Your site's quiet payroll of scripts
Open the source of almost any small-business website and you will find a payroll of third parties: a chat widget, a Meta pixel, Google Analytics, a review badge, a heatmap tool someone trialled in 2023, an Instagram feed and a couple of YouTube embeds. Each one took five minutes to add. Almost none are ever removed. Together they frequently weigh more, and block the browser for longer, than the website itself.
Third-party scripts hurt in three ways: they add network requests to new domains, they execute JavaScript on the main thread (which freezes taps and scrolls), and some inject further scripts of their own. The good news is that everything you need to audit them ships free inside Chrome, Edge or Firefox.
Step one: build the inventory
Set aside twenty minutes and work through this on your homepage first:
- 1. Open the page in Chrome, press F12 for DevTools, choose the Network tab, tick 'Disable cache' and reload.
- 2. Use the third-party filter (or type -domain:yourdomain.co.uk in the filter box) to hide your own files and see only outsiders.
- 3. Sort by Size, then by Time, and note every distinct company that appears.
- 4. Run a Lighthouse report (also inside DevTools) and read the 'Reduce the impact of third-party code' section, which groups the cost by provider.
- 5. Repeat on your highest-traffic landing page and your checkout or contact page, because the script mix often differs page to page.
Record each script in a spreadsheet with four columns: what it is, what it does, who in the business asked for it, and when its output was last actually used. The last two columns are usually the revealing ones.
Need a hand with this?
Our team delivers Website Maintenance for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Step two: measure what each script costs
DevTools has an underused feature built for exactly this: request blocking. Right-click any request in the Network tab, choose 'Block request domain', reload the page, and see how it behaves and how much faster it loads without that provider. Test one domain at a time and note the difference.
For a second opinion, WebPageTest.org is free and runs before-and-after comparisons on real devices, with a filmstrip showing exactly when content appears. Watch Total Blocking Time in particular: it is the metric chat widgets and tag managers damage most, because it reflects main-thread work that makes the page ignore the visitor's input.
The keep, defer or delete framework
Keep (load normally)
Scripts with a proven, current job: analytics you actually read, a payment provider, the consent platform you are legally required to run. These stay, but each one needs a named owner in the business.
Defer (load later or on interaction)
Scripts that are useful but not needed to render the page: chat widgets, heatmaps, remarketing pixels. Load them after the page becomes interactive, after a short delay, or only when the visitor shows intent, such as scrolling or moving towards the chat bubble.
Delete
Anything that fails three tests: nobody can name its owner, nobody has looked at its output in six months, or the campaign it supported has ended. Old A/B-testing snippets and expired trials are the usual suspects. Delete the tag properly rather than pausing it.
Lighter alternatives for the usual culprits
- YouTube embeds: each iframe pulls hundreds of kilobytes before anyone presses play. Use a facade such as the open-source lite-youtube-embed, which shows a thumbnail and loads the real player only on click.
- Chat widgets: most providers, including Intercom, Tidio and LiveChat, can be lazy-loaded after a few seconds or on first scroll instead of blocking the initial render.
- Social feeds: replace live Instagram or X embeds with periodically updated images that link to your profile. Visitors cannot tell the difference; your load time can.
- Google Tag Manager: GTM itself is light, but containers become skips full of forgotten tags. Audit the container quarterly and remove anything paused or orphaned.
- Multiple analytics tools: pick one. If you only ever check visitor counts, a lightweight cookieless option such as Plausible or Fathom does the job in a few kilobytes.
- Consent ordering: under UK GDPR and PECR, non-essential trackers need consent anyway, so wiring pixels to fire only after the banner is accepted keeps you compliant and speeds up first paint for everyone who has not clicked it.
Key Takeaway
List every third-party script using the DevTools Network tab, then test each one by blocking its domain and reloading. Sort survivors into keep (proven revenue or legal need), defer (load after interaction or a delay) and delete (nobody can name its owner). Replace the heaviest culprits with facades that load the real widget only on click, and review the inventory quarterly so the list never regrows.
Keep the list from regrowing
A script audit decays like any other clean-up unless someone owns it. Keep the inventory spreadsheet live, require a name and a review date for every new tag before it goes in, and book a quarterly fifteen-minute review: run Lighthouse, compare against the inventory, and question anything new. Marketing tools should earn their place with output, not squat on your main thread out of habit.
If your site feels slow and you suspect the passengers rather than the vehicle, our team can run this audit for you and hand over the keep, defer or delete list with the changes already implemented.
