These are the most common and dire problems that I find on existing client websites that I work on for the first time. Check your website for these issues today, or contact a web developer to do a site audit!
1. Your site is not getting backed up regularly
Non-web developers (and web “designers”) often forget about setting up a backup strategy after their sites have launched. This is like walking a tightrope with no net. After you have invested thousands of dollars, a hack, server failure, or admin error could bring your site down for days, or permanently if you have no backups.
I like to set up at least two backup methods: one automated (at the server level if possible), and one manual, which I do using a plugin.
2. Your backups were never verified
Backups are no good if you can’t restore the site from them. Whenever I work on a new site, I make a backup and bring it up on my local computer to confirm the integrity of the backup archive files. You don’t want to find out that your backups are flawed during an emergency.
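A quick first pass before the full local restore, as an added example (not a script from this post): it assumes the backup is a .tar.gz holding the site files plus a .sql database dump, and the function name verify_backup is made up for illustration. Backup plugins use different archive layouts, so adjust the checks to yours.

```shell
#!/bin/sh
# Added example: sanity-check a WordPress backup archive.
# Assumption: a .tar.gz containing the site files and a .sql dump.
# Usage after sourcing this file: verify_backup /path/to/backup.tar.gz

verify_backup() {
    archive=$1

    [ -s "$archive" ] || { echo "FAIL: archive missing or empty"; return 1; }

    # 1. The compressed stream must be intact (catches truncated transfers).
    gzip -t "$archive" 2>/dev/null \
        || { echo "FAIL: corrupt gzip stream"; return 1; }

    # 2. The tar index must be readable from start to end.
    listing=$(tar -tzf "$archive" 2>/dev/null) \
        || { echo "FAIL: unreadable tar"; return 1; }

    # 3. Pieces a WordPress restore cannot do without.
    for needed in wp-config.php wp-content/; do
        printf '%s\n' "$listing" | grep -F "$needed" >/dev/null \
            || { echo "FAIL: no $needed"; return 1; }
    done

    # 4. A database dump must be present and must define tables;
    #    an empty or header-only dump restores to a blank site.
    dump=$(printf '%s\n' "$listing" | awk '/\.sql$/ && !seen { print; seen = 1 }')
    [ -n "$dump" ] || { echo "FAIL: no .sql dump"; return 1; }
    tar -xzOf "$archive" "$dump" 2>/dev/null | grep 'CREATE TABLE' >/dev/null \
        || { echo "FAIL: $dump has no CREATE TABLE"; return 1; }

    echo "OK: $archive"
}
```

Passing this check only shows the archive is complete and readable; bringing the site up from it on another machine is still the real test.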
3. Your site’s plugins / theme are grossly out of date
When I start looking at a new site that’s been around for a while, it’s not uncommon to find that the plugins and theme haven’t been updated for years. This is one of the most common ways sites get hacked.
4. Your PHP software is out of date
PHP is the server-side language that WordPress is written in. Most non-web developers don’t know anything about PHP, but it needs to be updated every year or two for security reasons. If left un-updated for long enough, things will start to break when you update your plugins and theme.
Actually updating your server is easy; often it’s a button in your hosting control panel. The harder part is testing and fixing issues that come up due to version incompatibilities.
5. Your page sizes are huge due to unnecessarily large image files
Oh boy, I see this SO often. The user has uploaded 5MB photos straight from their camera or phone. The landing page struggles to load due to the bloat. A simple site uses multiple gigabytes of server space.
I manually resize photos before I upload them. For clients, I install a plugin that automatically shrinks down large photos.
If you switch themes, you should regenerate thumbnails so that they are properly sized for the theme; otherwise, the theme might grab the huge un-resized versions.
6. Transactional email not getting sent or delivered reliably
Another super common mistake is not testing a site’s contact form regularly. I commonly find email broken on sites… meaning: no contact form submissions have been received, sometimes for years. The whole purpose of the site has been defeated!!
The most reliable way to send transactional email from a website is to use an SMTP plugin to send email using a real email account (Microsoft, Google, or another third party). Here’s how to set up transactional emailing using a Microsoft or Google mail account.
7. Your contact form email addresses are out of date
Another common problem I find is that the contact form submissions are being sent to someone who left the organization years ago. Another reason for regular testing of your website’s forms!
8. Your site violates web accessibility laws
This is the case for the vast majority of websites out there, and can lead to lawsuits and legal nightmares. The problem is real: trolls are targeting sites (real estate sites at the moment) that don’t meet legal accessibility standards and shaking them down for money.
Check out my web accessibility checklist for more information about this.
9. Your site violates online privacy laws
Does your site display a privacy policy? Is it up to date? Is your site compliant with privacy laws in California and Europe? When I look at sites, many times, the answer to these questions is “no”.
See more information about website privacy here.
10. Your web server is hosting video instead of using a third-party service
Similar to large images, sometimes folks plop a 50MB video file above the fold in their site’s landing page and wonder why it takes forever to load (especially on mobile).
You should upload your videos to a third party like YouTube or Vimeo, and let them stream the video from their servers, not yours.
11. Your site has layout or functional problems on mobile
Despite the mantra of “mobile first”, so many folks (including web designers) seem to only test their sites on desktop. Most sites get the majority of their traffic from mobile devices.
I often find broken functionality or layout problems when testing sites on mobile.
12. You don’t have control over your site’s domain name
This can have catastrophic results, and I’ve seen it more than a few times. Someone in your organization purchased your domain name years ago using their login and credit card. They’re long gone now and no one has access or knows anything about the domain name. One day, the site just disappears and you’ve lost the domain unless you go through a long and painful process to prove that you really do own it.
If your organization has left your domain name ownership in the hands of a third party like your marketing agency… well, here’s what I have to say about that.
13. You don’t have control over your site’s web hosting account
Same deal as the previous item, but for your web hosting.
14. One WordPress login is shared between all users
This is pretty common. All of your employees use the same login to get into the website. This includes ex-employees who no longer work there! Imagine what damage a disgruntled employee who was fired could do to your site!
Give each user their OWN login, and DELETE it when they leave! Do NOT share one login for everyone!
15. Your password / username are weak
Building on the previous issue, I still see “admin” as the username often, with an insanely weak password that could be guessed in a few tries. You know what to do.
16. Your database is bloated and hasn’t been optimized recently (or ever)
Sometimes I come across an older but simple, non-e-commerce site where the database is multiple GB in size due to out-of-control log entries or some other reason. This slows down the site and makes backups tedious. There are plugins that will optimize your database, but make a backup first!
17. Your site/server has no security software installed
Sometimes I come across a site that has no security plugin or server software installed and by some miracle is not hacked yet (oftentimes they are already hacked).
Security software is not a substitute for keeping your plugins, theme, and server updated, but it is a weapon in your battle against hackers.
18. Your site is using unlicensed images or fonts
I used to see this all of the time: whoever made your site just copied images from the first Google search they did. I know someone who did this and got a threatening letter from Getty Images and ended up paying almost $2000 to make the problem go away.
There are lots of sources of legal free stock images. Or, you can pay a little for better-quality images. Do not just copy any images you like on the web!
Ditto all of this for fonts. Just because you own the font on your desktop computer does not mean you have a license to use it on a website. Most of the time, they are different licenses requiring separate payment. More on web fonts.
19. Your site is missing SSL
If you don’t see the lock icon in the browser after your site loads (or if the web address begins with “http” instead of “https”), it means your site doesn’t have SSL (Secure Sockets Layer) security. Often, this is a pretty easy fix if you have access to the server. If you are on GoDaddy, however, you’ll have to pay for the SSL certificate.
20. You haven’t set up analytics / GA 4
Wait, why is this a “critical” issue? Let’s say your boss wants to know the ROI of the website and asks you for the traffic over the last year. If you didn’t have an analytics service already installed on the site, you’re out of luck. Installing analytics now only gets you data starting from today; you can’t get it from the past.
Even if you were diligent and installed Google Analytics, the bad news is that it is going away in July 2023, to be replaced by Google Analytics 4. Now is the time to install GA4 so that you have some data going back in time because your old Google Analytics data will eventually go away.
Conclusion
I hope this list has raised some red flags and prompted you to at least look into some of these issues. Some are easy to do, like testing your contact form today. Some will require research, such as tracking down who actually owns your organization’s domain name. But, you’ll be glad you got these issues squared away now before they become disasters.
Please leave your questions or comments below! – Brian
I am a freelance web developer and consultant based in Santa Monica, CA. I’ve been designing websites using WordPress and from scratch using HTML, CSS, PHP, and JavaScript since 2010. I create websites and web applications for businesses, nonprofits, and other organizations. I have a degree in Electrical Engineering (BSEE) from California Institute of Technology and a degree in Engineering Management (MSEM) from Stanford University.