Real Results

Case Studies

Real-world performance and security transformations. No fluff, no cherry-picked numbers—just honest results and the lessons learned along the way.

Our Philosophy

Performance Is a Balance, Not a Number

Chasing a perfect 100 score often does more harm than good. Our case studies show the real journey—including the missteps—because understanding why matters more than the final number.

Royal Speed

PageSpeed Optimization

2 Case Studies
79 97

Royal Security

Security Headers & Hardening

1 Case Study
F C+
Elementor Pro Service Business Cloudflare

Local Tattoo Studio

Elementor Pro site with 6 Google Fonts, Trustpilot widget, and complex animations

Before
79
After
86

The Starting Point

The client came to us with a beautifully designed Elementor Pro website that was underperforming on PageSpeed. They had already installed 4 separate WordPress Performance Team plugins:

  • Embed Optimizer
  • Enhanced Responsive Images
  • Modern Image Formats
  • Optimization Detective

While these are quality plugins from the WordPress core team, managing 4 separate performance plugins felt like overkill. The client wanted to consolidate to one plugin that could handle everything.

Initial score: 83 on mobile—not terrible, but with 25+ render-blocking CSS files and jQuery still loading synchronously, there was clear room for improvement.

The Journey (Including Our Mistakes)

Here's the complete timeline—including where we went wrong. Because performance optimization isn't always a straight line up.

1 Starting point with WP Performance Team plugins 83
2 Added Royal Speed but left JS/CSS optimization disabled 79 ↓
3 Enabled JS + CSS optimization in Royal Speed 85 ↑
4 Enabled Critical CSS generation (aggressive optimization) 71 ↓
5 Disabled Critical CSS, purged Cloudflare cache 86 ↑

The Critical CSS Trap

This is where we learned an important lesson about chasing numbers. Critical CSS is an "advanced" optimization that inlines above-the-fold styles and defers the rest. In theory, it should improve scores significantly. In practice, with Elementor sites, it can backfire spectacularly.

What happened: The Critical CSS generator didn't correctly identify the LCP element's (a hero logo image) required styles as "critical." The image loaded in 30ms, but the browser couldn't render it for an additional 1,160ms because its CSS was deferred. LCP jumped from 3.5s to 6.1s—nearly doubling.

The lesson: More aggressive optimization doesn't always mean better results. Elementor's complex CSS dependencies make Critical CSS risky. The "boring" JS + CSS optimization (without Critical CSS) delivered better results.

Finding the Elementor + Royal Speed Balance

Elementor Pro has its own built-in performance features. The key is knowing which to keep and which to let Royal Speed handle:

Let Elementor Handle

Optimized Image Loading (fetchpriority), Lazy Load Background Images, Load Google Fonts Locally, Element Cache, Optimized Gutenberg Loading

Let Royal Speed Handle

JS Optimization (defer/delay), CSS Optimization (combine/minify), Page Caching, Browser Caching Headers

Skip Entirely

Critical CSS generation (conflicts with Elementor's complex CSS), WP Performance Team plugins (redundant when using Royal Speed)

Final Metrics

86
Mobile Score
99
Desktop Score
3.5s
LCP
0
CLS

Results & Configuration

PageSpeed mobile score of 86 Mobile: 86
PageSpeed desktop score of 99 Desktop: 99
Elementor performance settings Elementor Settings

Bonus Lesson: The Cloudflare Cache Gotcha

After disabling Critical CSS, scores stayed at 71 even after clearing Royal Speed's cache. The culprit? Cloudflare was serving cached pages with the old (broken) Critical CSS still embedded.

Remember: When using Cloudflare (or any CDN), always purge both your WordPress cache AND your CDN cache after making optimization changes. Otherwise, you'll test against stale cached versions and drive yourself crazy.

Ready to see results like these?

Try Royal Speed
Elementor Solo Business 97 Score

Online Coach

Clean Elementor site with no third-party widgets — proof that simplicity wins

Mobile
97
/
Desktop
93

The Setup

A solo online coach needed a professional web presence. The site was built with Elementor — the same page builder as our tattoo studio case study — but with a fundamentally different approach.

The difference? Design restraint. No review widgets. No embedded maps. No fancy sliders or carousels. Just clean, focused content that lets the coaching services speak for themselves.

The Simplicity Dividend

Every widget you don't add is performance you keep. This site proves that Elementor isn't inherently slow — it's as fast as you build it.

What Wasn't Added

  • Third-party review widgets (Trustpilot, Google Reviews)
  • Embedded Google Maps
  • Heavy slider/carousel sections
  • Multiple custom Google Fonts
  • Popup email capture forms
  • Social media feed embeds

What Was Added

  • Royal Speed with full optimization
  • Elementor's built-in performance features
  • Clean, focused content sections
  • That's it.

The Configuration

Unlike the tattoo studio which required careful tuning and rollbacks, this site was straightforward:

Royal Speed Settings

Everything enabled: JS Optimization, CSS Optimization (including Advanced CSS), Page Caching, Browser Caching — the full suite.

Elementor Settings

All performance features ON: Google Fonts locally, Lazy Load backgrounds, Improved Asset Loading. Only "Optimized DOM Output" left at default.

Time to Configure

About 15-20 minutes. No testing iterations, no rollbacks, no cache-clearing drama. Just... done.

