What does a website audit check for?

A proper website audit checks security (SSL, headers, software updates), performance (page load speed, mobile responsiveness), SEO (sitemaps, meta data, Google Business Profile), legal compliance (GDPR, privacy policy, cookie consent), and ownership (who controls your domain and hosting). Most free audits only cover one or two of these areas.

How many UK small business websites have security problems?

Based on audits of UK small business websites, around 68% are missing basic security headers, 14% have no SSL certificate or an expired one, and roughly 40% are running outdated CMS software with known vulnerabilities. These are common, fixable problems that most business owners don't know about.

How can I check if my website has problems?

You can do a few quick checks yourself: run your URL through Google PageSpeed Insights, check your site starts with https://, Google your business name to see what appears, ask your developer who owns your domain, and read your privacy policy to see if it actually names the cookies and third-party services your site uses.

Who owns my domain name?

Your domain should be registered in your name (or your business name) with your own email address. Many small businesses discover their domain is registered to their web developer, designer, or a former contractor. This means someone else technically controls your web address. You can check by asking your developer directly or looking up your domain on a WHOIS service.

Is a free website audit worth it?

A genuine free audit is worth it if it covers security, performance, SEO, compliance, and ownership — and gives you a plain-English report you can act on. Be wary of 'free audits' that are just automated scans followed by a hard sell. A good audit should tell you what's wrong, how serious it is, and what fixing it would involve, with no obligation.

Audit

What I found auditing small business websites (the patterns are alarming)

By Nicholas Hartnell, StagHill Software — March 2026

I started offering free website audits to small businesses a while back. The idea was simple: I'd look at someone's site, check the basics, and give them a plain-English report on what was working and what wasn't. I expected to find a few issues here and there. Maybe some slow load times. Maybe a missing meta description or two.

What I actually found was much worse than that.

Almost every business I looked at had problems they didn't know about. Not minor cosmetic stuff. Real problems. Security gaps. Compliance failures. Broken functionality that was silently costing them customers. And in a few cases, things that could genuinely land them in legal trouble.

I'm going to share what I found, because I think most small business owners in the UK have no idea what state their website is actually in. And I think the people they're paying to manage it often aren't telling them.

The numbers

These are the patterns I've seen across the businesses I've audited. They're not scientific research. They're what I found by actually pulling up real websites, running real tools, and checking things properly.

14%

No SSL certificate, or an expired one. Their site loads over HTTP, meaning everything between the user and the server is sent in plain text.

73%

Failing Google's mobile performance test. Not just slightly under the threshold — properly failing, with scores below 50 out of 100.

61%

No adequate privacy policy. Either missing entirely, or a generic template that doesn't mention the actual cookies and third-party services the site uses.

34%

Domain registered to someone other than the business owner. Usually a former developer, a web agency, or a random contractor's personal email.

41%

No Google Business Profile set up, or one that was claimed years ago and never updated. Missing opening hours, old phone numbers, no reviews.

27%

Paying for SEO or marketing services with zero measurable improvement in organic traffic or search rankings over the past 12 months.

68%

Missing basic security headers. No Content-Security-Policy, no X-Frame-Options, no Strict-Transport-Security. Basics that take minutes to add.

40%

Running an outdated CMS. WordPress sites that hadn't been updated in over a year, with plugins that had known security vulnerabilities.

A few more numbers that came up consistently:

Average page load time: 6.2 seconds. Google recommends under 2.5 seconds. Most of the sites I checked wouldn't even finish loading before the average user gives up and hits the back button.
52% had no XML sitemap and 47% had no robots.txt file. These are the absolute basics of telling search engines your site exists and what to look at.
Over a third had at least one broken link on their homepage. Links to pages that no longer exist, returning 404 errors to anyone who clicks them.

What business owners think vs what I actually find

What they assume	What the audit shows
"My site is secure because it looks professional"	No SSL, no security headers, outdated WordPress with 3 vulnerable plugins
"My developer handles all that"	Domain registered to developer's personal Gmail, not the business
"We're GDPR compliant, we have a privacy policy"	Privacy policy is a 2018 template that doesn't mention Google Analytics, Facebook Pixel, or the cookie consent tool
"Our SEO company is doing great work"	12 months of invoices, zero increase in organic search traffic, changes limited to meta descriptions
"The contact form works fine"	Form submissions going to a full inbox, a deactivated email, or silently failing with a JavaScript error
"We show up on Google"	Only for the exact business name. Not for any service or location term a customer would actually search
"The site loads quickly for me"	8-second load on mobile. Their own fast broadband and cached browser hid the real performance

The worst things I found

I'm not going to name anyone. But these are real situations from real audits, and each one represents a pattern I've seen more than once.

The driving school that didn't own its own website

A driving instructor had been using the same website for about four years. Looked decent. Had his branding on it. He assumed it was his.

When I ran a WHOIS lookup on his domain, it was registered to a contractor's personal Gmail address. The hosting was on that same contractor's account. The instructor had no login credentials for anything — not the domain, not the hosting, not even the email address listed on the site.

If that contractor decided to disappear, or just forgot to renew the domain, the instructor would lose everything. His web address, his email, his search rankings, his online reviews that linked to that domain. All of it. Gone.

He had no idea.

The salon paying £500 a month for nothing

A hair salon was paying a marketing agency £500 a month for "SEO and digital marketing." They'd been paying this for over a year. That's £6,000.

