How to Choose a Web Design Agency: 12 Questions That Filter Out Cowboys

The single most revealing question to ask a web agency is this: can I see three sites you built two years ago that you still maintain today? It is revealing because it cannot be faked, rehearsed or smoothed over with marketing language. A portfolio shows what an agency can produce on launch day, with maximum effort and a fresh budget. A two-year-old site that is still fast, still patched and still owned by a happy client shows what the agency actually delivers once the invoice is paid and nobody is watching. That gap is where most bad agency relationships hide.

I run a small web development shop, and a meaningful share of our work is not building new sites but rescuing them. We have inherited WordPress installs locked inside proprietary builders, hosted on reseller accounts we could not log into, with domains registered in the previous agency's name. I have seen every cowboy trap from the inside, on the day a client discovers they cannot leave. The twelve questions below are the ones I would ask if I were the buyer. Each filters for the same two things: can you leave, and is the work real. Ask them on your first call and most cowboys will rule themselves out before you sign anything.

Ownership: Can You Actually Take What You Paid For

Who owns the code and intellectual property when the project ends

This question exposes the deepest trap, so ask it first. A professional answer is unambiguous: you own it. On final payment, all custom code, design files and content are assigned to you in writing, and the agency keeps only generic internal tooling not specific to your site. That assignment should be a contract clause, not a verbal reassurance. The red-flag answer sounds reasonable until you parse it: "we own the code and you licence it from us." Translated, the day you stop paying, you lose your site. Most buyers assume that because they paid for the work they own it, and they are wrong by default. In the UK, copyright in commissioned software belongs to the developer unless assigned in writing. In the US, "work made for hire" does not automatically cover a contractor's code without a signed agreement. The legal default favours the agency, and only an explicit written assignment flips it. If the contract is silent on ownership, treat the silence as the red flag.

Do you get the source files, not just the live website

A good agency hands over everything: the design files in editable format, the source for any custom theme or block, a database export, a documented build process, and a written inventory of every third-party account and licence the site depends on. The red flag is "you get the live website" with a full stop after it, design files delivered only as flattened images, or the line "we keep the working files, that is standard practice." It is not standard practice. It is a leash. A live website is a compiled output, and without the design and build source, the next developer rebuilds from scratch, and that rebuild cost is the lock-in. Page-builder sites are the worst offenders here. You are really asking whether a different competent developer could pick up your site tomorrow. If the answer is no, you have found a cowboy.

Who hosts the site and can you move it without the agency

The answer you want is that hosting is in your name, on your account, billed to your card, with the agency holding delegated access you can revoke with a single password change. The domain should be registered to you at the registrar. The red flag is bundled hosting folded into a monthly fee, sitting on an agency-owned reseller account you have no direct login to, with your domain registered under the agency's details. Bundled hosting is the most common lock-in in this industry because it does not feel like a trap, it feels like convenience. But it means the agency holds the keys, and the domain is the worst part: whoever controls the registrar controls your website and your company email. I have watched a business be unable to move agencies for months because the cowboy who registered the domain stopped replying. Own the domain and the hosting account, and let the agency have access that is delegated and revocable.

Proof: Is the Work Real and Does It Last

Can you see live sites built two years ago that are still maintained

This is the flagship question, and a confident agency answers it on the spot. It names three or more sites you can visit right now, they still load quickly, and the client will take a reference call. The strongest version is when the agency still maintains those sites, because the relationship survived past launch. The red flag is a portfolio of only brand-new launches, a blanket "we cannot share that for confidentiality" on every older project, or links to sites that now return errors or load slowly. Portfolios are launch-day snapshots. Two years is the honest test: has the site stayed fast, stayed patched, stayed owned by a client still glad they hired this agency. A portfolio of only recent work means either the agency is genuinely new, which is fine if they say so plainly, or older clients have churned and will not give references. Either way, the absence of aged, maintained work is information.

What performance KPIs do you commit to and how are they measured

A professional answer is made of numbers. It commits to named Core Web Vitals targets, an LCP under 2.5 seconds, an INP under 200 milliseconds, a CLS under 0.1, measured on real-world field data, on mobile, on your key templates, with a date when you can re-test. The red flag is everything that sounds nice and means nothing: "your site will be fast," "we optimise for speed," with no metric and no re-test date. Performance is the easiest thing to fake on launch day. Test on a fast laptop, empty cache, desktop screen, and almost any site looks quick. It is also the easiest thing to let quietly rot once the agency moves on. A real commitment is a number, a tool, a device profile and a re-test date in the agreement. If an agency will not put a figure on it, they are not committing to it.

After Launch: What Happens When the Site Is Live

What is the post-launch warranty

A good agency offers a defined warranty period, commonly between 30 and 90 days, during which anything that does not work as specified is fixed at no charge. It draws a clear line between a bug, which is the agency's responsibility, and a new feature, which is a paid change. The red flag is no warranty at all, bugs billed from the first day after launch, or a warranty so vaguely worded that every fix becomes an argument about scope. A warranty is an agency betting on its own quality. A shop confident in the build offers one without being pushed. An agency that wants to bill you to fix its own mistakes is telling you, plainly, that it expects to make them.

