How to Avoid AI Coding Mistakes on Your Website

Alannah Picking

AI is everywhere right now. It's attached to the name of almost every new product, even ones you would think have nothing to do with it. And it's dramatically changing the digital world, including how websites are built.

More business owners are skipping the developer and using AI to add features, change layouts, and expand their sites themselves. Not only does it save money, but for many people, it's the first time they've been able to change their own website with just a few prompts. Exciting!

Unfortunately, it's also where the problems start.

Our team is spending more and more time cleaning up after these tools, and after a while the same mistakes start to look familiar. Boiled down to it, AI will hand you a problem dressed up as a solution, and it'll do it with total confidence.

We sat down with Nik, who runs our development team, to find out what his real-time experience is with AI coding mistakes.

Section 01

'It works' and it's 'correct' are two different things

The biggest misconception isn't that AI writes broken code. It's almost the opposite. AI is good at writing code that does exactly what you asked. The trouble shows up later, when that code has to live alongside the rest of your site.

It'll solve what you asked it to do very quickly and accurately. But often, what you asked isn't broad enough to cover the whole problem.

Nik runs into the same problem on a mind-numbingly common basis. You make a change, it looks great on your monitor, so you move on, happy with the result and time saved. A week later, you open the same page on your phone to show your business partner why you no longer need a developer, and half of the page is hanging off the edge of the screen because nobody thought to check it on mobile. The code did its job. The job was just defined too narrowly.

Wild expectations make this worse. The news talks about what AI might do in five or ten years, so people assume it can already do more than it can. In our experience, the strong uses today are narrower than the hype suggests. It's good for quick prototyping, testing an idea, getting something to a rough working version so you can see if it's worth pursuing at all. Where it struggles is exactly where experience matters. Thinking ahead. Knowing about everything already running on the site. Being able to custom code a solution that fits your site perfectly, like knowing your site is mostly used on mobile and how to code it in response.

Section 02

When code slop becomes code soup

You may have heard the phrase "AI slop", or "code slop". It refers to code that runs, looks fine on the surface, but hides a mess underneath. The core problem is simple. The AI doesn't know the wider system it's writing for, and it will only give you what you ask of it. Limited coding knowledge? Limited output.

Picture an online store. You need a small custom function, like something that pulls data off an order and applies it to a customer's account. You ask the AI, you get a tidy little function, you paste it in, and it works. What you can't see is that your site might already do most of that job somewhere else. The AI had no idea, so it wrote its own version anyway.

Now two pieces of code do the same thing. Everything still works, so nobody notices.

The cost shows up later. A year on, you need another change. Maybe you use AI again, maybe you hire a developer. Whoever opens the code finds two functions that look more or less identical and can't tell which one is really being used. A simple job now takes two, three, four times as long. And the more you add this way, the worse it gets, because each duplicate makes the next change harder. When a real bug turns up (and one will), it's twice as hard to find, because you can't tell which copy it's coming from.

Code slop becomes code soup. The duplicates don't always sit there harmlessly, either. Sometimes they clash, and the duplicate stops working properly. The worst version of this is when it breaks, and nobody catches it at all.

Worth knowing

If you don't have time to check that you're not duplicating things, you probably don't have time to test everything afterwards either. So a fault can sit live on your site, tripping up real customers, until one of them gets fed up enough to email you. Usually something like, "I tried to check out three times and couldn't buy anything." OUCH.

Section 03

The vending machine habit

One of the most common mistakes is treating AI like a vending machine. You feed it prompt after prompt, take whatever drops out, paste it onto the site without really knowing what it does. It turns up a lot on sites we inherit from other agencies. Dozens of small AI changes, each one added without anyone knowing what it touched.

Why is that risky, beyond the obvious? Because if you use AI this way, you don't understand the code, and you've got no choice but to trust it. AI is good enough that the output is rarely broken straight out of the box, and it reads cleanly even to a developer. But if you can't read code, you won't spot the problems underneath. The inefficient way it did something. The security check it skipped. The function it copied for no reason.

