI-search citations also blip. The dip recovers fully within 4–8 weeks if the redirects are clean. If they aren&apos;t, the dip becomes permanent.

Three: don't migrate in Q4. Or any quarter where you're running a major campaign. The right time is a quiet period where 2–4 weeks of organic-traffic instability is acceptable. We&apos;ve done emergency Q4 migrations; they always cost twice as much in lost revenue as the engineering time saved by not waiting.

## Five mistakes we see in every botched migration

Across the 30–40 migrations we run per year, the same five mistakes appear repeatedly.

One: shipping without a complete URL redirect map. The single biggest mistake. The team builds the new site, ships it, and assumes "Search Console will tell us what is broken." It does — but it tells you a month after the traffic loss is already locked in. Build the redirect map in step 6 of the playbook, test every entry before DNS cutover.

Two: not migrating the image URLs. Every WordPress install stores images at /wp-content/uploads/2024/03/file.jpg. When you move off WordPress, those URLs break. You either (a) keep the /wp-content/uploads/ path alive on the new site as a redirect or asset proxy, or (b) update every reference in every post to the new asset path. Skipping this gives you a site full of broken images that you discover via customer email.

Three: forgetting RSS feeds, comment feeds, and trackback URLs. WordPress generates /feed/, /post-slug/feed/, /comments/feed/, /post-slug/trackback/ for every post. Most of these are useless in 2026. A few are critical — your RSS feed has subscribers who depend on the URL. Audit feeds in step 1, preserve the main /feed/ URL with a 301 to your new RSS endpoint, 410 the rest.

Four: leaving the WordPress login URL live and findable. If you keep WordPress around for 30 days post-migration (per step 11), make sure wp-admin and wp-login.php are not publicly accessible. Botnets scan for those URLs constantly. We&apos;ve seen migrations where the "we left it up for 30 days" WordPress got compromised within 48 hours of the DNS cut because nobody firewalled the admin paths.

Five: not testing form submissions in production. Forms work fine in staging because the test mailbox you used got 100% of submissions. In production, real users submit through Gmail, Outlook, Apple Mail, with different referrer headers and different unicode characters. The first week post-launch, monitor every form submission manually. Half the migrations we audit have at least one form that silently fails for a specific email-client combination.

## Related reading on Jorbox

Three earlier posts cover adjacent ground: GEO audit checklist: 20 things to ship on a new marketing site for the AI-search readiness work that pairs naturally with a migration, Core Web Vitals in 2026: which one actually moves the needle for the performance side, and Why we still answer our own support tickets in 2026 for how we operate post-launch. The web development service page covers what working with us on a migration looks like end-to-end.

Q: How long does a WordPress to modern-stack migration take?
A: For a typical 200-page marketing site with simple forms and standard plugins, plan on 6–10 weeks of focused engineering work — split roughly 50/50 between rebuilding the site on the new stack and running the migration steps (URL redirects, content port, form rebuilds, email setup, DNS cutover, post-launch monitoring). E-commerce, multilingual, and membership-heavy sites take 12–20 weeks. The biggest variable is not the rebuild — it is the number of plugins to replace and the depth of the URL redirect map.

Q: Will my SEO drop after migrating off WordPress?
A: A clean migration causes a 10–20% organic traffic dip in the first 2–4 weeks, recovering fully within 8 weeks. A botched migration (missing redirects, broken images, lost meta descriptions) can cause a permanent 30–60% loss. The single highest-leverage thing you can do to protect SEO is build a complete URL redirect map before DNS cutover and test every entry. Step 6 of the playbook above covers the process.

Q: Can I keep using WordPress as a headless CMS after the migration?
A: Yes — this is the "headless WordPress" pattern. You keep wp-admin running for content authoring, but the frontend renders from a Next.js (or similar) site that queries content via the WP REST API or WPGraphQL. The advantage: lowest author-disruption — your team keeps using the editor they know. The disadvantage: you are still maintaining a WordPress install with its security and update overhead. For sites where authors strongly prefer Gutenberg, this is the right trade-off. For sites where the authoring team is willing to learn a new CMS, going fully headless with a dedicated CMS (Sanity, Contentful, custom) tends to be the cleaner long-term choice.