How do change orders get priced

The answer you want is an hourly rate published inside the contract, a written change-order process, and a quote and your sign-off required before any extra work begins. The red flag is a change rate not mentioned until you ask mid-project, a vague "we will sort it out as we go," or a quote that came in suspiciously low. That last one is the change-order trap: the agency bids low to win, knowing the scope is incomplete, then makes its real margin on every change request once half the site is built and you have no leverage to walk. If the change-order rate is not in the contract you signed, you do not have a fixed price. You have the opening installment of an open-ended bill.

What is the ongoing maintenance plan

A professional answer describes an actual service: core, plugin and theme updates tested on staging before production, backups with a stated frequency and retention period, uptime monitoring, security patching, a defined response time when something breaks, and a monthly report. It is priced transparently and, crucially, it is optional. The red flag comes in two forms: no maintenance offering at all, which leaves your site to rot, or maintenance that is mandatory and bundled so tightly it becomes another reason you cannot leave. An unmaintained WordPress site is a security incident waiting to happen, because outdated plugins are the most common way sites get compromised. But maintenance has to be a service you choose because it is good, not a leash you cannot unclip.

The Team and the Stack Behind the Work

What stack or page builder do you use, and why

A good agency gives a reasoned answer specific to your project. Whatever the choice, a block theme, a lean builder, a custom theme, a headless setup, they can explain the trade-off they made for you, weighing performance, content editability, portability and the skills you have in-house. The red flag is "we always use this," delivered with no reasoning, a heavy bloated builder picked because it is what the agency knows, or a proprietary in-house framework only this agency can ever work on. The stack is a five-year decision, and a builder chosen for the agency's convenience becomes your performance ceiling and your lock-in at once. The question behind the question is whether another competent developer could take this site over without a full rebuild. If the answer is no, you have circled back to the ownership problem, and you should walk.

How do you handle SEO migration on a redesign

If you are redesigning an existing site, this question protects something valuable and invisible. A real answer is a migration plan: crawl and inventory the old URLs, build a 301 redirect map for every URL that changes, preserve the title, meta and heading structure on pages that already rank, hold or improve site speed, submit the new sitemap, then monitor Search Console and rankings for four to eight weeks after launch. The red flag is "Google will just re-index it," "SEO is not included," or no mention of redirects at all. A redesign with no redirect map silently destroys years of ranking equity. The damage is invisible on launch day and surfaces six weeks later as a traffic collapse, by which point the cowboy has been paid and moved on. Redirects are not optional on any redesign that changes URLs.

Who actually does the work, and is any of it subcontracted

The answer you want is honest disclosure, either way. "Our in-house team handles this," or "we subcontract this specific part to a long-term partner, here is who they are and how we QA it." Transparency is the whole point. The red flag is the senior person who pitched you vanishing the moment you sign, with the build quietly handed to an anonymous team you were never told about. Subcontracting itself is not the problem. Hidden, unmanaged subcontracting is. You are buying the team that actually shows up, not the team in the pitch deck. Ask who is on your project, by name and role, and who reviews their output. An agency that will not tell you who is building your site is hoping you do not think to ask.

The Exit, and How to Run These Calls

What happens if we part ways

Ask the breakup question on the first call, before there is any relationship to break. A professional answer is a written offboarding process: all credentials handed over, a complete export of your data and files, a documented handover for whoever comes next, a clean exit with no hostage behaviour. The best agencies have an offboarding clause in the contract. The red flag is evasive: "nobody has ever left us," no process at all, credentials withheld until every dispute is settled, or a blank look because the agency has never considered the question. How an agency answers this tells you how the whole relationship is built. A shop structured around lock-in has never thought about a clean exit, because that is the thing it has quietly designed against. A professional shop has the answer ready, because it competes on being worth staying with rather than on being hard to leave. Run all twelve questions as a conversation, not an interrogation, and listen for whether the agency gets defensive when you raise ownership, hosting and the exit. Defensiveness on those three is the loudest red flag of the lot.

Talking to WitsCode

We have built more than 250 sites, and we have also been the agency hired to clean up after the cowboys. Inheriting sites that are locked, unmaintained and registered to someone else is part of our day job, which is why this list is not theoretical. Every trap above is one we have had to dig a client out of. We answer all twelve questions the same way every time, because we built the business so that leaving us is easy: you own the code, the domain and the hosting, and the source files are yours on handover. We would rather you stay because the work is good than because you cannot leave.

If you have a proposal or contract on your desk right now, send it over before you sign. We will read it against these twelve questions and tell you honestly where it protects you and where it quietly works against you, even if the answer is to hire someone else. A short discovery call costs nothing and might save you the rescue project we would otherwise be quoting in two years. Ask us the twelve questions too.