PLATFORM · 2026-03-13 · 12 min · By Michael Saad

Nine website mistakes I keep finding inside audits I'd rather not run.

After about a thousand site audits, the same nine operational mistakes show up everywhere. They don't show up in agency redesign pitches, because none of them are visible to the eye. Each one quietly bleeds revenue.

I ran an audit last October for a regional services firm that had spent $48,000 the previous year on a site refresh and was watching organic traffic decline anyway. The brief was simple: figure out what's broken, scope the fix.

Forty-two minutes in, we had nine real problems. Not aesthetic ones. Not "your hero copy could be sharper" ones. Nine specific things bleeding revenue the firm couldn't see because none of them are visible to the eye, and the agency that built the site hadn't surfaced any of them in the redesign conversation.

That audit became the template for the list below. After running this same audit about a thousand times over twelve years, the same nine mistakes show up everywhere. None of them are in the obvious-website-rules listicles you've already read. None of them get fixed by another redesign. Each one is quietly costing you leads.

Mistake one: a Largest Contentful Paint over 2.5 seconds on mobile

LCP is the time it takes for the biggest visible element on the page to render. Google ranks it as a Core Web Vitals signal, and prospects abandon based on it whether they know that's what they're doing or not. The threshold for "Good" is 2.5 seconds. For "Poor" it's over 4 seconds.

Most service-business sites I audit are between 3.8 and 5.2 seconds on mobile. The cause is almost always one of three things: a hero image that wasn't compressed (often a 4MB JPG masquerading as a WebP because the export setting was wrong), a third-party tag manager loading sixteen scripts before the page can paint, or a cookie-consent banner that blocks render until the user clicks accept.

The fix is plumbing, not redesign. Compress hero images to under 200KB. Defer non-critical tags. Render the cookie banner without blocking. We hold every site we ship through our managed hosting tier at LCP under 2 seconds, and we monitor every regression inside Orbit so it doesn't drift after launch. Performance is not a launch project. It's a contract.

Mistake two: contact paths that break on mobile

Every audit, I open the site on a phone. About half the time, the primary CTA on the contact page either: requires pinch-zoom to tap, scrolls into the keyboard when the email field is focused, or routes through a third-party form widget that loads after the page is visible, so users tap empty space.

The mobile contact path is the only mobile path that matters on a service-business site. If a prospect can't request a consult on their phone in under thirty seconds, they're going to a competitor's site that lets them.

What we test: tap the primary CTA on every key page. Fill the form on a mid-tier Android phone. Submit and confirm the success state appears without surprise. The whole audit takes ten minutes. Most sites fail at least one step.

Mistake three: forms with no spam protection

The form on the contact page that has no reCAPTCHA, no honeypot field, and no rate limiting. The first month after launch it gets twelve real leads and three spam submissions. The sixth month after launch it gets twelve real leads and four hundred spam submissions. By month nine, the firm stops checking the inbox because every email is a Russian crypto bot. The next real lead sits unread for two weeks.

The fix is a one-line honeypot field plus a server-side validation rule. Five hundred dollars of work, well under an hour for someone who knows what they're doing. We bake this into every site we ship and route form submissions through Hello Automations so spam never makes it to the firm's inbox in the first place.
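The three protections named above (honeypot, server-side validation, rate limiting), as an added example that is not code from this article or from any product it mentions. The field name `website`, the limits and the `screenSubmission` function are assumptions chosen for illustration.

```javascript
// Added example, not the site's own code. Field names and limits are assumptions.
const HONEYPOT_FIELD = "website";   // hidden with CSS in the form; people leave it empty
const WINDOW_MS = 10 * 60 * 1000;   // rate-limit window (10 minutes)
const MAX_PER_WINDOW = 3;           // submissions allowed per client per window
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // also rejects CR/LF (header injection)

// In-memory store for the sketch; production needs a shared store with expiry.
const recent = new Map();           // client key (for example the IP) -> timestamps

function rateLimited(clientKey, now) {
  const hits = (recent.get(clientKey) || []).filter((t) => now - t < WINDOW_MS);
  hits.push(now);
  recent.set(clientKey, hits);
  return hits.length > MAX_PER_WINDOW;
}

function screenSubmission(fields, clientKey, now = Date.now()) {
  // 1. Rate limit first, so a flood is rejected before any other work.
  if (rateLimited(clientKey, now)) return { accept: false, reason: "rate_limited" };

  // 2. Honeypot: any value in the hidden field means a script filled the form.
  if (String(fields[HONEYPOT_FIELD] ?? "").trim() !== "") {
    return { accept: false, reason: "honeypot" };
  }

  // 3. Server-side validation: the browser's checks are advisory only.
  const email = String(fields.email ?? "").trim();
  const message = String(fields.message ?? "").trim();
  if (email.length > 254 || !EMAIL_RE.test(email)) {
    return { accept: false, reason: "invalid_email" };
  }
  if (message.length < 10 || message.length > 5000) {
    return { accept: false, reason: "invalid_message" };
  }
  return { accept: true, reason: "ok", lead: { email, message } };
}
```

Answer a `honeypot` rejection with the normal success page so automated senders get no signal, and log the reason so the limits can be tuned.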

Mistake four: a fifteen-plugin WordPress page builder

Elementor, Divi, WPBakery. Three plugins for sliders. Two for popups. One for caching that fights the one for image optimization. A "site speed" plugin layered over the page builder that broke when the theme updated. Total: sixteen plugins, none of which the firm understands, half of which are out of date, and the whole stack falls over when WordPress core updates.

I am not anti-WordPress. We ship WordPress for clients whose editorial team works there daily, and we do it cleanly. But a WordPress install with a page-builder Frankenstein on top is structurally hostile to performance, security, and maintainability. Every audit I run on a stack like that finds two or three actively-exploited vulnerabilities, three or four broken redirects from prior plugin migrations, and a load time over four seconds.

If your site is on this stack, you don't need a redesign. You need a rebuild on the right platform for your team. Sometimes that's still WordPress (clean, with a custom block library instead of a page builder), sometimes Next.js, sometimes Sitefinity. The platform decision is the engineering decision. The aesthetic decision is downstream.

Mistake five: analytics that don't actually work

The number of GA4 properties I audit that aren't tracking what the firm thinks they're tracking is a wonder. The most common patterns:

The GA4 property is collecting events but the conversions aren't configured. The firm thinks they have a 4 percent conversion rate. The dashboard says they have a 0 percent conversion rate. Nobody noticed because the report was being skimmed for traffic, not analyzed for outcomes.

Two GA4 properties are running on the same site, splitting traffic randomly between them. The firm sees half the data on each. Neither is the truth.

The Google Ads tag is firing on the page-load event instead of the form-submit event, so every page view counts as a conversion. The bidder is optimizing against page views. The CPL on paper looks impossibly good. The CPL on closed cases is six times higher than reported.

Setup audits take 90 minutes. The fixes take a day. Neither is on the agency redesign quote.

Mistake six: schema markup that's wrong or missing

Schema (structured data) is the JSON-LD blob that tells search engines what kind of entity the page represents. Service business, lawyer, restaurant, healthcare provider, clinic. With clean schema, the page is eligible for rich results, knowledge panel features, and AI Overview citations. Without schema, the page is just text on a URL.

The problem isn't that most sites don't have schema. It's that the schema they have is wrong. Generated by an SEO plugin that didn't know which entity type to use. Marking up the homepage as Organization when it should be LocalBusiness plus LegalService. Or shipping schema with required fields missing, which Google's structured-data testing tool will flag but the firm has never run.

We rebuild schema from scratch on every site we ship and run it through Google's Rich Results test before launch. The lift on AI Overview citations and rich snippets in the local pack alone is worth the work. SaVida Health saw a 9 percent lead lift through the AI Overviews collapse in part because the entity-clean schema kept their content cited even as classic SERPs lost real estate to AI summaries.

Mistake seven: invisible 404s and broken redirects

Every site has them. The image moved when the CMS migrated and the path is now a 404. The blog post that was retired three years ago still has thirty-seven inbound backlinks. The redirect rule that was supposed to fire from /old-services/ to /services/ never got deployed.

What we run: a full-site crawl with Screaming Frog and an all-status-code report, to identify every 4xx and 5xx the site is serving and every internal link pointing to one. For a typical service-business site under a hundred pages, the audit finds between fifteen and sixty broken paths.

The fix is a one-time redirect map deployed at the edge or in next.config.mjs. Half a day of work. The lift in crawlable-link equity and user trust is meaningful and immediate.
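Before a redirect map like this is deployed, it is worth checking it for chains, loops, dead destinations and off-site targets. The following is an added example, not code from this article; `buildRedirects` and the sample paths are constructed for illustration, and the output objects use the `source` / `destination` / `permanent` shape that the `redirects()` function in next.config.mjs returns.

```javascript
// Added example: validate and flatten a redirect map before deploying it.
// Strip trailing slashes so "/services/" and "/services" compare equal.
const norm = (p) => p.replace(/\/+$/, "") || "/";

function buildRedirects(map, livePaths) {
  const table = new Map(Object.entries(map).map(([s, d]) => [norm(s), norm(d)]));
  const live = new Set([...livePaths].map(norm));
  const redirects = [];
  const problems = [];

  for (const source of table.keys()) {
    const seen = new Set([source]);
    let dest = table.get(source);
    let loop = false;
    // Follow the chain to its end so every old URL resolves in a single hop.
    while (table.has(dest)) {
      if (seen.has(dest)) { loop = true; break; }
      seen.add(dest);
      dest = table.get(dest);
    }
    if (loop) {
      problems.push({ source, issue: "loop" });
    } else if (!/^\/(?!\/)/.test(dest)) {
      // Only same-site paths: rejects "https://..." and protocol-relative "//host".
      problems.push({ source, issue: "off-site destination" });
    } else if (!live.has(dest)) {
      problems.push({ source, issue: "destination is not a live page" });
    } else {
      redirects.push({ source, destination: dest, permanent: true });
    }
  }
  return { redirects, problems };
}

// Constructed sample data (not from a real crawl).
const SAMPLE_MAP = {
  "/old-services/": "/services-2021/",
  "/services-2021/": "/services/",
  "/team-old": "/about/team",
  "/a": "/b",
  "/b": "/a",
  "/promo": "//cdn.example.net/promo",
};
const SAMPLE_LIVE = ["/", "/services/", "/contact/"];
```

Running `buildRedirects(SAMPLE_MAP, SAMPLE_LIVE)` yields two deployable single-hop redirects and four flagged entries to fix by hand.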

Mistake eight: a Google Business Profile that's been dormant for a year

This isn't strictly a website mistake but it's the highest-leverage thing on the local-search side, so it ships in the same audit. The GBP that was claimed at launch and then forgotten. The categories were fine three years ago. The hours have been wrong since the firm changed its lunch break. The Q&A section has questions that haven't been answered. Reviews from 2022 sit unresponded.

In the local pack, GBP activity beats backlinks. We treat the profile like a publishing surface: weekly posts, every review answered within 24 hours, services and service areas refreshed seasonally. We track all of it inside Orbit so the cadence doesn't drift. The lift in local-pack visibility from doing this for ninety days is consistent and measurable.

Mistake nine: no closed-loop attribution from CRM back to ads

I covered this in detail in the conversion attribution piece, but it shows up in every audit so it has to be on this list. The Google Ads account is optimizing against form submissions because nobody wired the close (or lose) signal from the CRM back to the bidder.

Half the form submissions are unqualified. The bidder learns to find more unqualified leads. The CPL on paper looks fine. The CPL on closed cases is structurally higher than it should be. We saw this at our family law client before we wired offline conversion uploads from the case management system. The CPL on closed cases dropped from outlier-bad to outlier-good ($62.79 against a state average of $180-$260) once the bidder finally saw the right signal.

What this audit costs

Running the nine-point audit above on a typical service-business site takes about half a day. The fixes break down into roughly:

  • Performance + LCP work: $1,500 to $4,000 depending on platform
  • Mobile contact path fixes: under $1,000
  • Spam protection: under $500
  • Analytics / GA4 / Ads tagging cleanup: $2,000 to $5,000
  • Schema rebuild: $1,500 to $3,000
  • 404s + redirect map: $500 to $2,000
  • GBP reactivation + 90-day program: $2,500/month
  • Closed-loop attribution: $3,000 setup, then ongoing

If your site has all nine of these issues, you're looking at $15,000 to $20,000 in fixes. That's a third of what a typical agency redesign quote runs, and it addresses the actual revenue leak. If you only have three or four of the issues, the bill is a tenth of a redesign and the impact on cases-closed is roughly the same.

The reason this list of mistakes is mostly invisible isn't that it's secret. It's that it doesn't fit the agency redesign pitch. None of the items above show up in a Figma file. None of them sell easily as "we'll redesign your site." They show up in the boring middle layer (instrumentation, hosting, plumbing) that the firm has been quietly underspending on for years while overspending on the visible layer.

If any of the nine resonate, the next step is the same audit on your own site. Half a day. We do this for two to four service businesses a year as a free entry point. The audit is yours either way. If it surfaces work we can do, we'll scope it honestly. If it surfaces work that's better handled by a contractor or in-house, we'll point you there.
