Databending
What AI Vibe Coders Miss: The Unglamorous Website Basics That Sink Real Businesses
Published July 10, 2026
Author Will Coulter
Start a Project →

What AI Vibe Coders Miss: The Unglamorous Website Basics That Sink Real Businesses

AI tools can build you a website in an afternoon. What they won't build: working SEO, accessibility, a privacy policy, secure API keys, or a 404 page that doesn't embarrass you. Here's what vibe-coded sites are missing, and why it costs Canadian businesses real money.

⚡ Quick Summary (TL;DR)

AI coding tools are genuinely good at making websites that look finished. They are consistently bad at everything you can't see in a screenshot: SEO fundamentals, performance, accessibility, testing, security, and the legal pages Canadian businesses are required to have. Veracode found AI-generated code introduces security vulnerabilities in 45% of tasks, and we see the same pattern in vibe-coded sites that Ontario businesses bring to us for rescue. This post is the checklist of what's usually missing.

A few times a month now, someone calls our Windsor studio with a version of the same story. They described their business to an AI tool, watched it spit out a genuinely nice-looking website, hooked up a domain, and moved on with their life. Three or four months later they’ve noticed something: nobody is finding the site. Or a customer mentioned the contact form doesn’t work. Or, in one memorable case, a competitor pointed out their Google result said “Vite + React” instead of their business name.

This is vibe coding. The term comes from AI researcher Andrej Karpathy, who coined it in early 2025 to describe building software by telling an AI what you want and accepting whatever comes back, without really reading the code. For prototypes and weekend projects, it’s honestly great. I use these tools daily. We build with AI assistance at Databending too, and anyone who says otherwise in 2026 is probably lying.

The problem isn’t the AI. The problem is what happens when “it looks done” gets confused with “it is done.” A website that loads in a browser is maybe 60% of a website that works for a business. The other 40% is invisible, unglamorous, and exactly the part AI tools skip, because you never asked for it and it doesn’t show up in the preview window.

Here’s what’s usually missing, from the merely expensive to the genuinely dangerous.

The basics: SEO, performance, accessibility, testing

SEO that actually exists

Vibe-coded sites tend to ship with no title tags, no meta descriptions, a missing or default favicon, no sitemap, no robots.txt, no canonical URLs, and no structured data. Every page is often titled the same thing. Sometimes the whole site is one JavaScript bundle that renders client-side, which means what Google’s crawler sees first is an empty div.

None of this is exotic. It’s the stuff we cover in our list of common SEO mistakes, and it’s been table stakes for a decade. But an AI tool building from the prompt “make me a landscaping website” has no reason to add it, and the person prompting has no reason to know it’s missing. The site looks identical either way.

The timing makes this worse than it used to be. As we wrote after Google I/O 2026, AI search agents are now reading your site and deciding whether to recommend your business before a human ever visits. A site with no structured data, no clear service descriptions, and no crawlable content isn’t just ranking poorly. It’s invisible to the systems that increasingly decide who gets the customer. If you’re a landscaper in Windsor or a clinic in Toronto competing for local searches, the businesses that show up are the ones whose sites machines can actually read.

Performance

AI tools love dependencies. Ask for a simple animation and you might get three libraries. Ask for a photo gallery and you’ll get 4MB hero images served at full resolution to phones. The result is a site that scores in the 40s on PageSpeed and takes five seconds to become usable on a mobile connection.

That costs money in a very direct way. 63% of visitors bounce from pages that take over four seconds to load, and ecommerce conversion rates drop from around 3% at a one-second load to under 1% at four seconds. We went deeper on this in our post on load times and conversions, but the short version is: every second of bloat is a percentage of your revenue, and vibe-coded sites are bloated by default because nobody ever profiled them.

Accessibility

This one has legal teeth in this province. Ontario’s AODA requires many organizations to meet WCAG 2.0 Level AA, and we’ve written a full guide on AODA compliance for Ontario small businesses. AI tools do not build to it. The 2026 WebAIM Million report found that 95.9% of the top million home pages have detectable WCAG failures, averaging 56 errors per page, and the number got worse this year for the first time in seven years. WebAIM also found that pages using ARIA attributes, which AI tools sprinkle everywhere because it looks thorough, actually average more errors than pages without them.

Low-contrast text, unlabelled form fields, missing alt text, div-buttons that keyboards can’t reach. A vibe-coded site typically has all of them. That’s lost customers (roughly a quarter of Canadians live with a disability), legal exposure in Ontario, and weaker SEO, since Google reads the same signals.

Testing

Nobody tests a vibe-coded site. Not on Safari, not on an actual Android phone, not with the form submitted empty, not with a payment declined. The AI wrote it, the preview looked right, ship it.

We learned the value of proper testing the expensive way, launching our first client app through Apple’s review gauntlet, and it changed how we build everything. Real testing on real devices is boring and it works. If you want a sense of what it costs when done professionally, we broke that down for ecommerce in our real user testing post. What it costs when not done is a contact form that’s been silently failing for four months while you wondered why leads dried up.

Security and infrastructure: where it stops being funny

Everything above costs you customers. This section is where vibe coding starts costing people their data.

Veracode tested over 100 AI models on 80 coding tasks and found AI-generated code introduced security vulnerabilities in 45% of them, with cross-site scripting protections failing 86% of the time. And their Spring 2026 follow-up found the newest models aren’t better. This isn’t a growing pain that the next model release fixes. It’s structural: the AI writes code that works, and “works” and “is secure” are different properties.