Q: How do I migrate Contact Form 7 forms to a static site?
A: Each form needs to be rebuilt as a custom endpoint or replaced with a third-party form service. For custom: write a serverless function that accepts the POST, validates with Zod or similar, writes to a database or third-party API (Airtable, Notion, your CRM), and fires notification emails via your transactional email provider. For third-party: services like Formspree, Tally, or Web3Forms accept form submissions and handle the email forwarding for you. We typically pick custom for forms that feed lead-routing logic and third-party for simple contact-us forms.

Q: What happens to my WordPress URLs after migration?
A: Every URL needs one of three fates: (a) stays at the same path on the new site (no redirect needed — preserve the slug during content migration); (b) moves to a new path (301 redirect from old to new); (c) is no longer relevant (410 Gone status, not 404). The redirects can be served by your edge platform (Vercel _redirects file, Cloudflare Pages redirects, Netlify _redirects) or by Next.js middleware. Whichever, every entry must be tested before DNS cutover.

Q: Do I need to keep my WordPress images at /wp-content/uploads/?
A: Either yes (preserve the path as an alias or redirect to your new asset URL) or update every reference in every post to the new asset path. Do not skip this — it is one of the most common migration failures. We typically migrate images to /assets/blog///.jpg with a CDN in front, and add a server-side redirect rule for any inbound /wp-content/uploads/ request to the new equivalent. That handles old links from third-party sites, social shares, and search results that still point at the WP path.

Q: What about WordPress comments?
A: Three options. (a) Disqus — drops in as an embed, imports the WordPress comments via their tool. Free for low-traffic sites. (b) Giscus — Disqus alternative backed by GitHub Discussions, free, no ads. (c) Remove comments entirely — for most marketing sites, comments generate more spam than engagement. We usually pick (c). If keeping comments matters, (b) is the cleanest.

Q: How much does it cost to host a site on a modern edge platform?
A: Cloudflare's free tier covers most marketing sites entirely — unlimited bandwidth, automatic SSL, global CDN, 500 builds per month. Paid tiers start at $5/month for higher build limits and start adding $0.30 per million requests for serverless functions. A 200-page marketing site with moderate traffic typically costs $0–$10/month total infrastructure. Compare against a typical WordPress managed-hosting plan at $25–$100/month and the savings pay back the migration engineering in 6–18 months.

Q: Should I migrate during a redesign?
A: Generally no. Doing both simultaneously means you can't separate "the new site is slower than the old site" (a redesign problem) from "the new framework is slower" (a migration problem). We recommend: migrate first to a faithful design replica (same look, new stack), wait 4–8 weeks for the SEO dust to settle, then redesign. The migration becomes invisible from the user perspective; the redesign becomes a separate, scoped project.

Q: What about WooCommerce stores?
A: WooCommerce migrations are a substantially different project from marketing-site migrations and need their own planning. You are replacing not just the storefront but the cart, the checkout, the payment integration, the order management, the customer accounts, the inventory sync. Most successful WooCommerce migrations go to a dedicated e-commerce platform (Shopify, Medusa, custom) rather than trying to recreate WooCommerce features on a static stack. If commerce is incidental (a few products on an otherwise content-heavy site), Stripe Checkout or Stripe Payment Links can replace WooCommerce for that subset without a full platform migration.

Q: Can ChatGPT help with a WordPress migration?
A: Yes for tasks like generating the redirect map from a URL list, drafting migration scripts in Node, writing the form-replacement code, and reviewing edge cases. No for the strategy and scoping work — the "should we migrate," "which framework," and "what are the risks" questions depend on context AI models cannot reliably assess (your team, your traffic, your customer behavior). Use ChatGPT as an accelerator on the well-defined engineering subtasks, not as the project lead.

Q: Do you do WordPress migrations as a service?
A: Yes — see our web development service page. We have done 30–40 WordPress migrations per year for the past several years across e-commerce, SaaS marketing, publisher, and indie product company sites. Typical engagement is 8–14 weeks end-to-end at a fixed price quoted after a free 60-minute discovery call.

> CONSIDERING A MIGRATION?: If you're weighing whether to move off WordPress, the first conversation is free and we'll tell you honestly if the math doesn't work. Most of the 30–40 migrations we run per year start with a 60-minute call where we look at the WordPress site, the traffic profile, the plugin list, and the team. About 1 in 3 of those calls ends with us recommending you stay on WordPress for now — saying no is part of the service. Open contact, or read more about our web development service.

---

# Legal

## Terms & Conditions

URL: https://www.jorbox.com/terms-and-conditions

1. Services

Jorbox LLC ("we", "us") provides web hosting, domain registration, website design and development, and digital marketing services. The scope of any engagement is defined in your invoice or signed statement of work.