This happens even to experienced developers. You ask the AI to adjust one function, and the new version also changes something else that was already right. A developer catches it because they read every line. Someone trusting the output blindly never would.

How much any of this matters depends on what you're touching. Change the way a button looks, and the risk is low. Change the way your payment gateway processes a credit card and, well, that's a different conversation entirely.

This excitement is dangerous. If you've never been able to change your own website, getting AI to move a button is a real buzz. That little hit of confidence can build into a habit, where you keep making changes faster than you can really understand them.

We were victims of this even in the WTS office. Given some safe practice sites, people built calculators and tools they'd wanted for years, in maybe ten minutes of prompting. Things that never made financial sense to build from scratch for smaller clients. It was great, and hard not to get swept up in. It was also a reminder of how quickly excitement can outrun caution, which is why a developer checked every one of those experiments before it went anywhere near a live site.

Section 04

(The right) context is key

If one word runs through all of this, it's context. So what does the right context look like when you're adding to an existing site?

Give the AI the code that will or might interact with the thing you're building. A clear description of what you want. And, just as important, what you don't want it to touch.

The edge case trap

If you're building anything interactive and you don't ask for validation, the AI usually won't add it, because it wants to give you a working result fast. So it builds your form, you fill it in normally, it submits, the data lands where you expected. Done. Except you never tested what happens when someone submits it empty. Or with far too much text. Or with completely the wrong values. Or, the one developers always watch for, with a database query buried in a form field, probing for a way in. The AI won't guard against the edge cases you didn't name.

One key to giving good context is understanding the code you're adding to. But the people leaning on AI are usually the ones who don't understand it. That's the whole reason they're using AI. For a developer, AI is a real time saver. For someone using it to avoid the cost of a developer, getting the context right is really hard.

So the natural move is: "if I don't know what to give it, I'll give it everything." And that's its own trap. There's research suggesting that cramming every document and rule into a prompt makes the output worse, not better. Too much context and it doesn't know where to focus. Worse, what it hands back can end up spread across half a dozen files. A developer building a single feature would keep that code in one place, making it easy to find and change later. Flood the AI with context, and you also raise the odds it changes things you never asked it to.

The functions.php trap

The WordPress functions.php file is the example I always come back to. On many sites, it runs to thousands of lines and contains most of the custom functionality. Paste the whole thing in, say "make these changes", and the AI hands the entire file back. You've no idea what it altered, and you just gave it everything that makes your site work. If you're not testing every affected feature after that, anything could be broken.

And this doesn't only happen on day one. Without a clear approach, it builds up over time. You keep improving something, keep feeding it more, until it's carrying so much general context that a simple request lands in completely the wrong spot.

Section 05

Where the security holes hide

The first place AI tends to introduce security holes is authentication. Say you use AI to build a page where a customer checks their order status with a link that holds the order ID. The AI might cover the obvious bases, validating the input and protecting the database from malicious activity. What it tends to miss is the person who edits the link, subtracts one from their order number, and hits enter. Now they're looking at someone else's order. Nothing stops them, because nobody told the AI to stop them.

Why this gets missed

The fix is to tell it what mustn't be allowed. But that assumes you know the risk exists in the first place. If you're not a developer, you probably don't know this is even a thing to think about, let alone something to warn the AI against. That's the real issue with security. People don't skip these checks because they're careless. They skip them because they've never heard of them. Even a plain contact form, built without that awareness, can hand someone with bad intentions a way in.

Section 06

The accessibility stuff that's easy to skip

Most good accessibility isn't hard. You just have to think to do it. So if you're generating everything with AI and you don't ask for it, you usually won't get it.

One example is tabindex, the order in which keyboard users move through a page when they press Tab. Drop an AI-built form into the middle of a page without enough context, and you can end up with a tab order that runs through the header, jumps straight past the form to the footer, and only then loops back. Someone using a screen reader might reach the footer and never even realise the form was there.