The real-world incidents are piling up:

The most common failure we see on sites people bring us is the simplest one: API keys pasted directly into frontend code. The AI needed a key for Google Maps, or OpenAI, or a payment provider, so it put the key where the code is, and where the code is, in a browser app, is public. Anyone can open developer tools and read it. Hardcoded secrets leaked in public GitHub commits jumped 34% in 2025, the largest single-year increase on record, driven substantially by AI-generated code. Best case, someone runs up your OpenAI bill. Worst case, that key touches customer data.

Then there’s infrastructure that simply nobody set up: no backups, no staging environment (edits go straight to the live site), no SSL renewal plan, DNS held together with tape, and databases with no access rules because the AI’s default was “allow everything so the demo works.” We wrote a fuller plain-English rundown in our small business website security guide, because this deserves more than a section.

The boring pages nobody prompts for

Ask an AI for a website and you’ll get a homepage, an about page, maybe services and contact. You will not get the pages that make a site legitimate, because nobody ever types “and also a privacy policy” into the prompt box.

A real 404 page. Type a wrong URL on a vibe-coded site and you’ll usually get a blank white screen, a raw error, or the framework’s default. It sounds trivial. It isn’t: broken links happen constantly (old bookmarks, typos in ads, pages you renamed), and a dead-end error page loses that visitor and tells Google’s crawler your site is janky. A decent 404 page takes twenty minutes and says “we’re a real operation.”

A privacy policy. In Canada this is not optional decoration. PIPEDA applies to basically any business collecting personal information in the course of commercial activity, and a contact form collects personal information. If you have customers in Quebec, Law 25 goes further, with penalties that can reach $25 million or 4% of worldwide revenue. We wrote a full plain-language guide to what Canadian websites legally need, because almost every vibe-coded site we audit has nothing.

Terms of service. If you sell anything, book anything, or let users post anything, and you have no terms, then every dispute defaults to an argument. Refund conditions, liability limits, acceptable use: these exist to keep small problems small.

Cookie consent. If the site runs analytics or ad pixels (or, ironically, especially if it doesn’t and someone bolted Facebook tracking on later), Canadian guidance under PIPEDA and Quebec’s Law 25 expects meaningful consent for tracking. AI site builders don’t add consent management because it makes the demo uglier.

Analytics at all. This is my favourite one, because it’s the inverse problem: plenty of vibe-coded sites ship with no analytics whatsoever. The owner has no idea how many people visit, where they come from, or what they do. Which means when they ask “is my website working?”, the honest answer is that nobody on earth knows. You can’t improve what you never measured. Even a lightweight, privacy-respecting analytics setup beats flying blind.

The pattern underneath all of this

Notice what every item on this list has in common: none of it is visible in a screenshot. AI tools optimize for the thing you can evaluate in ten seconds, which is how the site looks. Everything on this list is only evaluable over months, in Google rankings, in bounce rates, in a breach notification, in a lawyer’s letter. Vibe coding doesn’t skip the hard parts of web development. It skips the invisible parts, and it turns out those were most of the job.

I want to be fair here: the same list of failures existed long before AI. Cheap template sites and rushed freelance builds have been missing meta tags and privacy policies for twenty years. What changed is volume and confidence. The tools are so fluent that people who would previously have hired someone, or at least known they were cutting corners, now genuinely believe the work is complete. The gap didn’t get bigger. The awareness of the gap disappeared.

What we actually do about it

At Databending we build websites for businesses across Windsor, Toronto, and the rest of Ontario, and increasingly the work is a hybrid: AI-assisted building with human review on exactly the layers above. When we take on a web design project, the launch checklist covers meta tags and structured data, performance budgets, WCAG checks against AODA, cross-device testing, secrets kept server-side, backups and staging, the legal pages, and analytics from day one. When someone brings us a vibe-coded site, we audit it against the same list. Sometimes the verdict is “this is 70% there, let’s finish it,” which is a genuinely good outcome; the AI saved them money and we make it real. Sometimes the verdict is that the foundation can’t hold weight, and we talk honestly about what a proper rebuild costs in Canada.

If you’ve already built something with AI, here’s the honest self-check, no agency required:

  1. Google your business name. Does your actual business name and description show up, or a framework default?
  2. Run your site through PageSpeed Insights. Below 70 on mobile, you have a problem.
  3. Type a fake URL on your domain. What does the 404 look like?
  4. Open your site, hit F12, search the source for “key” or “sk-”. If you find credentials, take the site down until they’re rotated.
  5. Look for your privacy policy. Then look for your analytics. If both are missing, you have no legal cover and no data.
  6. Fill out your own contact form. Did the message arrive?

If you got through all six clean, sincerely: nice work, you’re ahead of most funded startups. If you didn’t, that’s normal, and fixable.


Want a second set of eyes on your site?

We do this every week for businesses in Windsor, Toronto, and across Ontario. Whether you vibe-coded it yourself or inherited someone else’s build, we’ll tell you plainly what’s solid and what’s missing.

Get in touch with Databending

Related reading:


Sources

  1. Veracode — 2025 GenAI Code Security Report
  2. Veracode — Spring 2026 GenAI Code Security Update
  3. WebAIM — The WebAIM Million, 2026 report
  4. Decrypt — Tea App Exposes 72,000 IDs in Security Fail
  5. Barracuda — Vibe coding and the Tea app breach
  6. OX Security — Why 62% of AI-Generated Code Ships With Vulnerabilities
  7. Cloud Security Alliance — Vibe Coding Security Crisis: Credential Sprawl and SDLC Debt
  8. Edmonds Commerce — Page Load Time Impact: Bounce Rates, Conversions & Revenue
  9. IBM — Vibe Coding Security Risks Aren’t Like Ordinary Security Risks
  10. OneTrust — Quebec’s Law 25: What You Need to Know

More Articles

View All →