The signal that survives
Websites & web apps, built to standards you can check yourself
A good small business website does three jobs the owner can't easily see: it loads fast on a phone, it works for everyone who lands on it, and it keeps customer data safe by default. We build to the public measures behind each one (Core Web Vitals for speed, WCAG 2.2 AA for accessibility, current NCSC guidance for security), and you can verify the result yourself with free tools the day we hand it over.
We hold our own site to these standards too — run truenoise.co.uk through PageSpeed Insights and read the score for yourself. We're a small UK team, and we build the way we'd want a supplier to build for us: modern, secure, and clear about what's measurable.
Most small business sites underdeliver, and the owner never finds out
Fewer than half of websites pass Google's speed checks on a phone. According to the HTTP Archive Web Almanac 2025, only 48% of mobile sites meet all three Core Web Vitals (56% on desktop), and the gap is widest exactly where your customers are, on mobile. The same blind spots tend to repeat on small business sites: pages that load slowly on a mid-range phone, layouts that shift while you're reading, forms that don't work for someone using a keyboard, and a security setup nobody has looked at since launch.
None of that shows up when the owner checks the site on their own laptop on office wifi. It shows up in lost enquiries, abandoned baskets, and customers who quietly go elsewhere. The point of this page is to make "built well" something you can see and check, not take on trust.
What "built well" actually means
Three things, in plain English. Each one has a public standard behind it, so it's measurable rather than a matter of opinion.
- Fast and stable on every device. The page shows its main content quickly, responds the moment someone taps, and doesn't jump around as it loads. The measure is Google's Core Web Vitals.
- Usable by everyone. Someone using a keyboard, a screen reader, or a phone with one hand can all get through. The measure is WCAG 2.2 AA, the recognised web accessibility standard.
- Secure by default. Traffic is encrypted properly, certificates renew themselves, and the basics of cyber hygiene are in place from day one. The reference is current NCSC guidance.
You don't need to learn the acronyms. You just need to know that each promise can be checked against an independent yardstick, and below we show you the tools to do exactly that.
Performance: fast in a way you can measure
"Fast" on its own is a sales word. The useful version is three specific measures, with thresholds Google publishes openly. Core Web Vitals are measured at the 75th percentile of real page loads, so the experience has to be good for the slowest quarter of your visitors too, not just on a fast connection.
| Metric | What it measures | "Good" threshold |
|---|---|---|
| LCP (Largest Contentful Paint) | How quickly the main content loads | 2.5 seconds or under |
| INP (Interaction to Next Paint) | How quickly the page responds when someone taps or clicks | 200 milliseconds or under |
| CLS (Cumulative Layout Shift) | How much the page jumps around while loading | 0.1 or under |
Thresholds per web.dev (Google).
A fourth measure sits upstream of all of these: Time to First Byte (TTFB), which is how long the server takes to start responding. web.dev describes it as the foundational metric that precedes every other meaningful experience metric. Good is 0.8 seconds or under, and above 1.8 seconds is poor. Get TTFB wrong and everything downstream struggles, which is why hosting and architecture matter before any visual polish.
Why aim for all three Core Web Vitals rather than treating it as a checkbox? Because most sites don't manage it. With only 48% of mobile sites passing all three (Web Almanac 2025), clearing the bar is a genuine edge rather than the baseline. The individual figures show where sites fall down: on mobile, 62% have good LCP (versus 74% on desktop) and 81% have good CLS, so loading speed and stability on phones are where the work is.
INP, the responsiveness measure, replaced the older FID metric for a good reason. FID only looked at the very first interaction, but Chrome usage data shows roughly 90% of a visitor's time on a page is spent after it has loaded. In other words, how the page feels while someone is actually using it matters more than the first split-second.
Core Web Vitals also feed Google's ranking systems as part of page experience. Google states that other page experience signals such as HTTPS and mobile-friendliness do not on their own push a site higher; they improve the experience but aren't a ranking lever. So we treat performance as something that helps customers first and search second, never as a ranking trick.
You can check this yourself. Run your URL through PageSpeed Insights (free, no login) on the mobile setting, and read the field data from real visitors rather than only the lab score. Google Search Console's Core Web Vitals report shows the same data aggregated across your pages. PageSpeed Insights runs Lighthouse 13.0, updated on 20 October 2025.
Accessibility: built for the whole market, not most of it
Start with the business case, because the technical detail follows from it. There are 16 million disabled people in the UK, and according to the charity Scope, 23% of working-age adults are disabled and households with at least one disabled person have an estimated combined spending power of £274 billion a year. A site that's hard to use for that audience is turning away real customers, quietly, every day.
There's a legal dimension too. The Equality Act 2010 (Part 3) requires service providers, including businesses offering services through a website, to make reasonable adjustments for disabled people, whether the service is paid or free. The Act doesn't name a specific technical standard, but WCAG 2.2 AA is the widely recognised definition of what "reasonable" looks like in practice. WCAG 2.2 AA isn't itself a legal requirement for private businesses; the duty is framed as reasonable adjustments, and WCAG is the accepted yardstick for meeting it. For public sector bodies, the bar is explicit: the Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 require WCAG Level A and AA, a clear signal of the direction of travel for everyone else.
WCAG 2.2 is the current W3C Recommendation, dated 12 December 2024 (first published in October 2023), and it adds nine new success criteria over WCAG 2.1. Four of those, at AA level, trip up everyday small business sites built before 2024:
- Focus not obscured (2.4.11) — when you tab through a page, the highlighted element can't be hidden behind a sticky header.
- Dragging movements (2.5.7) — any drag action (a slider, a map) needs a simple tap or click alternative.
- Target size (2.5.8) — interactive targets should be at least 24×24 CSS pixels, so buttons aren't impossible to hit on a phone.
- Accessible authentication (3.3.8) — login can't depend on a memory test, which means password managers have to work.
We build to these from the start and provide a documented WCAG 2.2 AA conformance check as a deliverable: accessibility you can point to, not just verbal assurance.
Security: calm, current, and built in
Security on a small business site isn't about fear; it's about getting the basics right and keeping them right. The basics matter because attacks are common: according to the UK Government's Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber security breach or attack in the previous 12 months. Phishing was the most prevalent, affecting 85% of breached businesses, and the average cost of the most disruptive breach was around £1,600. The practical response is straightforward, and it comes in three layers.
1. Encryption done properly. Traffic between your visitors and your site should use modern encryption. NCSC guidance is clear: TLS 1.3 is the recommended standard, TLS 1.2 is still strong with the right configuration, and TLS 1.0, 1.1 and all SSL versions are formally deprecated and must not be used. NCSC also recommends automated certificate management so certificates renew themselves and never lapse, which is a common, avoidable cause of outages. One myth worth retiring: the expensive "OV" and "EV" certificates no longer give visitors more trust or security. NCSC and the browsers now treat DV, OV and EV as functionally equivalent, so a free, automatically renewed certificate does the job.
2. Cyber hygiene from day one. Sensible defaults (secure configuration, controlled access, kept-up-to-date components) are part of the build, not an afterthought you bolt on later.
3. Cyber Essentials, if it fits. Cyber Essentials is the UK government's NCSC-backed baseline scheme, covering five controls: firewalls, secure configuration, user access control, malware protection, and security update management. Certification starts at £320 + VAT, and organisations with turnover under £20m that certify their whole organisation automatically receive Cyber Liability Insurance via IASME. It's a recognised credibility signal for any business handling customer data or online payments, and it's required for some government contracts. We can build to its controls and help you work towards certification where it's worth it for you.
We don't claim a magic number of attacks prevented, because NCSC doesn't publish one. What we offer is a build that starts from current guidance and a security posture you can verify, for example an A or A+ grade on a public SSL test.
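A minimal self-check for the encryption layer described above, as an added example rather than code from our build process. It reads the negotiated TLS version and the certificate expiry date and rates them against the NCSC position quoted on this page; the function names and the 14-day renewal warning window are assumptions made for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Policy as this page states it (NCSC guidance): TLS 1.3 recommended, TLS 1.2
# acceptable with the right configuration, anything older must not be used.
RECOMMENDED = {"TLSv1.3"}
ACCEPTABLE = {"TLSv1.2"}
RENEWAL_WARNING_DAYS = 14  # assumption: alert window chosen for this example


def fetch_tls_facts(host, port=443, timeout=5.0):
    """Handshake once; return (negotiated version, certificate notAfter string)."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse deprecated protocols
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["notAfter"]


def assess(version, not_after, now=None):
    """Return [(level, message), ...] for one protocol and one expiry date."""
    now = now or datetime.now(timezone.utc)
    if version in RECOMMENDED:
        findings = [("ok", f"negotiated {version}")]
    elif version in ACCEPTABLE:
        findings = [("review", f"{version} negotiated; check ciphers, enable TLS 1.3")]
    else:
        findings = [("fail", f"deprecated protocol {version}")]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        findings.append(("fail", "certificate has expired"))
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(("warn", f"certificate expires in {days_left} days"))
    else:
        findings.append(("ok", f"certificate valid for {days_left} more days"))
    return findings


def report(host):
    """Live check: needs network access to the named host."""
    return assess(*fetch_tls_facts(host))
```

The negotiated version is the highest one both sides support, so an "ok" here does not prove the server refuses TLS 1.0 and 1.1; a public SSL test that probes each version separately covers that.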
Mobile-first isn't optional
Google now crawls sites with its smartphone agent and uses the mobile version of your content for indexing and ranking. That makes the mobile experience the primary one in search, not a scaled-down afterthought. And it's where the performance gap bites: 48% of mobile sites pass all three Core Web Vitals versus 56% on desktop (Web Almanac 2025), with mobile lagging on both loading and stability. Responsive design, a layout that adapts to the screen, is the floor, not a feature. We build mobile-first and measure on mobile, because that's how your customers and Google both see you.
The stack we build on
We build on modern frameworks (Nuxt, Next.js, Astro) with a headless content management system where it makes sense. In plain terms, that lets us serve pages statically or from the edge, which keeps Time to First Byte low and Core Web Vitals strong by design rather than by constant firefighting. Measurement is part of the build, not an extra: PageSpeed Insights, Search Console, and the real-world field data (CrUX) that Google collects.
Architecture is a genuine factor here, not branding. With under half of mobile sites passing Core Web Vitals, how a site is built has a real bearing on whether it can hit the standard, and a lean, modern frontend tends to hold its scores with less ongoing maintenance than a heavyweight, plugin-laden setup.
How we work
A simple, verifiable sequence:
- Discovery — what the site needs to do, for whom, and what "good" looks like for your business.
- Standards audit — if you already have a site, we measure it against performance, accessibility and security before recommending anything. Sometimes a targeted fix is the right call; sometimes a rebuild is cheaper over time. We'll tell you which.
- Build to measurable thresholds — to the Core Web Vitals, WCAG 2.2 AA and NCSC standards above, mobile-first throughout.
- Post-launch verification — you receive a PageSpeed Insights link and a WCAG conformance check as part of delivery. The commitment is checkable, not verbal.
Who this is for
- E-commerce stores that need conversion-ready speed on mobile, where every slow second and layout jump costs baskets.
- B2B and service businesses that need professional credibility and reliable lead capture, and a site that reflects how they actually work.
- Any business marketing to the public, which means accessibility under the Equality Act 2010 is your obligation, not an optional extra.
If you're currently on a setup that needs constant patching and plugin-wrangling to stay fast and safe (WordPress being the common one), that maintenance burden is a cost you carry, not one you should have to. We don't build, host or maintain WordPress; what we do is move businesses off it onto a modern stack that's secure and fast by default. See our migrate off WordPress page for how that works.
Proof
We'd rather show than tell. Here is what you can verify today:
- Check our own work. Run truenoise.co.uk through PageSpeed Insights yourself — we hold our own site to the standards on this page.
- Named brand evidence (directional). Google's own write-ups show the pattern: Vodafone tied a 31% improvement in LCP to an 8% increase in sales; Rakuten 24 reported 53.37% more revenue per visitor and a 33.13% higher conversion rate after investing in Core Web Vitals; redBus saw a 7% sales increase from better INP. These are correlations from large brands, not controlled experiments, but the direction is consistent: faster, more stable pages tend to convert better.
How this fits with working together
Most websites and web apps are custom project work, scoped to what your business needs and quoted up front (our custom rate is £60/hr, with no surprises). Many clients then keep their site looked after and improving through a rolling monthly plan (Essential, Growth or Scale), which puts ongoing capacity where it matters. Performance, accessibility and security don't stand still, and neither should your site. There's no lock-in: the monthly plan is rolling. See pricing for the detail.
Frequently asked questions
How do I know if my website passes Core Web Vitals? Run your URL through PageSpeed Insights (pagespeed.web.dev) — it's free and needs no login. Set it to mobile and read the field data, which reflects real visitors, rather than only the lab score. Google Search Console's Core Web Vitals report shows the same data across your pages. PageSpeed Insights runs Lighthouse 13 (updated October 2025). If your site has low traffic and no field data yet, the lab score stands in as a reasonable proxy.
Does my website legally have to be accessible? For a private business, the short answer is yes in effect: under the Equality Act 2010 (Part 3), any business offering services through a website must make reasonable adjustments for disabled people, paid or free. The Act doesn't name a technical standard, but WCAG 2.2 AA is the recognised definition of "reasonable". Public sector bodies face a stricter, explicit requirement under the 2018 Accessibility Regulations (WCAG Level A and AA).
What is WCAG 2.2, and is it different from what I have now? WCAG 2.2 is the current web accessibility standard (a W3C Recommendation dated 12 December 2024, first published October 2023). It adds nine requirements over WCAG 2.1. The four most likely to affect a business site: keyboard focus mustn't be hidden behind sticky headers; any drag action needs a tap or click alternative; interactive targets should be at least 24×24 pixels; and login mustn't rely solely on memory, so password managers have to work. Most sites built before 2024 fail at least one.
Do I need a new website, or can my existing one be fixed? It depends on how it's built. A performance and accessibility audit shows which gaps are patchable and which are architectural. Common architectural blockers are heavyweight CMS themes with render-blocking scripts, shared hosting with a slow TTFB, images with no set dimensions causing layout shift, and no keyboard focus management. Sometimes a retrofit is cost-effective; sometimes a rebuild on a modern stack is cheaper over time. A free performance check is the sensible first step.
Is HTTPS still important, and do I need an expensive certificate? HTTPS is still important, and the bar has moved: TLS 1.3 is the NCSC-recommended standard, and TLS 1.0 and 1.1 are formally deprecated. You do not need an expensive certificate. NCSC and the browsers treat the cheaper DV certificates and the pricier OV/EV ones as functionally equivalent for trust and security, so a free, auto-renewing certificate is fine. NCSC recommends automated renewal precisely so certificates never lapse.
What is Cyber Essentials, and do I need it? Cyber Essentials is the UK government's NCSC-backed minimum cyber security standard, covering five controls: firewalls, secure configuration, user access control, malware protection, and security update management. Certification starts at £320 + VAT, and organisations under £20m turnover that certify their whole organisation automatically receive Cyber Liability Insurance via IASME. It's required for some government contracts and is a solid baseline credibility signal for any business handling customer data or payments.
Will a faster website actually grow my business? Faster, more stable pages convert better, though the size of the effect depends on context. The clearest evidence comes from Google's own brand write-ups: Vodafone (8% more sales from a 31% LCP improvement), Rakuten 24 (53.37% more revenue per visitor) and redBus (7% more sales from better INP). These are correlations, not controlled trials, but they point the same way: slow pages lose people. We aim for the thresholds and let you verify the result.
Do you build WordPress, Shopify or Wix sites? We don't build, host or maintain WordPress — the only WordPress work we do is migrating businesses off it onto a modern stack. The reason is practical, not ideological: keeping a plugin-based site fast and secure takes ongoing maintenance you shouldn't have to carry. For e-commerce, a modern frontend (including a headless Shopify setup) tends to hold its Core Web Vitals more reliably, which matters when fewer than half of mobile sites pass. Tell us what you sell and how you work, and we'll recommend the right stack.
See where your site stands
The quickest way to know whether your site is fast, accessible and secure is to measure it — so start there, no commitment required.
Get a free performance check — we'll run your site against Core Web Vitals, accessibility and security, and send you a plain-English read of what's working and what isn't. Free, no obligation.
Start a project — ready to build or rebuild? Tell us what you need and we'll scope it, quote it up front, and build to standards you can check yourself.
No lock-in. Rolling monthly plans. Custom work at £60/hr, quoted before we start.