Something that looks like it's in the right place, but wasn't built into the page correctly, can also confuse how Google reads it. And increasingly, how tools like ChatGPT and Gemini read it is becoming its own way for people to find you. Building within a mature platform does help, but it depends on which part you're working in. The parts of WordPress or Shopify designed for non-technical users come with a lot of built-in protection: features that prevent you from accidentally breaking your layout or misconfiguring an element. But the moment you go deeper, into the code, into the areas where you might be pasting in AI output, that protection largely disappears. Those parts of the platform just assume you know what you're doing.

Section 07

Bloat that creeps up on you

Nik admits that AI has got better at this, but it's still working without visibility into what your site already loads, and that's where the trouble starts. Say you ask it to turn a section into a slider. It reaches for a JavaScript slider library and adds a line to load it. What you don't know is that your site may already load that exact library, or a different one doing the same job. Now the page pulls down two libraries to do one thing. Or the same one twice. One instance is relatively harmless. Repeat the pattern across a site, and you've got a page loading far more than it needs, plus the odd clash between the rival libraries.

None of this is new. WordPress users have bolted on plugins for things the builder already did for years. What's new is the speed. AI lets people add weight so gradually that nobody notices the site sliding from fast to sluggish. And on a busy site, small speed losses add up. Slightly less time on the page. Slightly fewer enquiries. Slightly fewer sales. It starts with one slider. Then a font loader, an animation library, a chat widget. Nobody added a slow site. They just each added one small thing.

Then there's scale, which is a slightly different worry. An AI-built product grid might run fine with 20 products and fall over at 300, if it wasn't built to scale. It might load each product one at a time, then fire separate database queries for each product's price and its details, instead of fetching everything in a single trip or using scalable features like pagination. Built that way, it works on launch day but gets slower over time until the page crawls or the server times out and throws an error. AI won't always build for the future. And most people using it won't know to ask it to.

Section 08

Why your SEO can suffer for it

Can AI coding mistakes hurt your SEO? The honest answer is that it touches almost everything, which makes it hard to pin down. But a common example is the page that looks perfect to a person and is a mess to a search engine. On your screen, the important content sits at the top. In the code, the AI may have dropped that content near the bottom, so a crawler reads the page out of order and can't work out what it's even about.

It builds from there. If you don't tell AI to optimise for SEO, it usually won't bother. You can end up with every heading marked as an h1, or no real headings at all, just text styled to look like headings with none of the structure search engines lean on. It looks fine to a visitor and is clearly broken to anyone who knows SEO. And if you don't, you'll never know to check.

Even asking for "SEO best practices" isn't enough, oddly. You have to give it the page's subject, the product it's about, and the search terms you really want to rank for. There's a duplication trap waiting too. Paste in a nicely optimised product description, complete with its own meta description, onto a site that already builds meta descriptions automatically, and now you've got two. Slightly different, each one working against the other. For someone who doesn't know what a meta description is, that's a very hard thing to diagnose when the page just won't rank.

Section 09

Can't AI just review its own work?

There's a trend of getting AI to check the changes it just made. Does it work? Somewhat. Not enough for Nik to tell a non-developer to run a self-review and call it done, though. Where it does help is as a sort of brainstorming partner. Ask it, "What might be wrong with this?" and let it point your attention to something useful. It's a way to focus your own judgement faster. It's not a replacement for experience.

Section 10

So what's actually safe to touch?

So when is it actually safe to use AI on your website? Nik's answer is short: the safe list is pretty short too.

Working in a staging environment, if you have oneYes
Small styling changes, like the colour of a buttonYes
Fully self-contained additions, like a standalone calculator or widgetYes
PHP or JavaScript that interacts with your existing setupLimited
Anything to do with money, payments, or loginsNo
Anything handling information that would matter if it leakedNo
Direct edits to files like functions.phpNo
Nik's rule of thumb

Ask what the worst outcome is before you hit save. If the worst case is a page that looks a bit off, go ahead. If the worst case is a site that won't load and a back end you can't get back into, that's when you call a developer instead.

Section 11

So what's a sensible process?

A developer would test every workflow that the new code could affect by going through the site as a customer. But if you don't understand the code, you don't know what it could affect. So to be truly safe, you'd have to test everything, which isn't realistic for most people.

