What I Found Auditing Small Business Websites (And Why Most Developers Won't Tell You)
Most small business websites have hidden security flaws, wasted monthly spending, and GDPR violations that nobody has flagged. The people who built them have no reason to tell you.
I've looked under the hood of dozens of small business websites. The patterns I keep finding are alarming — and most developers will never tell you about them.
Not because they're bad people. Because they're in an awkward position. The agency that built your site isn't going to ring you up and say "by the way, we left a few security holes open and you're technically breaking data protection law." That phone call doesn't happen.
So these problems sit there. Quietly. For months. Sometimes years. And the business owner has no idea.
Why don't developers tell you about these problems?
There are really only two reasons, and neither of them is malicious.
They built the problems. If your agency set up your WordPress site with seventeen plugins, half of which haven't been updated in two years, they're not going to call you and admit that. They'd be admitting they did a poor job. No one does that voluntarily.
They're profiting from the status quo. If you're paying a monthly retainer for "SEO management" and your rankings haven't moved in six months, the person taking that money isn't going to suggest you stop paying. They'll send you a report full of graphs that go up and to the right and hope you don't ask too many questions.
This isn't a conspiracy. It's just human nature. The person who built your house isn't the best person to do the survey. You need someone independent who has nothing to lose by telling you the truth.
What are small businesses actually wasting money on?
This is the one that frustrates me most, because the money involved is real and most of it is completely avoidable.
I regularly find businesses spending £200-500 per month on tools that either duplicate each other or do nothing measurable. That's £2,400 to £6,000 a year, quietly draining out of the business, and nobody's questioning it because "that's just what the website costs."
Here's what I keep seeing:
- Duplicate SEO tools. Paying for Yoast Premium and an SEO agency's proprietary tool and a separate rank tracker. Three tools doing roughly the same job. Nobody noticed because they were set up at different times by different people.
- SEO retainers with no results. Monthly payments of £300-800 to an agency that sends a PDF report every month but can't point to a single keyword ranking improvement in six months. When I ask the business owner what they're getting for the money, they usually say "I'm not really sure."
- Premium hosting they don't need. A brochure site with 500 visitors a month sitting on a £50/month hosting plan when a £5/month plan would handle it identically. Someone upsold them at some point and they've never questioned it.
- Plugin and subscription overlap. A security plugin, a backup plugin, a performance plugin, and a maintenance plugin — when their hosting already includes security scanning, automatic backups, and a CDN. Four subscriptions doing work that's already covered.
A simple exercise: list every monthly payment connected to your website. Every plugin, every subscription, every retainer. Then ask yourself: what does each one actually do, and can I see evidence that it's working? If you can't answer that for every line item, you're probably overpaying.
How bad is the security problem really?
Bad. Genuinely bad. And the smaller the business, the worse it tends to be, because small businesses assume they're not a target.
They are a target. Automated bots don't care how big your company is. They scan every site on the internet looking for known vulnerabilities, and they find them constantly.
Here's what I find on a regular basis:
- Missing security headers on sites that take card payments. No Content-Security-Policy. No X-Frame-Options. No HSTS. These headers take minutes to add and they prevent entire categories of attack. Most agency-built sites don't have them.
- Default WordPress admin URLs still accessible. If your login page is at /wp-admin or /wp-login.php and it hasn't been moved, every bot on the internet is already trying passwords against it. Constantly.
- Outdated plugins with known vulnerabilities. Not obscure theoretical ones. Published vulnerabilities with proof-of-concept exploit code available on GitHub. The plugin update has been available for months. Nobody's applied it.
- SSL/TLS configured incorrectly. The padlock shows in the browser, so the owner assumes the site is secure. But an SSL Labs scan reveals TLS 1.0 still enabled and weak cipher suites, and the pages themselves throw mixed content warnings because some assets still load over plain HTTP.
These aren't theoretical risks. These are doors left unlocked on the high street. The fact that nobody has walked through them yet isn't security — it's luck.
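The header problem above is easy to check for yourself, and it is exactly what a scheduled scanner does each run. The script below is an added example, not tooling from the author or from SecurityHeaders.com: it takes the response headers from any HTTP client, reports which of the named headers (Content-Security-Policy, X-Frame-Options, HSTS, plus two cheap companions) are missing or too weak to do their job, and collapses the result into a letter grade on a scale of its own. The baseline values and the three sample responses are constructed for the example; the one caveat worth knowing is that a strict Content-Security-Policy can break a site that relies on inline scripts, so trial it in `Content-Security-Policy-Report-Only` before enforcing it.

```python
import re

# Baseline values this example recommends. Assumption: a typical brochure or
# shop site that can refuse to be framed and commit to a one-year HSTS age.
BASELINE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
HIGH_IMPACT = {"strict-transport-security", "content-security-policy"}
ONE_YEAR = 31536000


def _hsts_max_age(value):
    """Return the max-age directive of an HSTS header as an int, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """Return findings as (severity, header, problem, recommended value) tuples.

    `headers` is a mapping of response header names to values. Names are
    matched case-insensitively, as HTTP requires, so the headers object from
    any client library can be passed straight in.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    for name, recommended in BASELINE.items():
        if name not in h:
            sev = "high" if name in HIGH_IMPACT else "medium"
            findings.append((sev, name, "header missing", recommended))

    # Headers that are present but configured too weakly to protect anyone.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        age = _hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(("medium", "strict-transport-security",
                             f"max-age={age} is under one year",
                             BASELINE["strict-transport-security"]))

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", "x-frame-options",
                         f"unrecognised value {xfo!r}", "DENY"))

    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        findings.append(("low", "content-security-policy",
                         "policy allows inline script, so it will not stop injected script",
                         BASELINE["content-security-policy"]))
    return findings


def grade(headers):
    """Collapse the findings into a letter grade (this example's own scale)."""
    sevs = [f[0] for f in audit_headers(headers)]
    if "high" in sevs:
        return "F"
    mediums = sevs.count("medium")
    if mediums > 1:
        return "D"
    if mediums == 1:
        return "C"
    return "B" if sevs else "A"


# Constructed sample responses; none of these come from a real site.
WEAK = {"Server": "Apache", "Content-Type": "text/html; charset=utf-8"}
PARTIAL = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(f"{label}: grade {grade(sample)}")
        for sev, name, problem, fix in audit_headers(sample):
            print(f"  [{sev}] {name}: {problem} -> set to {fix!r}")
```

To use it against a live site, fetch the homepage with any HTTP client and pass its response headers to `grade()`; run it on a schedule and alert when the grade drops, and the monitoring part of a retainer is done.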
What GDPR violations are hiding on your website?
This is the one that makes business owners go pale, because GDPR violations carry real financial penalties and almost nobody is fully compliant.
Most small business owners don't even know their site is breaking the law. They trusted their developer to handle it, and their developer either didn't know the requirements or didn't prioritise them.
What I keep finding:
- Tracking scripts firing before consent. Google Analytics, Facebook Pixel, Hotjar — all loading the moment the page opens, before the visitor has clicked anything on the cookie banner. Some sites don't even have a cookie banner. The scripts run anyway.
- Google Analytics running without a cookie banner at all. The site owner often doesn't know it's there. A previous developer added it, or it came bundled with a template. It's been silently tracking every visitor without consent for months or years.
- Contact forms storing data without a privacy policy link. You're collecting names, email addresses, phone numbers — and there's no link to a privacy policy on the form, no checkbox for consent, and no explanation of what you'll do with that data.
- No data retention policy. All those contact form submissions, enquiry emails, and customer records — how long are you keeping them? If the answer is "forever, I suppose" then you're not compliant. GDPR requires you to define how long you hold personal data and delete it when that period expires.
A quick check you can do right now: open your website in a private browser window and watch the network tab in your browser's developer tools. If you see requests going to google-analytics.com, facebook.com, or any other tracking domain before you've interacted with a cookie banner, your site is violating GDPR. Today. Right now.
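The network-tab check above can be automated so it runs on every deploy rather than once. The script below is an added example, not the author's tooling: it takes a list of requests as the browser's network tab or a HAR export records them (URL plus milliseconds since navigation start), a timestamp for when the visitor accepted the cookie banner (or `None` if they never did or there is no banner), and returns every request to one of the tracking hosts named in this post that fired before consent. Host matching is done on the hostname only, so a first-party page whose path happens to mention facebook.com is not a false positive. The request list is constructed for the example, and the `G-XXXXXXX` measurement id is a placeholder.

```python
from urllib.parse import urlsplit

# Third-party tracking hosts named in the post. Extend with the ones your
# own tag manager loads; the matching below also covers their subdomains.
TRACKING_DOMAINS = (
    "google-analytics.com",
    "googletagmanager.com",
    "facebook.com",
    "facebook.net",
    "hotjar.com",
)


def is_tracking_host(host):
    """True if `host` is a listed tracking domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRACKING_DOMAINS)


def pre_consent_requests(requests, consent_at_ms=None):
    """Return the requests to tracking hosts that were made before consent.

    `requests`: iterable of dicts with "url" and "started_ms" (milliseconds
    since navigation start, as the network tab or a HAR export gives it).
    `consent_at_ms`: when the visitor accepted the banner, or None if they
    never did, in which case every tracking request is a finding.
    """
    hits = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if not is_tracking_host(host):
            continue
        if consent_at_ms is None or req["started_ms"] < consent_at_ms:
            hits.append(req)
    return hits


def summarise(hits):
    """Group findings by host so the report reads as a short plain list."""
    by_host = {}
    for req in hits:
        host = urlsplit(req["url"]).hostname
        by_host.setdefault(host, []).append(req["started_ms"])
    return {host: sorted(times) for host, times in by_host.items()}


# Constructed request log for a fictional shop; not captured from a real site.
SAMPLE_REQUESTS = [
    {"url": "https://www.example-shop.test/", "started_ms": 0},
    {"url": "https://www.example-shop.test/assets/site.css", "started_ms": 40},
    {"url": "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX", "started_ms": 120},
    {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX", "started_ms": 310},
    {"url": "https://connect.facebook.net/en_GB/fbevents.js", "started_ms": 350},
    # First-party page whose path mentions a tracker; must not be flagged.
    {"url": "https://www.example-shop.test/blog/facebook.com-tips", "started_ms": 400},
    # Loaded only after the banner was accepted at 9000 ms; compliant.
    {"url": "https://static.hotjar.com/c/hotjar-0000000.js", "started_ms": 9800},
]

if __name__ == "__main__":
    consent_at = 9000  # visitor clicked "accept" nine seconds in
    findings = pre_consent_requests(SAMPLE_REQUESTS, consent_at)
    for host, times in summarise(findings).items():
        print(f"{host}: contacted at {times} ms, before consent at {consent_at} ms")
    if not findings:
        print("no tracking requests before consent")
```

With consent at nine seconds, the three requests to Google Tag Manager, Google Analytics and Facebook are reported and the Hotjar load is not; passing `None` as the consent time (no banner at all) reports all four. Feeding it a HAR export from a fresh private-window visit turns the manual check into something you can re-run after every site change.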
Could AI be doing this work instead?
This is the question most agencies really don't want you asking. And the honest answer is: yes, a lot of it.
Most businesses are paying agencies hundreds or thousands of pounds a month for work that AI tools can now handle — if someone sets them up properly and shows you how to read the output.
I'm not talking about asking ChatGPT to write your About page. I'm talking about practical, measurable tasks that used to need a specialist sitting at a desk:
- Automated security scanning. Tools that check your security headers, SSL configuration, and known vulnerabilities on a schedule and alert you when something needs attention. No human needed for the monitoring — only for the fix.
- Performance monitoring. Automated Lighthouse audits that run weekly and flag when your Core Web Vitals drop below thresholds. You get a plain-English summary of what changed and what to do about it.
- Content updates. AI can draft blog posts, update product descriptions, and generate meta tags. A human should review them before publishing, but the heavy lifting is done in minutes instead of hours.
- SEO analysis. Keyword tracking, competitor monitoring, technical SEO audits, internal link analysis — all of this can be automated. The reports are often better than what agencies produce manually because the tools check everything, every time, without getting bored or cutting corners.
The shift isn't "AI will replace your developer." It's "a good developer using AI tools will do more for you at a lower cost than a traditional agency." The skill isn't in running the tools. It's in knowing which tools to trust, how to interpret what they tell you, and what to do about it.
What should you actually do about it?
If any of this sounds familiar, here's where to start. None of this costs anything except your time.
Get an independent audit. Not from the people who built your site. From someone who has no relationship with your current setup and nothing to lose by being honest. The audit should cover security, performance, accessibility, GDPR compliance, and a breakdown of what you're paying for monthly.
Run the free tools yourself. You don't need to be technical to do this:
- Google PageSpeed Insights — tells you how fast your site loads and what's slowing it down
- SecurityHeaders.com — grades your security headers from A to F. Most small business sites score a D or lower
- Qualys SSL Labs — tests your SSL certificate and encryption configuration
If your current developer or agency claims everything is fine, run these tools and compare the results against their claims. The tools don't have opinions. They just report what they find.
Audit your monthly spending. List every subscription, plugin, and retainer connected to your website. For each one, ask: what does this do, can I see evidence it's working, and would I notice if I cancelled it tomorrow? If you can't answer all three, it's worth investigating.
Ask your developer uncomfortable questions. When were the plugins last updated? What security headers are configured? Where is the data from contact forms stored and for how long? What measurable improvement has the SEO retainer produced in the last six months? A good developer will answer these questions clearly and without getting defensive. If they get evasive, that tells you something.
Get a free, independent website audit
This is why we offer a free audit. No obligation, no sales pitch. You get a report covering security, performance, GDPR compliance, and spending. It's yours to keep — give it to any developer you like.
Request your free audit