
This week: The vibe coding hype is real but risky. We cover Replit's browser-based AI builder, break down why WordPress beats AI-generated sites for businesses, share a quick security scan for sites you've already built, and look at Bolt and Cursor for different use cases.
What is Vibe Coding?!

You've probably heard about vibe coding by now. It's the trend where you describe what you want in plain English and AI builds it for you. Imagine telling a computer "build me an online shop that sells handmade candles with PayPal checkout" and watching it appear in front of you. Sounds brilliant, doesn't it?
Here's the thing: research found that AI co-authored code contained approximately 1.7 times more major issues compared to human-written code, with security vulnerabilities 2.74 times higher. The tools are genuinely impressive. I've tested them myself. But developers may use AI-generated code without fully comprehending its functionality, leading to undetected bugs, errors, or security vulnerabilities.
For rapid prototyping? Brilliant. For testing an idea before committing proper budget? Absolutely. But for your actual business website that handles customer data and payments? That's where I get twitchy.
I still recommend WordPress to most small businesses, and here's why: it's completely open-source, meaning you have complete ownership of your website and everything on it. Unlike these vibe coding platforms, where you might be locked into their ecosystem, your WordPress site can be backed up, exported, and moved to any host you want. WordPress is used by more than 40% of all websites globally, so it's not going away anytime soon. That matters when you're building a business.
With proper hosting and maintenance, WordPress automatically runs all the necessary updates, including security patches, WordPress core updates, and plugin updates. You're not relying on an AI to remember to patch security holes. There's a massive community of developers and security experts actually looking after it, and robust security features like SSL, DDoS protection, and firewalls are standard with decent hosting.
Can vibe coding tools build something faster? Absolutely. But websites aren't just about speed. They're about reliability, security, ownership, and having someone to call when things go wrong at 2am.
This Week's Tool: Replit

Replit is an AI-powered platform that lets you build complete applications directly in your browser by describing what you want in natural language.
It's for anyone from complete beginners to experienced developers who want to prototype quickly without the usual setup faff.
Replit's Agent feature converts your plain language requests into complete applications with frontend, backend, and database structure automatically. No installing development environments, no configuring servers, no pulling your hair out over dependencies. You literally open your browser, describe what you want, and watch it build. Agent 3 now tests itself and works autonomously for up to 200 minutes. It even includes built-in database management and one-click deployment.
How to get started:
1. Sign up at replit.com (there's a free tier to test it out)
2. Click the Agent feature and describe your app idea in plain language
3. Watch it generate your application automatically
4. Refine by asking for changes until the app matches your vision
5. Deploy with a single click when you're happy
Pro tip: Many users report unpredictable costs tied to AI agent usage, and the Agent can sometimes override your intent or break other parts of the app when making fixes. Start with the free tier, set clear budgets if you upgrade, and always review what it's actually built rather than blindly trusting it. The code it generates isn't always production-ready, even if it looks like it works.
Link: https://replit.com
Quick Win: Already Built Something with Vibe Coding? Run a Security Scan

If you've already built a site using Replit, Bolt, or similar tools and you're concerned about security (you should be), here's what to check right now:
1. Force HTTPS everywhere: Make sure your site is using HTTPS (the padlock in your browser) and that HTTP requests automatically redirect to HTTPS. Data encryption in transit is non-negotiable. If you're using Replit or Bolt's hosting, this should be enabled by default, but check it.
2. Check what's exposed: Look at your deployment settings. Is your database publicly accessible? Are API keys hardcoded in the frontend code? Right-click on your site, view source, and make sure you're not broadcasting credentials to the world. You'd be shocked how often AI-generated code leaves secrets in plain sight.
3. Change default credentials immediately: If your vibe-coded site has any admin login, change the username from "admin" and use a proper password manager to generate something strong. Enable two-factor authentication if the platform supports it.
4. Review what data you're collecting: What forms or inputs does your site have? Are you validating and sanitizing user input to prevent injection attacks? AI-generated code often skips input validation entirely.
5. Check your dependencies: What libraries and packages did the AI pull in? Outdated dependencies are a common attack vector. If you're on Replit or similar, check when packages were last updated.
Takes 10 minutes. Could save you from a breach that costs £200,000 to fix.
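Steps 1 and 2 can be partly automated. The script below is an added example, not part of the original newsletter: it flags credential-shaped strings in page source you paste or download from your own site, and checks that a plain-HTTP response redirects to HTTPS. The patterns, function names and sample source are constructed for illustration.

```python
from __future__ import annotations
import http.client
import re
from urllib.parse import urlparse

# Credential shapes to flag in anything a browser can download (illustrative, not exhaustive).
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "database URL with password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@'\"]+:[^\s@'\"]+@"),
    "hardcoded secret assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)['\"]?\s*[:=]\s*['\"][^'\"\s]{12,}['\"]"),
}

def find_exposed_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) for each credential-like string in page source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label))
    return findings

def redirects_to_https(status: int, location: str | None) -> bool:
    """True when a plain-HTTP response is a redirect with an https:// target."""
    return status in (301, 302, 303, 307, 308) and urlparse(location or "").scheme == "https"

def probe_http(host: str) -> tuple[int, str | None]:
    """HEAD http://host/ without following redirects; run it against your own site."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample of what "view source" can reveal; values are fake.
SAMPLE_SOURCE = """<script>
const config = { apiKey: "EXAMPLE-not-a-real-key-0000" };
const db = "postgres://app:EXAMPLEPASS@db.example.internal:5432/shop";
const theme = "dark";
</script>"""

if __name__ == "__main__":
    for lineno, label in find_exposed_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
    print("HTTPS redirect in place:", redirects_to_https(301, "https://example.com/"))
```

To check a live site, pass the result of `probe_http("your-domain")` to `redirects_to_https`. A clean result from the pattern scan does not prove nothing is exposed, so still review deployment settings by hand.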
NEED HELP? In over your head? No idea what an API is? I can help fix these issues.
Worth A Look
Bolt.new - Full-stack AI builder that runs entirely in your browser with enterprise-grade hosting, authentication, and databases built in. Raised $105 million in funding and pioneered the vibe coding movement when it launched in October 2024. Particularly good for rapid prototyping when you need to test an idea quickly. https://bolt.new
Cursor - AI-native code editor that weaves AI into nearly every interaction a programmer has with their code, with codebase-aware chat and multi-file editing capabilities. Better suited for developers who want AI help but still want to understand and control their code. Built on VS Code, so feels familiar if you've used that before. https://cursor.com
The Reality Check

Look, I'm genuinely excited about vibe coding tools. They're powerful, they're fast, and in the right hands they can save serious time. But we're already seeing grifters pop up offering "instant website builds" for small businesses, then disappearing when things break or get hacked.
A single security breach can cost small businesses an average of £200,000, and 60% of small businesses that suffer a cyberattack close their doors within six months. That's not a risk worth taking to save a few quid on proper development.
If you're using these tools for prototyping or personal projects, brilliant. But please, for your actual business website, either learn enough to understand what you're getting, or work with someone who does. Your website isn't just code. It's your business reputation, your customer data, and your livelihood.
Got a tool you want me to review? Reply to this email.
Need proper website development or digital marketing that won't fall apart? I've been doing this for 17 years without shortcuts. Get in touch.