The practical answer is to test what matters most to your business. For a store, after a change that could touch products or checkout, that means doing it for real. Add to cart, remove from cart, change a quantity, reach checkout, place a real order, and check that emails and receipts come through. The list is nearly endless, so just focus on the workflows your business depends on.

People who know how a feature is meant to work test it differently from people who've never seen it, and not always in a good way. If you built it, or you're familiar with the workflow, you'll tend to do it right without thinking, skipping past the moments where a real user might get confused or stuck. So if you can, get someone unfamiliar with it to run through it too. They'll find things you won't.

Nik's team once built and tested an order flow for a client, and it ran fine for the best part of a year. Then one customer's order broke completely. Just theirs. It turned out their surname had an apostrophe in it, and nobody had told the system that character was allowed there. A similar thing happened on a different build, an electronic sign-in system for a campground. It worked for months, then went down on a busy long weekend because a guest's name had an apostrophe in it too. They fixed it, and it broke again almost straight away, because the next guest had put a house number in the name field instead. Neither issue was hard to fix once someone knew what to look for. Neither would have been quick to find without that experience.

Section 12

When to bring in a human

If your website is critical to your business, having an agency look over a few changes is a sensible bit of insurance. It usually won't cost a fortune. Unless what they find is a disaster, but let's not assume that. The key is the brief.

Vague brief

"I made big changes, please check everything."

Leads to either a vague answer or a slow, expensive investigation.

Specific brief

"I added AI code to these two files, can you make sure it isn't doing anything strange", or "here's a specific bug and the exact steps to reproduce it".

Lets a developer go straight to the problem and come back with a real answer.

Section 13

If you're worried right now, do these three things

1

Work out what actually matters. Not every page, just the two or three things your business can't survive without, like taking an order or capturing a lead.

2

Get someone who's never used the site to test those specific things. Not you, and ideally not someone who already knows how it's supposed to work.

3

If your site is genuinely important to your business, get a developer to look at the specific changes you made, with a clear brief about what changed and why.

Section 14

The one rule underneath all AI workflows

The TL;DR version of all the information provided above comes down to a single idea. AI can't replace your critical thinking.

It can be completely confident and completely wrong at the same time, and that mix is the dangerous part if you don't know enough to push back. There's a video doing the rounds where someone asks an AI which month has the letter X in it. December, it says. Asked to spell December, it does. No X. Oh, October then. Spells October. Still no X. Round and round it goes, every wrong answer delivered with total confidence. If you couldn't spell December or October, you'd just believe it.

Key takeaway

So the lesson isn't to distrust AI. It's to match your scrutiny to the stakes. The more important the change, the harder you should think before trusting whatever came back.

I read about one developer who trained his AI to assume he isn't a genius, to treat his questions as bad ones, and to argue against everything he states as fact. Deliberate guardrails against this exact overconfidence. There's something to that, even if it can never fully stand in for common sense.

None of this is meant to scare you off. AI is a useful tool, and for many people, it should be fun and inspiring. The catch is that the excitement tends to hide the pitfalls, and the ones worth avoiding are the ones we've watched real businesses walk straight into. So use it. Just keep your brain switched on while you do.


Alannah Picking
SEO Team Leader & Content Strategist

With 7+ years of SEO content experience and a background in marketing, I've developed content strategies that generate real results for clients in highly competitive and niche landscapes.

One example is when I increased organic impressions by over 172k and generated over 1000 clicks across only three semantically briefed content pieces for a client in the healthcare industry within a 4-week period.

I have written hundreds of pages of optimised content, including every page on a site that ranked organically on a content-only strategy (no backlinks), for over 12 months without any further optimisations. Getting pages to rank, generate high levels of traffic, and age well (rank longer) is my speciality.

My methodology focuses on semantic content clustering, strategic use of link equity and user intent mapping, which I have developed through the Australian SEO Academy and the Topical Authority Course.

Recent achievement: Planned and executed a content strategy that generated over 150,000 organic impressions within a 12 month period for a corporate training company using semantically briefed content and EEAT practices.