We scanned 12,689 small-business websites. 17 passed.
We ran AcuityScan's full 350+ check suite against 12,689 small-business websites across all 50 states. 17 earned an A. Here is everything else we found, worst first.

Over the past few months we scanned 12,689 small-business websites with AcuityScan. Every scan ran the full suite: 350+ checks across performance, security, email, accessibility, SEO, and DNS.
17 sites scored 90 or above.
That is not 17 percent. That is 17 sites. 0.13 percent of the entire corpus earned an A. The median site scored 71, a C. The mean was 66.9, dragged down by a long tail of sites in genuinely bad shape.
I want to walk through what we found, because the individual numbers are worse than the headline.
How we did this
Quick methodology note, because a stat without one is just a claim.
The sites came from public business directories across all 50 states. Real plumbers, dentists, law firms, restaurants, contractors. Each domain was scanned once with AcuityScan's full 350+ check suite, and we deduplicated to 12,689 unique sites.
One honest caveat: the per-issue percentages below were counted by keyword match against scan findings, not by re-querying each raw check result. That means the figures are approximate. They are close, but treat them as "about 84 percent," not "exactly 84.3."
Here is what we found, worst first.
84.3% fail mobile speed
More than five out of six sites are slow on a phone. Not "could be snappier." Slow enough that our performance checks flag them against Google's own thresholds.
Why it matters: most local search traffic is mobile. Someone searches "emergency plumber near me" standing in a flooding kitchen, taps the first result, and waits. Google's data has long shown that bounce probability climbs sharply as load time passes three seconds. A slow mobile site does not just annoy people. It quietly hands your click to the next result, and it factors into where you rank in the first place.
82.9% have broken or missing DMARC
DMARC is the DNS record that tells receiving mail servers what to do with email that pretends to be from your domain. Roughly 83 percent of these businesses either have no DMARC record or have one set to a policy that does nothing.
Why it matters: without enforced DMARC, anyone on earth can send email as you. Invoice fraud against small businesses usually starts exactly this way: a spoofed message from "your" address to your own customer, with new payment details. And since 2024, Google and Yahoo require authentication for senders they will reliably deliver. Broken DMARC means your legitimate email is also more likely to land in spam. It is one DNS TXT record.
79.4% have missing accessibility labels
Nearly four in five sites have controls, images, or form fields with no accessible name. A screen reader hits the search button and announces "button." It hits the phone number field and announces "edit, blank."
Why it matters: about a quarter of US adults live with a disability, and many of them buy things. A form a screen reader cannot parse is a customer who cannot contact you. There is also a legal side: ADA web accessibility lawsuits keep hitting small businesses, and missing labels are among the first things any complaint cites. These are code-level fixes, mostly one attribute per element.
76% have no HSTS
HSTS is a response header that tells browsers to only ever talk to your site over HTTPS. Three quarters of the sites we scanned do not send it.
Why it matters: without HSTS, the first request a visitor makes can go out over plain HTTP before being redirected. On hostile networks, coffee shop Wi-Fi being the classic case, that window is enough for an attacker to sit in the middle of the connection. Your padlock icon looks fine. The gap is invisible in a browser. It is one line of server config.
68.6% have no clickjacking protection
About two thirds of sites can be loaded inside an invisible frame on someone else's page. That is the setup for clickjacking: a visitor thinks they are clicking a video play button, but they are actually clicking something on your framed site.
Why it matters: attackers use framing to hijack logins, trick users into actions, and run phishing pages that look legitimate because your real site is rendering inside them. The defense is a frame-ancestors directive or an X-Frame-Options header. One header. Most hosts let you add it in minutes.
59.5% fail color contrast
Just under 60 percent of sites have text that fails WCAG contrast minimums. Light gray on white is the usual offender.
Why it matters: low-contrast text is unreadable for people with low vision and hard for everyone in bad conditions, like a phone screen in sunlight, which is exactly where local customers are. If your phone number or hours are in pale gray, some real fraction of visitors physically cannot read them. Designers pick these colors on bright calibrated monitors. Customers do not read them on bright calibrated monitors.
31.9% run an outdated CMS with known CVEs
Almost a third of the sites run a CMS version with publicly documented vulnerabilities. Not "might have an issue." Known CVEs, with published details, that the current version already fixed.
Why it matters: exploitation of these is automated. Bots scan the internet for version fingerprints and attack anything that matches. Nobody targets your bakery specifically; the script does not care what you sell. A compromised site gets used to serve malware, host phishing pages, or send spam, which leads directly to the next stat.
6.4% are actively blacklisted
One in sixteen sites is on at least one spam or malware blacklist right now. Today.
Why it matters: this is the most invisible finding in the study. A blacklisted domain has email silently dropped, gets warning screens in some browsers and security products, and loses deals to a filter the owner has never heard of. Nobody emails you to say you have been listed. Every business we have ever told about this was hearing it for the first time.
And 97.4% have no CAA record
Almost nobody publishes a CAA record, which restricts which certificate authorities can issue SSL certificates for your domain. On its own this is low severity, and I am not going to pretend otherwise. But it is a five-minute hardening step that closes off a real class of misissuance attacks, and 97 percent of sites skip it. It is a decent proxy for how far down the checklist anyone ever got. The answer is: not far.
For completeness, a few findings that did not make the headline list: 41.7 percent are missing DKIM, 40.5 percent expose server or version information they do not need to, and 9.5 percent have no SPF record at all.
The grade distribution
Here is the full corpus, graded the way AcuityScan grades every scan:
| Grade | Sites | Share | |---|---|---| | A (90+) | 17 | 0.1% | | B (80s) | 1,205 | 9.5% | | C (70s) | 5,965 | 47.0% | | D (60s) | 4,127 | 32.5% | | F (below 60) | 1,375 | 10.8% |
Median score: 71. Almost half of small-business websites are C sites, and more than 43 percent are D or worse. The A tier is small enough to invite over for dinner.
The part that should bother you
Here is the thing about this list. Almost none of it is visible.
Every one of these sites loads. Most of them look fine. The owner opened it in Chrome, saw their logo and their photos, and reasonably concluded the website was done. Slow mobile rendering, spoofable email, missing security headers, blacklist entries, a CMS with published exploits: none of that shows up when you look at your own homepage on your own desktop.
The website is the paint. The findings above are the wiring. And based on 12,689 real businesses, the wiring is in bad shape almost everywhere, not because owners are careless, but because nothing in the normal life of a small business ever surfaces these problems until one of them becomes expensive.
The fixes are mostly small. A DNS record. A response header. An update button. The hard part has never been fixing these things. It is finding out they exist.
See where your site lands
You can run the exact same 350+ check scan we used for this study, free, at acuityscan.com. It takes about a minute and shows you your score against the 12,689 sites above.
Statistically, there is something on the list. I would rather you find it than someone else.
Scan your own site
See what 350+ checks find on your domain.
Free, no signup, 60 seconds. Email auth · DNS · SSL · Performance · SEO · Accessibility · Privacy · Mobile.