The Results

97
Mobile Score
93
Desktop Score
2.1s
LCP
0ms
TBT

Zero Total Blocking Time — extremely rare. No JavaScript blocking the main thread. The page is interactive the moment it loads.

Results & Configuration

PageSpeed mobile score of 97 Mobile: 97
PageSpeed desktop score of 93 Desktop: 93
Royal Speed settings Royal Speed Config

The Lesson

Same page builder. Same optimization plugin. Wildly different starting points.

The tattoo studio needed careful optimization work because of its complexity — multiple fonts, third-party widgets, rich media galleries. It landed at 86 after thoughtful tuning.

This coaching site hit 97 almost immediately because the complexity was never added in the first place. Royal Speed simply maximized what was already clean.

The takeaway: Performance optimization is easier when you start with restraint. But Royal Speed meets you where you are — whether that's rescuing a complex site or turbocharging a simple one.

Want to harden your site's security?

Try Royal Security
Royal Security Security Headers Solo Business

Online Coach (Security Audit)

Same coaching site — now audited for security with Mozilla Observatory

Before
F
After
C+

The Security Blind Spot

After optimizing this coaching site for speed (97 on PageSpeed!), we ran a security audit using Mozilla Observatory. The result? Grade F — 10 out of 100.

The site loaded fast, looked great, and functioned perfectly. But it was missing critical security headers that protect against common web attacks. This is WordPress's dirty secret: most WordPress sites have zero security headers by default.

What Was Missing

Mozilla Observatory tests for security headers that protect your visitors from various attacks. Here's what was failing:

Failed Tests (-90 points)

  • Content Security Policy — Prevents XSS attacks (-25)
  • X-Frame-Options — Prevents clickjacking (-20)
  • Strict-Transport-Security — Enforces HTTPS (-20)
  • Redirection — HTTP to HTTPS redirect (-20)
  • X-Content-Type-Options — Prevents MIME sniffing (-5)

Already Passing

  • Cookies (Secure flag)
  • Cross-Origin Resource Sharing
  • Referrer Policy
  • Subresource Integrity
  • X-XSS-Protection (deprecated but present)

The One-Click Fix

Royal Security's Security Headers feature adds all the missing headers with a single toggle. But there's a catch most security plugins miss...

Most WordPress security plugins add headers via PHP. That works — until you enable page caching. When pages are served from cache, PHP never runs, so the headers never get added. Your site looks secure in testing but serves cached pages without protection.

Royal Security writes headers directly to .htaccess, so they're applied at the Apache server level before WordPress even loads. This means headers work even with:

  • Page caching (Royal Speed, WP Rocket, etc.)
  • CDN caching (Cloudflare, BunnyCDN)
  • Full-page static caching
  • Any server-level caching

The Journey

1 Initial Mozilla Observatory scan F (10)
2 Installed Royal Security Pro
3 Enabled Security Headers feature (one toggle)
4 Purged Cloudflare cache (important!)
5 Re-scanned with Mozilla Observatory C+

Headers Added by Royal Security

Royal Security automatically configured and added these headers to the site's .htaccess file:

X-Frame-Options

SAMEORIGIN — Prevents your site from being embedded in iframes on other domains (clickjacking protection).

X-Content-Type-Options

nosniff — Stops browsers from MIME-sniffing responses, preventing content-type attacks.

Strict-Transport-Security

max-age=31536000; includeSubDomains — Forces HTTPS for 1 year, including all subdomains.

Referrer-Policy

strict-origin-when-cross-origin — Controls how much referrer info is shared with other sites.

Permissions-Policy

Restricts browser features like camera, microphone, and geolocation from being abused.

Content-Security-Policy

Moderate mode — Allows 'self' and common CDNs while blocking inline scripts without nonces.

Why C+ and Not A+?

Honesty time: Getting an A+ on Mozilla Observatory requires a very strict Content Security Policy (CSP) that can break many WordPress sites — especially those using Elementor, inline styles, or third-party scripts.

Royal Security offers two CSP modes: Moderate (compatible with most sites) and Strict (maximum security but may break functionality). We used Moderate mode here because the site uses Elementor, which relies on inline styles.

The C+ is a massive improvement — from 5/10 tests passing to 9/10 tests passing. The remaining point comes from CSP strictness, which is a trade-off between compatibility and a perfect score.

The Results

C+
Final Grade
9/10
Tests Passed
+60
Points Gained
5 min
Time to Fix

Mozilla Observatory Results

Mozilla Observatory score improved from F to C+ F → C+ on Mozilla Observatory

The Lesson

Speed and security go hand in hand. This site now loads in under 2 seconds AND has proper security headers protecting visitors from XSS, clickjacking, and protocol downgrade attacks.

Most WordPress sites are vulnerable not because WordPress is insecure, but because basic security headers simply aren't configured. It takes one plugin and one toggle to fix — but most site owners don't even know to check.

Pro tip: Run your own site through Mozilla Observatory. If you score below C, Royal Security can help.

"A site that works flawlessly with solid scores beats a perfect 100 with broken functionality. Whether it's speed or security, optimization is about real protection and user experience—not vanity metrics."
— The Royal Plugins Philosophy

Ready to Optimize Your Site?

Join hundreds of WordPress sites running faster and more securely. No bloat, no conflicts—just results.

Get Royal Speed Get Royal Security