5 Signs Your WordPress Website Is Costing You Customers

A client recently asked us why their enquiries had dried up. The site looked fine to them — same design, same content, nothing obviously broken. Then we opened it on a phone with mobile data. Eight seconds to load. The contact form sent submissions into a void. Half the service pages were missing from Google. They had been losing leads every day without knowing it.

This post covers five specific, fixable problems that push customers away from WordPress websites. Each one is something we find regularly when auditing sites. For each sign, we’ll tell you how to check it yourself and what a fix actually involves.

Sign 1: Your Site Takes More Than 3 Seconds to Load

Google’s research shows that 53% of mobile users abandon a page that takes longer than 3 seconds to load. For a small business site getting 500 visits a month, that could mean hundreds of visitors leaving before they see anything — not because they weren’t interested, but because they ran out of patience.

How to check it: Open your site on your phone using mobile data (not WiFi) and count. Or use PageSpeed Insights — anything below 50 on mobile is a problem, below 70 needs attention.

Common causes on WordPress sites

• Unoptimised images: A single 3MB hero image can add 2+ seconds. Converting to WebP and lazy-loading images below the fold typically brings this under control.
• Too many heavy plugins: It’s not the count that matters — 50 lightweight plugins can outperform 10 bloated ones — but poorly built plugins that run expensive queries on every page load are a common culprit.
• No caching: WordPress generates pages dynamically. Without object caching (Redis or Memcached) and page caching, every visit hits the database from scratch.
• Shared hosting: If your site shares a server with hundreds of others, you’re competing for resources. A move to a VPS or properly configured managed host often significantly improves load times.

We audited one client site running on shared hosting with unoptimised images and no caching layer. Load time: 8.2 seconds on mobile. After moving to a dedicated server, enabling Redis, and compressing images: 1.4 seconds. Same content, same design. See our WordPress speed optimisation checklist for a step-by-step breakdown of the full process.

Sign 2: Your Site Looks Broken on Mobile

More than 60% of web traffic is mobile. If your site works beautifully on desktop but has overlapping text, cut-off buttons, or a navigation menu that requires a magnifying glass on a phone — you’re turning away the majority of your visitors.

How to check it: Open your site on an actual phone, not the browser’s “responsive mode.” Check every page a customer would visit: homepage, contact page, key service pages. Tap every button and link.

What to look for

• Navigation that’s hard to open or use with a thumb
• Text that runs off the edge of the screen
• Buttons that are too small to tap accurately (under 44px height)
• Forms where the keyboard covers the input fields
• Horizontal scrolling — almost always a sign something is broken

Many of these issues come from themes built for desktop and never properly adapted for mobile. Older WordPress themes (pre-2020) often have this problem. A modern block theme built with mobile-first CSS handles this automatically; a page builder theme from 2018 may not.

Sign 3: Your Contact Form Doesn’t Work (or Goes to Spam)

This one is invisible to you unless you test it. A customer fills in your contact form, clicks submit, sees a confirmation — and you never receive the email. It can go on for months.

How to check it: Fill in your own contact form using a personal email address. Wait 10 minutes. If you don’t receive the submission, check your spam folder. If it’s not there either, your email delivery is broken.

Why this happens

WordPress uses PHP’s built-in mail function by default, which most modern email providers reject or silently drop. The standard fix is an SMTP plugin — WP Mail SMTP is the most widely used — configured to send through your actual email provider (Gmail, Outlook, or your hosting provider’s SMTP server).

There’s a layer beyond that worth knowing: even with SMTP in place, Microsoft 365 and Google Workspace run aggressive spam filters that reject mail from domains without properly configured SPF, DKIM, and DMARC records. These are DNS entries that prove your domain is authorised to send email. If they’re missing or misconfigured, your form submissions route to spam even with SMTP set up correctly. Your hosting provider or a DNS tool like MXToolbox can show you whether yours are in order.

Forms also break silently after WordPress core updates or plugin version changes that alter how wp_mail() is hooked — and after host migrations that change the server’s mail configuration. Testing your form after any significant update is a good habit.

Sign 4: You Haven’t Updated WordPress, Your Theme, or Plugins in Months

Outdated WordPress sites are the most common target for automated attacks. Bots scan the web continuously for known vulnerabilities in specific plugin versions. When they find a match, exploitation is automated — no human involvement required.

How to check it: Log into your WordPress dashboard. Pending update notices that have been sitting there for weeks are a maintenance problem. Also check Google Search Console for manual action warnings — compromised sites often receive them before the owner notices anything wrong.

How to spot a compromised site

• Unfamiliar admin users: Go to Users → All Users in your dashboard. Any accounts you don’t recognise — especially with administrator role — are a red flag.
• Unexpected files in uploads: Attackers often drop PHP shells into /wp-content/uploads/ where they blend in with media files. If you have server access, a quick find wp-content/uploads -name "*.php" should return nothing.
• Google Search Console warnings: GSC sends email alerts for manual actions and security issues. If you’ve never verified your site in GSC, that’s a separate gap worth closing.
• Visitors reporting redirects: If customers mention being sent to unrelated sites, your site is almost certainly compromised and actively serving malware.

The business risk

• Site defacement: Attackers replace your homepage — customers see it before you do
• Silent redirects: Your site sends visitors to spam or adult content; Google blacklists you within days
• Data exposure: A WooCommerce store breach with customer data is a GDPR incident
• Hosting suspension: Most hosts suspend sites serving malware without warning

We run monthly maintenance updates for clients — WordPress core, all plugins, all themes — with a pre-update backup so there’s always a clean restore point. It’s not glamorous work, but it’s the difference between a site that keeps running and one that gets you a panicked call on a Friday afternoon.

Sign 5: Your Checkout or Booking Flow Has Unnecessary Friction

For WooCommerce stores and sites with appointment booking, every extra step between “I want this” and “I’ve paid” costs conversions. Cart abandonment averages around 70% across e-commerce — and a significant share of that is friction the site owner added without realising it.

How to check it: Go through your own checkout or booking process as a new customer, on a phone. Count the pages and required fields between “Add to Cart” and “Order confirmed.”

Common friction points

• Forced account creation: Requiring customers to register before buying is the single biggest driver of checkout abandonment. Always offer guest checkout.
• Too many form fields: WooCommerce’s default checkout collects both billing and shipping addresses, phone, email, and more. For digital products or local delivery, half of these are irrelevant — remove them.
• Missing local payment methods: In Belgium and the Netherlands, a checkout without Bancontact or iDEAL loses a significant share of customers who prefer not to use a card online. Stripe and Mollie both support local payment methods with minimal setup. Similarly, markets in Southeast Asia expect options like GoPay, OVO, or PromptPay — a checkout that only offers cards will underperform in those regions.
• No trust signals at checkout: An SSL padlock isn’t enough. Customers need to see payment provider logos, a return policy summary, and a contact option before entering card details on a site they found last week.

See our WooCommerce development services for how we approach checkout optimisation for SME stores.

What to Do Next

None of these fixes require a full redesign. Most take hours, not weeks. The audit is the starting point — knowing what’s broken before deciding what to fix.

If your site has more than one of these issues, the combined effect compounds: a slow site with a broken contact form and outdated plugins is losing customers at every stage, not just one. Fixing all five together often produces a more noticeable result than any single fix alone.

Start here, today

• Run your site through PageSpeed Insights — free, and gives you a prioritised list
• Send yourself a contact form submission right now
• Open your WordPress dashboard and check for pending updates
• Go through your checkout on a phone
• Check Users → All Users for any accounts you don’t recognise