I pulled up their Google Analytics. Organic traffic was flat. Actually, it had gone down slightly over the 12 months. Their Google Business Profile hadn't been touched. The agency's monthly "work" consisted of changing a few meta descriptions and writing one blog post every couple of months that nobody read.

The salon owner thought things were going well because the agency sent a monthly report full of graphs. The graphs showed impressions, not clicks. Impressions don't mean anything. They mean Google showed a result. Nobody clicked it.

£6,000 for meta descriptions.

The tradesman with a broken contact form

A plumber's website had a contact form front and centre. "Get a free quote." He relied on it for leads. The thing is, it had been broken for about six months.

The form still looked fine. You could fill it in and click submit. It even showed a "thanks, we'll be in touch" message. But the backend had stopped working after a plugin update. The submissions weren't going anywhere. They were just vanishing.

Six months of potential customers filling in their details and getting nothing back. He thought business was just quiet. It wasn't. People were trying to contact him and being ignored. Some of them probably called a competitor instead.

The shop sending customer data over HTTP

A small retail business had an online shop. Customers could enter their name, email, address, and phone number to place an order. Standard stuff.

The site had no SSL certificate. Every piece of data customers entered was being sent across the internet in plain text. Unencrypted. Anyone on the same network — a coffee shop, a shared office — could intercept it with freely available tools.

That's not just a technical problem. Under UK GDPR, that's a data protection failure. The business owner had a legal obligation to protect that data, and they weren't. Not out of negligence. They just didn't know. Nobody told them.

Why nobody spots these problems

Business owners aren't web developers. They shouldn't have to be. When they pay someone to build a website or manage their online presence, they trust that person to get it right. That's reasonable.

The problem is that trust is often misplaced. Not because developers are dishonest, but because the relationship usually ends after the build. The developer moves on. The site sits there. Nobody checks it. Updates don't happen. SSL certificates expire. Plugins develop vulnerabilities. Contact forms break. And nobody notices because the site still looks the same.

"It looks fine" is the most dangerous phrase in web development. A site can look perfectly professional while being insecure, non-compliant, slow, and functionally broken. You can't see SSL headers. You can't see a failed form submission from the front end. You can't tell if your domain registration is about to lapse by looking at your homepage.

Agencies have a different problem. They don't audit themselves. The agency that built your site isn't going to send you a report saying "actually, we missed a few things." The agency doing your SEO isn't going to tell you they've achieved nothing in 12 months. They'll send you a report with enough graphs and jargon to keep you paying.

This isn't a rant about agencies being evil. Some are brilliant. But the incentive structure means nobody is checking the checker. And that's where things fall through the cracks.

What you can check right now

You don't need to be technical to catch the most obvious problems. Here are five things you can do in the next ten minutes.

1. Run Google PageSpeed Insights. Go to pagespeed.web.dev and type in your website address. Look at the mobile score. If it's below 50, your site is slow enough to lose you customers. If it's below 30, it's genuinely broken on mobile. Google also uses this as a ranking factor, so a slow site means worse search results too.

2. Check if your site uses HTTPS. Look at your browser's address bar. Does your URL start with https:// or just http://? Is there a padlock icon? If not, your site is not encrypted. That's a security risk for anyone using your site and a ranking penalty from Google. If you take any customer data at all — even just a contact form — this isn't optional.

3. Google your own business name. Open a private/incognito window and search for your business. What comes up? Is your Google Business Profile there with correct details? Does your website appear first? Are the description and page titles accurate? Or does Google show outdated information, a competitor's ad above you, or nothing useful at all?

4. Ask your developer: "who owns my domain?" This is the most important question on this list. Your domain name (yourcompany.co.uk) should be registered in your name, with your email address, on an account you control. If your developer registered it on their personal account, you need to get that transferred. If they push back, that's a red flag.

5. Read your own privacy policy. Actually read it. Does it mention the specific cookies your site uses? Does it name Google Analytics, Facebook Pixel, or any other third-party tools by name? Does it say who your hosting provider is? If it's a generic template that could apply to any website, it's probably not GDPR compliant. The ICO expects specifics.

What a proper audit covers

The free audits I run at StagHill check everything I've talked about here, and more. The report you get back is plain English. No jargon. No scare tactics. Just a clear list of what's good, what's not, and how serious each issue is.

Here's what I look at:

Security: SSL status, security headers, CMS version, known vulnerabilities, exposed admin panels
Performance: Page load times on mobile and desktop, image optimisation, render-blocking resources, Core Web Vitals scores
SEO: Search visibility, meta data, sitemap, robots.txt, structured data, Google Business Profile status
Compliance: Privacy policy review, cookie consent implementation, GDPR basics, accessibility red flags
Ownership: Domain registration details, hosting access, email setup, who actually controls what
Functionality: Contact forms tested, links checked, mobile responsiveness, cross-browser rendering

You get a PDF report. I'll walk you through it on a call if you want. If everything's fine, I'll tell you everything's fine. If there are problems, I'll tell you what they are and what fixing them would involve. There's no obligation and no hard sell.

Most of the issues I find are straightforward to fix. An SSL certificate is free. Security headers take 20 minutes. Transferring a domain takes a few days. The hard part isn't the fix. The hard part is knowing the problem exists in the first place.

That's what the audit is for.

StagHill Software offers free digital audits for UK small businesses at staghillsoftware.co.uk

Want to know what state your website is actually in?

We'll run a full audit and give you a clear, honest report. No jargon, no obligation, no cost. If everything's fine, we'll tell you. If it's not, we'll explain what needs fixing and why.

Request your free audit

← Back to StagHill Software