Why We Give Away Full Website Audits for Free (And Why We Mean It)

Every agency offers a "free audit." Most of them are automated scans dressed up in a PDF with a logo on top. They find just enough problems to scare you, then hit you with a quote. That is not what we do. Here is what we actually do, and why.

What do you actually check in a free audit?

This is not a plug-and-play template scan. We do not paste your URL into an online tool and reformat the output. Every audit is done manually by a senior developer looking at your actual website, testing it the way a real user and a real attacker would.

Here is what gets checked:

• Security headers — HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. These are the first line of defence against common attacks, and most small business sites have none of them.
• SSL/TLS configuration — Is your certificate valid? Is it configured properly? Are outdated protocols still enabled? A padlock in the browser bar does not mean your setup is secure.
• GDPR compliance — Tracking scripts, cookie consent banners, privacy policy, data retention practices. We check what your site is actually sending to third parties, not just what your cookie popup claims.
• Page speed and Core Web Vitals — Google uses these as ranking signals. If your site takes four seconds to load on mobile, you are losing visitors and search visibility at the same time.
• Mobile responsiveness — How does your site actually look and behave on a phone? Not just "does it technically fit on the screen" but "can someone actually use it?"
• SEO fundamentals — Meta tags, heading structure, structured data, sitemap, robots.txt, canonical URLs. The basics that most site builders get wrong or skip entirely.
• Accessibility — Colour contrast, alt text, form labels, keyboard navigation, heading hierarchy. Under the Equality Act 2010, your website needs to be usable by everyone.
• Domain and hosting setup — Who actually owns your domain? Is it registered in your name or your developer's? What are you paying for hosting and is it appropriate for your traffic levels?
• Monthly spending review — What tools, plugins, subscriptions, and services are you paying for? Are they doing anything? We regularly find businesses spending hundreds a year on SEO tools, security plugins, or premium themes that add no value.
• Search engine presence — Are you showing up in Google and Bing? Is your Google Business Profile claimed and accurate? Are there indexing problems stopping your pages from appearing in search results?
• Competitor comparison — How does your site stack up against others in your industry and area? Not a vanity exercise — a practical look at where you are behind and where you are already ahead.

Every issue we find is rated by priority — critical, important, or worth knowing. Each one comes with a plain-English explanation of why it matters and what to do about it. No jargon for the sake of jargon. If we say "your Content Security Policy is missing," we also explain what that means in practice and what the fix looks like.

Why would you do all that for free?

Because the UK small business world is full of people getting quietly ripped off, and most of them do not know it.

I have seen businesses paying thousands a year for tools that do nothing. I have seen sites with security holes that would take ten minutes to fix. I have seen GDPR violations that could lead to ICO fines, sitting there for years because nobody checked. I have seen developers who register the client's domain in their own name, so the business owner cannot leave without losing their web address.

If I can spend a couple of hours and save someone from a hack, a fine, or just stop them wasting money — that is worth doing whether they hire me or not.

I come from financial services. In that world, security is not optional and compliance is not a suggestion. Bringing that same standard to small business websites is not charity. It is just doing the job properly.

Most small business owners are not technical. They trusted someone to build their site and they have no way of knowing if that person did a good job. The audit gives them that knowledge. What they do with it is up to them.

What is the catch?

There is not one. I know that sounds like something someone with a catch would say, so let me be specific:

• The report is yours. Keep it, share it, give it to another developer. It is your website and your data.
• I do not need your login details. Everything is checked from the outside, the same way a hacker would look at your site. You do not need to hand over credentials to get an audit.
• I will not call you repeatedly. You will get the report by email. If you want to talk about it, great. If you do not, that is also fine. I am not going to chase you.
• If your site is in good shape, I will tell you that. I am not going to invent problems to justify a quote. If the honest answer is "your site is fine, maybe update your privacy policy wording," then that is what the report will say.

Obviously I hope that some people who get the audit will want help fixing what I find. That is how the business works. But the audit has to stand on its own as something genuinely useful, or there is no point doing it. A scared customer is not a good customer. An informed one is.

What if I just need one small thing fixed?

Then I will tell you how to fix it yourself.

If turning on two-factor authentication on your Microsoft account is all you need, I will walk you through it in the report. Step by step, with screenshots if it helps. I am not going to charge you for something you can do in five minutes.

If the fix is something more involved — a security header configuration, a GDPR setup, a page speed overhaul — I will quote a fixed price for that specific job. You will know exactly what it costs before you agree to anything.

No retainers. No monthly contracts. No lock-in. If the job takes two hours, you pay for two hours. If it takes ten minutes and you can do it yourself, I will show you how and that is the end of it.

Why does this matter for UK small businesses?

There are 5.5 million small businesses in the UK. They are the backbone of the economy. Most of them do not have a technical person on staff. They rely on whoever built their website to be honest with them, and too often that trust gets abused.

I have met business owners who were told they needed a £5,000 website rebuild when the real problem was a misconfigured caching plugin. I have met people paying £200 a month for "SEO services" that amounted to a single automated report they could generate themselves for free. I have met people who did not know their site was sending visitor data to Facebook because a previous developer installed a tracking pixel and never mentioned it.

None of these people are stupid. They are busy running their businesses. They trusted the wrong person, or they never had anyone to trust in the first place.

I am not trying to build an empire. I am trying to make sure that the local plumber, the independent cafe, the one-person consultancy — they are not getting ripped off, they are not sitting on a security vulnerability, and their website is actually helping their business instead of just existing.

If every small business in the UK had a properly secured, GDPR-compliant, fast-loading website, the internet would be a better place. We are a long way from that. But every audit gets us one step closer.

How do I get a free audit?

Go to staghillsoftware.co.uk, fill in the form, and you will get a full report within a few days. No payment details. No commitment. No follow-up calls unless you want them.

If you have questions before you submit, that is fine too. The form lets you tell me what you are most worried about, and I will make sure the audit covers it.

If you know another small business owner who could use this, send them the link. The offer is open to any UK small business with a website.