Vibe coding a business website sounds appealing. Tell an AI what you want, get a website in a day, save yourself the cost of a developer. The problem is that the resulting code is riddled with security vulnerabilities, you cannot update it without going back to the AI or hiring a developer, and a good website was never just about how fast you could write the code. WordPress, for all its imperfections, remains the safer, more practical choice for small businesses right now.

Key Takeaways:

  • Research from Veracode found that 45% of AI-generated code introduces security vulnerabilities, and this figure does not improve with newer or larger models
  • A December 2025 analysis found that AI co-authored code contains security vulnerabilities at a rate 2.74 times higher than human-written code
  • Vibe coded websites have no content management system, meaning a business owner cannot update their own site without touching code
  • A good website requires strategy, copywriting, SEO research, and photography before a single line of code is written. AI skips all of that.
  • WordPress powers over 43% of the web and holds more than 61% of the CMS market. That ecosystem, talent pool, and infrastructure exists because it works.

What Vibe Coding Actually Is

Vibe coding is a term coined in February 2025 by Andrej Karpathy, the OpenAI co-founder and former Tesla AI director. He described it as “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists.” In practice, it means describing what you want to an AI tool in plain English and accepting whatever it generates without reviewing or understanding the underlying code.

For a developer using it as a productivity tool with proper oversight, it has its uses. For a business owner who has never written a line of code treating it as a website solution, it is an entirely different proposition.

I spoke to a roofing company in Bristol last year. The owner had used an AI tool to generate a website over a weekend. It looked smart. It had a homepage, a services page, a contact form. He was genuinely chuffed with it.

Six weeks later, the contact form was harvesting enquiries and sending them to a third-party address that was not his. He had no idea how to fix it. He had no idea who to call because the AI that built the site was not going to diagnose the problem. He ended up having the site taken down and rebuilt on WordPress.

That is not a fringe case. It is exactly what the research predicts will happen.

The Security Problem Nobody Is Warning Businesses About

In 2025, Veracode tested over 100 large language models across 80 coding tasks and found that AI-generated code introduces security vulnerabilities 45% of the time. That is not a statistic that improves with the more sophisticated models. It stayed consistent regardless of how advanced the AI was.

A December 2025 analysis by CodeRabbit of 470 open-source GitHub pull requests found that AI co-authored code contained approximately 1.7 times more major issues than human-written code overall, with security vulnerabilities specifically appearing at a rate 2.74 times higher.

Research published in early 2026 tested five of the most popular vibe coding tools by building the same three applications with each. Across 15 applications, researchers found 69 vulnerabilities in total. A number of these were rated critical. The most serious concerned API authorisation logic, meaning the controls that determine who is allowed to access a resource or perform an action.

For a business website with a contact form, a booking system, or any kind of customer data, that is not an abstract risk.

In May 2025, Lovable, one of the most popular vibe coding platforms, was found to have security vulnerabilities in 170 out of 1,645 applications it had generated. Anyone with basic technical knowledge could access personal information from those sites.

Replit’s AI agent deleted the primary database of a project it was developing in 2025 despite being given explicit instructions to make no changes to the database. There was no separation between test and production environments.

These are not edge cases from amateurs misusing the tools. They are documented failures from the platforms themselves.

WordPress has its own security considerations. A WordPress site needs its plugins kept updated, its core files maintained, and ideally a security plugin running. Done properly, this is straightforward and well understood. The support ecosystem for WordPress security is enormous. If something goes wrong, there are thousands of developers, plugins, and documented solutions.

With a vibe coded site, you are on your own. There is no community. There is no ecosystem. There is no plugin to fix it. There is just you, a site you did not write, and a problem you cannot diagnose.

You Cannot Update Your Own Website

This is the issue that gets the least attention and causes the most day-to-day pain.

WordPress was built on the assumption that non-technical people would need to update their own websites. It is the entire point of the platform. A business owner can log into the dashboard, change a price, add a new service, upload a photo, publish a blog post, or update their opening hours in minutes. No developer required. No technical knowledge needed. This is not a coincidence. It is a design decision made 20 years ago that WordPress has stuck to ever since.

A vibe coded website is not built with any of that in mind. The AI generates code. That code sits on a server. To change anything on the site, you either go back to the AI and prompt it again, hoping it does not break something else in the process, or you hire a developer to edit the underlying code manually.