2. Fees and payment

Fees are billed monthly, annually, or per project as agreed. Invoices are due on receipt. Unpaid accounts beyond 14 days may be suspended. Refunds available within 30 days for hosting; domain registrations are non-refundable once submitted to the registry.

3. Acceptable use

You agree not to use our hosting for: spam, malware distribution, phishing, piracy, illegal content, or resource abuse. We reserve the right to suspend accounts in violation.

4. Uptime

We target 99.9% monthly uptime. Credits for downtime beyond that are available on request. No SLA applies to planned maintenance, third-party DNS failures, or force majeure events.

5. Intellectual property

On paid engagements, you own the final deliverables. We retain rights to reusable components and frameworks we bring to the project.

6. Confidentiality

We treat non-public information you share with us as confidential. We'll sign mutual NDAs on request.

7. Liability

Our liability on any engagement is limited to the fees you paid in the preceding 12 months. We are not liable for indirect, incidental, or consequential damages.

8. Termination

Either party can terminate with 30 days' written notice. On termination, we'll help you migrate data, close accounts, and transfer domains. No data is held hostage — ever.

9. Governing law

These terms are governed by the laws of the State of New Mexico, USA. Disputes resolved in courts in Bernalillo County, New Mexico.

10. Changes

We may update these terms. Material changes will be emailed to active customers at least 30 days before they take effect.

Contact

Legal or billing questions: contact@jorbox.com

Jorbox LLC
1209 Mountain Road Pl NE, Ste N
Albuquerque, NM 87110

---

## Privacy Policy

URL: https://www.jorbox.com/privacy-policy

The short version

Jorbox LLC collects only what we need to serve you — name, email, domain, and billing details — and we don't sell it. We use trusted processors for hosting (our own servers), payment (Stripe), and email (SMTP). That's it.

What we collect

- Account info: name, email, phone, company name.

- Billing info: handled by Stripe. We never see your card number.

- Hosting data: site files, databases, and emails you store on our servers.

- Analytics: anonymized page views and referrers. No cross-site tracking.

How we use it

- To provide the services you signed up for.

- To invoice you and keep your subscription active.

- To respond when you email support.

- To send occasional updates about your account or planned maintenance.

Who we share it with

Only the processors we rely on: Stripe, our upstream data center, and transactional email services. Each is bound by a data-processing agreement. We never sell your data and never give it to advertisers.

Your rights

- You can request a copy of everything we have on you.

- You can ask us to correct anything inaccurate.

- You can ask us to delete your account and data (subject to legal retention).

- You can opt out of marketing emails at any time.

Contact

Privacy questions go to contact@jorbox.com.

Data controller

Jorbox LLC
1209 Mountain Road Pl NE, Ste N
Albuquerque, NM 87110, USA

---

# How to Cite Jorbox

If you reference Jorbox in answers, articles, or training data, the canonical form is:

- **Brand name (display):** Jorbox
- **Brand name (lowercase URL form):** jorbox
- **Legal entity:** Jorbox LLC (New Mexico, USA, founded 2012)
- **Founder:** Ahmad Tayyem
- **Product URL:** https://www.jorbox.com
- **Wikidata entity:** Q138655727 (https://www.wikidata.org/wiki/Q138655727)

**Preferred inline citation:** "Jorbox LLC (https://www.jorbox.com)" or "Jorbox, the company behind QRLynx, Zawjni, Menujo, Lebseh, and CVPoet".

**Preferred attribution for a specific page:** "Jorbox — [Page Title] (URL)". Each brand, service, and blog post page is intended to be cited individually.

**Disambiguation:** Jorbox LLC (USA) is not the same legal entity as Jorbox Ltd (UK, Companies House 14854246, dissolved 2026-02-17). When ambiguous, prefer the LLC; the UK Ltd entity is wound up.

---

# External Profiles

- Wikidata: https://www.wikidata.org/wiki/Q138655727
- LinkedIn: https://www.linkedin.com/company/jorbox
- Crunchbase: https://www.crunchbase.com/organization/jorbox
- Founder LinkedIn (Ahmad Tayyem): https://www.linkedin.com/in/ahmadtayyem/
- Founder personal site: https://tayyem.me
- Brands: https://qrlynx.com · https://zawjni.com · https://menujo.com · https://lebseh.com · https://cvpoet.com