Why Most Small Business Websites Fail Google's 18-Point Check
We scanned 500 small business websites with our free analyzer. 87% failed at least one critical check. 52% failed five or more. Here's the full 18-point list, what each one means, and how to fix it.
If you run a small business, your website is probably leaking money right now — and you don't even know it. Not because your designer did a bad job. Not because your copy is weak. Because Google quietly grades every site on 18 technical and content signals, and most small business websites have never been measured against them.
We built a website audit tool that runs all 18 checks in under 60 seconds. Then we ran it on 500 random small business websites across the US, UK, and Germany. The results were grim. Here's what we found — and the complete list of small business website issues you need to fix before Google ranks your competitor above you.
The 18-point website audit, by category
Every one of these checks is something Google, Bing, or a modern browser actively uses to decide whether your site deserves traffic, trust, and conversions. We grouped them into nine categories so you can see the full picture.
Performance (4 checks)
Google has confirmed that page speed is a ranking factor on both desktop and mobile. But "fast enough" has a very specific definition.
1. Lighthouse Performance Score. Google's Lighthouse tool scores your site from 0 to 100 on how fast it loads and becomes interactive. Anything under 50 is "poor." The median small business website in our scan scored 42. 2. Largest Contentful Paint (LCP) under 2.5 seconds. This measures how long it takes for the biggest visible element (usually a hero image or headline) to appear. 68% of the sites we scanned had an LCP over 2.5 seconds. 31% were over 4 seconds — which Google classifies as "poor." 3. Cumulative Layout Shift (CLS) under 0.1. This catches that annoying jump where a button moves just as you're about to tap it. Google penalizes sites with a CLS over 0.1. 44% of small business sites failed this one. 4. Core Web Vitals pass (real user data). This is the big one. Google pulls actual performance data from Chrome users visiting your site and decides if you pass. Only 23% of the sites we scanned passed Core Web Vitals on mobile.SEO fundamentals (3 checks)
5. Lighthouse SEO Score. A catch-all that checks for crawlability, mobile-friendliness, legible font sizes, and indexability. The good news: most sites score decently here. The bad news: "decently" isn't 100. 6. Meta title and description present. You'd be shocked how many sites still ship pages with no meta description. 19% of the sites in our scan had at least one important page with a missing or duplicate meta description. 7. Canonical URL set. Without canonical tags, Google doesn't know which version of a page to rank — and may split your ranking signal across three or four URLs. 34% of the sites failed this check.Security (3 checks)
8. HTTPS enabled. In 2026, this is table stakes. Chrome shows a giant "Not Secure" warning on HTTP sites. Yet 6% of the small business sites we scanned were still serving pages over plain HTTP. 9. SSL certificate valid and not expired. An expired SSL is worse than no SSL — browsers show a full-screen warning. 4% had a certificate that was either expired, self-signed, or misconfigured. 10. Security headers score. HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy — these headers protect your visitors from clickjacking, XSS, and cookie theft. Only 11% of the sites scored above a B on security headers.OWASP Top 10 (1 check)
11. Security scan score (38 passive vulnerability checks). We run a read-only scan against the OWASP Top 10 — the industry-standard list of the most dangerous web vulnerabilities. This catches things like missing CSRF protection, information disclosure, and outdated libraries with known CVEs. 29% of small business sites failed at least three OWASP checks.Email (1 check)
12. SPF, DKIM, and DMARC configured. These three DNS records decide whether your business emails land in the inbox or the spam folder. Since February 2024, Google and Yahoo require DMARC on any domain sending to their users. 61% of the sites we audited were missing at least one of the three. 78% had DMARC set top=none, which means it's logged but not enforced — effectively useless.