I had a client last year, a wedding photographer in Cheltenham. Her web developer had built her site using an AI coding tool and charged her accordingly. It looked great at launch. Within three months, she needed to update her packages and add a new gallery. Her developer had moved on to other projects and was not responding. She had no way to update the site herself. She had no CMS. She had no login. She had just a website she could not touch.

She came to us to rebuild it on WordPress. The rebuild cost more than the original site.

That scenario is increasingly common. Research from Curotec published in January 2026 noted that with AI-generated sites, even modest changes typically involve code edits, builds, and redeployments. WordPress, by contrast, was built around the reality that non-technical users make frequent updates. Marketing teams can change content and layouts without waiting on engineering. That division of responsibility is practical rather than elegant, and it is why WordPress works for businesses.

Speed Was Never the Point

Here is the part that the vibe coding conversation almost entirely misses.

Coding a website is not the slow bit. It never was.

The slow part of building a good business website is everything that happens before anyone touches a text editor. You need a clear strategy: what the site is for, who it is speaking to, what action you want visitors to take. You need copywriting: words that are accurate, persuasive, and written in the voice of the business. You need keyword research if you want the site to be found in search. You need photography: actual images of the business, the team, and the work, not stock photos of people shaking hands in front of a glass building.

A good website requires all of that to exist before design begins. Designers and developers cannot build effectively around placeholder content. The copy informs the layout. The layout informs the design. The design informs the development. Remove any of those stages and the resulting site is weaker for it.

AI generates a website in an hour. What it generates is a structure with no real strategy, placeholder or generic copy that sounds like no business in particular, no SEO foundation, and no photography that reflects reality. Technically it is a website. Commercially it is not much use.

I worked with a firm of solicitors in Gloucester earlier this year. They had a vibe coded site that had gone live in 48 hours. It ranked for nothing. The copy described their services in the most generic terms imaginable. There were stock photos throughout. They were getting almost no enquiries from it.

We rebuilt it on WordPress. The process took eight weeks. Not because WordPress is slow to build on, but because we spent the first five weeks on strategy, copywriting, keyword research, and a proper photoshoot. The last three weeks were the actual build. Six months later they were ranking for multiple local search terms and enquiries from the site had increased substantially.

The eight weeks was not wasted time. It was the work.

Why WordPress Is Still the Right Call for Most UK Small Businesses

WordPress powers over 43% of all websites on the internet, according to W3Techs data. Among websites using a known CMS, its market share is above 61%. The next closest competitor is Shopify at under 7%, and Shopify is primarily an ecommerce platform rather than a general website solution.

That market share reflects something real. WordPress has an enormous developer community, a plugin ecosystem of over 59,000 available plugins, and an established infrastructure for security, SEO, backups, and support. If you need a specific feature, someone has built a plugin for it. If something goes wrong, someone has fixed that problem before and documented the solution. If your developer disappears, another developer can pick up a WordPress site and understand it.

A vibe coded site built on a niche platform offers none of that. If the platform shuts down or pivots, your site has a problem. If the developer who built it is unavailable, you may have no recourse. If it gets hacked, there is no community to help you fix it.

WordPress is not perfect. It requires proper maintenance. Plugins need updating. Security needs managing. But these are well-understood problems with well-understood solutions, and the support infrastructure for them is enormous.

For a UK small business that needs a site they can update themselves, that will rank in local search, that a developer can maintain without proprietary knowledge, and that is not going to be compromised by a security flaw in AI-generated authorisation logic, WordPress is still the most sensible choice on the market right now.

What To Do Right Now

If you are considering a new website or have been approached by someone offering to vibe code one for you, ask these questions before you agree to anything.

Will I be able to log in and update my own content without hiring a developer? If the answer is not an immediate yes, that is a problem.

What CMS will the site run on? If there is no CMS, you will not own your site in any meaningful sense.

How will security be managed after launch? A vibe coded site has no clear answer to this.

How long will the strategy, copywriting, and SEO research take? If the answer is that it is all included in a one-week build, it has not been done properly.

A business website is not a weekend project. It is a commercial asset that should be generating enquiries, ranking in search, and representing the business accurately for years. The code is the smallest part of that.

Build it properly. Build it on WordPress. Make sure you can update it yourself.

Need help building a proper website that you can actually manage? Get in touch and we will do it right.