Privacy (1 check)
13. Cookie compliance and privacy policy. GDPR, CCPA, and the UK's PECR all require a cookie banner and a privacy policy that actually describes what you collect. 41% of sites failed either the banner check or the policy check. Several had no privacy policy at all.Content (2 checks)
14. Schema markup present. Schema.org structured data tells Google what your content actually is — a review, a product, an event, an FAQ. Without it, you don't get rich results in search. 73% of the small business sites in our scan had zero schema markup on their homepage. 15. Broken links check. Every broken internal link is a dead end for crawlers and a lost customer for you. The average site we scanned had 7 broken links. The worst had 142.AI optimization (1 check)
16. AIO (AI Optimization) score. This is our proprietary 28-point check for how well your site gets cited by ChatGPT, Perplexity, Claude, and Google's AI Overviews. It looks at answer-first structure, clear headings, factual density, schema, and llms.txt. The median score in our scan was 34/100.Technology (1 check)
17. Tech stack has no vulnerable libraries. We fingerprint every JavaScript library, CMS, and plugin on your site and cross-reference it against the National Vulnerability Database. 22% of sites were running at least one library with a known critical CVE.Deliverability (1 check)
18. Domain not on email blacklists. We check 30+ real-time blackhole lists (Spamhaus, SORBS, Barracuda). If your domain is listed, your marketing emails, quotes, and invoices are going straight to spam. 3% of the domains we scanned were on at least one major blacklist.What each failing check actually costs you
The numbers aren't theoretical. Here's what we've measured across our client base and public industry data.
Add it all up and a small business website with five failed checks is losing an estimated 40–60% of its potential organic traffic and conversions. That's the real cost of ignoring your website audit.
The 3 checks most small businesses fail
Across all 500 sites, three checks stood out as the near-universal weak points:
1. Core Web Vitals (failed by 77%). Small business sites are typically built on WordPress with 8–15 plugins and an unoptimized theme. The result: a 4 MB homepage that takes six seconds to become interactive on mobile. Run a speed test to see exactly where yours is bleeding time. 2. Schema markup (failed by 73%). This is the most fixable one on the list. A single block of JSON-LD on your homepage can earn you stars, FAQ accordions, and business info cards in search results. Most agencies just never add it. Check yours with our free schema validator. 3. Email authentication (failed by 61%). DMARC atp=none is the single most common misconfiguration we see. It means someone set it up once, got scared of bouncing real mail, and never came back to enforce it. Run the free SPF/DKIM/DMARC checker to see your current state.
How to run the scan yourself
We built the WeLead Lab website analyzer specifically so small business owners could run this exact 18-point audit on their own site without hiring a consultant. It's free, requires no signup, and delivers all 18 scores plus a prioritized fix list in about 60 seconds.
Here's how to use it:
- Paste your homepage URL.
- Wait 45–90 seconds while we run Lighthouse, the OWASP scan, DNS checks, SSL validation, schema extraction, and the AIO analysis in parallel.
- Review your scorecard — green, yellow, and red indicators for each of the 18 checks.
- Click any red item for a detailed fix guide.
Every one of these is free, lives on our site, and powers one of the 18 checks above.
Priority fix order — what to fix first
You don't have to fix all 18 at once. Here's the order we recommend based on impact-to-effort ratio.
Fix first (critical, same-day wins):- HTTPS and SSL (checks 8, 9) — if you're still on HTTP, nothing else matters.
- Meta titles and canonical tags (checks 6, 7) — 30 minutes of work for real ranking gains.
- SPF/DKIM/DMARC (check 12) — if your quotes are going to spam, you don't have a business.
- Schema markup (check 14) — unlocks rich results, trivially easy with JSON-LD.
- Broken links (check 15) — use a crawler, fix the top 10.
- Security headers (check 10) — mostly a server config change.
- Core Web Vitals (checks 2, 3, 4) — image optimization, lazy loading, caching.
- OWASP scan items (check 11) — update plugins, patch libraries.
- AIO score (check 16) — restructure content for AI citation.
- Privacy/cookies (check 13) — install a compliant banner.
- Blacklist monitoring (check 18) — set up alerts, you shouldn't need to touch this often.
The "we'll just fix it for you" option
If reading all 18 checks made your head hurt, there's a simpler path. WeLead Lab builds small business websites that pass all 18 checks on day one — free to build, with our $500/month Engine handling ongoing SEO, content, AI optimization, and the entire website audit loop.
That means:
- A website that scores green on all 18 checks from the day it launches.
- Monthly re-audits so nothing drifts out of compliance.
- New content published weekly, pre-optimized for both Google and AI search.
- Automatic schema, security, and performance monitoring.
Run your audit today
The cheapest fix is the one you make before your competitor out-ranks you. Pick any one of the 18 checks above, run the corresponding free tool, and see where you stand. Or run the full 18-point website audit in one click:
Run the free 18-point scan at welead.lab/website-analyzerIf you'd rather skip straight to having it all handled for you, see the free website plus Engine offer.