Most website audits check the wrong things. They generate 50-page PDFs full of technical jargon that nobody reads, flag issues that do not matter, and miss the problems that are actually costing you money. A good audit is not about running every diagnostic tool on the internet. It is about checking the things that affect whether people find your site, trust your site, and do what you want them to do on your site.
This guide is a practical checklist of what a website audit should cover, why each item matters, and how to prioritize fixes when the list feels overwhelming. It is written for business owners, marketers, and anyone who has ever received an audit report and thought "now what?"
1. Page Speed and Performance
Page speed is the foundation. Everything else you do with your website is undermined if pages take too long to load. Google uses page speed as a ranking factor. Visitors use it as a patience test. The data is consistent: every additional second of load time increases bounce rate and decreases conversions.
What to Check
- Largest Contentful Paint (LCP) — How long until the main content of the page is visible. Target: under 2.5 seconds. This is the metric that most directly correlates with perceived speed. If your hero image or main text block takes 4 seconds to appear, visitors are already deciding whether to stay.
- First Input Delay (FID) / Interaction to Next Paint (INP) — How long until the page responds to the first user interaction (click, tap, keypress). Target: under 200 milliseconds. A page that looks loaded but does not respond to clicks feels broken.
- Cumulative Layout Shift (CLS) — How much the page layout moves around as it loads. Target: under 0.1. Layout shifts happen when images without defined dimensions load, fonts swap, or ads inject themselves into the page. They are disorienting and cause mis-clicks.
- Total page weight — The combined size of all resources (HTML, CSS, JavaScript, images, fonts, videos) that the browser must download. Target: under 3 MB for most pages. Pages over 5 MB should be investigated.
- Number of HTTP requests — Each resource is a separate request. More requests mean more round trips to the server. Target: under 50 requests for a typical page. Pages with 100+ requests often have too many third-party scripts or unoptimized assets.
- Image optimization — Are images served in modern formats (WebP, AVIF)? Are they appropriately sized for their display dimensions? A 4000x3000 pixel image displayed at 400x300 pixels is wasting 99% of its file size.
- JavaScript bundle size — How much JavaScript is being loaded? Is any of it unused? Large JavaScript bundles block rendering and delay interactivity. Many sites load 2-3 MB of JavaScript when they need 200 KB.
How to test: Run your URL through Google PageSpeed Insights (pagespeed.web.dev). It tests both mobile and desktop, uses real Chrome user data when available, and provides specific recommendations. Run it on your homepage and your three most important interior pages.
2. SEO Fundamentals
Search engine optimization is not magic. It is a set of technical and content practices that help search engines understand what your pages are about and decide which searches they should appear for. An audit should check both the technical foundation and the content signals.
Technical SEO Checklist
- Title tags — Every page should have a unique, descriptive title tag under 60 characters. The title tag is the blue link in search results. If it is missing, duplicated, or generic ("Home" or "Welcome"), you are leaving rankings on the table.
- Meta descriptions — Every page should have a unique meta description under 160 characters that accurately describes the page content. Google does not always use your meta description, but when it does, a well-written one increases click-through rate.
- Header hierarchy — Each page should have one H1 tag that describes the primary topic. H2 tags for major sections. H3 tags for subsections. Skipping levels (H1 directly to H4) confuses both search engines and screen readers.
- Canonical tags — Every page should have a canonical tag pointing to itself (or to the preferred version if duplicate content exists). Without canonical tags, search engines may index the wrong version of a page or split ranking signals between duplicates.
- XML sitemap — Your site should have an XML sitemap submitted to Google Search Console. The sitemap should include all pages you want indexed and exclude pages you do not (login pages, thank-you pages, duplicate content).
- Robots.txt — Your robots.txt file should not accidentally block important pages from being crawled. Check it at yourdomain.com/robots.txt. A misconfigured robots.txt can deindex your entire site.
- Structured data — Schema.org markup helps search engines understand your content and can earn rich results (review stars, FAQ dropdowns, product information) in search listings. Check for errors in Google's Rich Results Test.
- Internal linking — Pages should link to other relevant pages on your site. Orphan pages (pages with no internal links pointing to them) are hard for search engines to discover and tend to rank poorly.
- HTTPS — Your entire site should be served over HTTPS. HTTP pages receive a ranking penalty and show a "Not Secure" warning in browsers. If you have mixed content (HTTPS page loading HTTP resources), fix the resource URLs.
Content SEO Checklist
- Target keywords — Does each important page target a specific keyword or topic? Is that keyword present in the title tag, H1, URL, and body content? You do not need to stuff keywords, but the page should clearly be about something.
- Content depth — Are your pages comprehensive enough to satisfy the search intent behind your target keywords? Thin pages (under 300 words) with no unique value rarely rank. Content does not need to be long for the sake of length, but it needs to be complete.
- Duplicate content — Are any pages substantially identical to other pages on your site or to content published elsewhere? Duplicate content dilutes ranking signals and confuses search engines about which page to show.
- Fresh content — When was each page last updated? Pages with outdated information (old dates, discontinued products, dead links) signal neglect to both search engines and visitors.
3. Content Quality Signals
Content quality is harder to audit than technical factors because it requires judgment, not just tools. But certain signals are reliable indicators of whether your content is working.
- Bounce rate by page — A high bounce rate on a page means visitors are arriving and immediately leaving. This could indicate a content mismatch (the page does not match the search query that brought them there), poor user experience, or slow loading. Check bounce rates in Google Analytics for your top landing pages.
- Time on page — How long do visitors spend reading each page? A 2,000-word article with an average time on page of 15 seconds is not being read. Either the content is not engaging, the layout is intimidating, or the page is not matching visitor intent.
- Calls to action — Does every page have a clear next step? Whether it is "Contact Us," "Request a Quote," "Read More," or "Add to Cart," visitors should never reach the bottom of a page and wonder what to do next.
- Trust signals — Are there testimonials, case studies, certifications, or social proof visible on key pages? Trust signals are especially important on pages where you are asking visitors to take a risky action (submitting personal information, making a purchase).
- Readability — Is your content written at an appropriate reading level for your audience? Are paragraphs short enough to scan? Are headers descriptive enough to skim? Most web readers scan before they read. If your content is a wall of text, it will be skipped.
4. Email Deliverability Basics
If your website collects email addresses and sends email (confirmations, newsletters, notifications), your email deliverability is part of your website's health. Emails that land in spam are worse than emails not sent because they train recipient mail servers to distrust your domain.
What to Check
- SPF record — Your domain's DNS should have an SPF record that lists all IP addresses and services authorized to send email on your behalf. Without SPF, receiving servers are more likely to flag your email as spam.
- DKIM signing — Emails should be digitally signed with DKIM (DomainKeys Identified Mail). This proves the email was not altered in transit and came from your domain. Most email service providers handle DKIM setup, but you need to verify the DNS records are in place.
- DMARC policy — A DMARC record tells receiving servers what to do with emails that fail SPF or DKIM checks. Start with a "none" policy (monitor only), then move to "quarantine" or "reject" as you verify your sending infrastructure.
- Sending reputation — Check your domain and IP reputation using tools like Google Postmaster Tools. If your domain has been flagged for spam, your emails are going to junk folders regardless of content quality.
- Bounce rates — If more than 2% of your emails bounce, clean your list. High bounce rates damage your sender reputation and can lead to your domain being blacklisted.
5. Security Headers and Configuration
Security is not just about preventing hacks. It is about trust. Browsers display warnings for sites with security issues. Search engines consider security signals. And visitors increasingly expect secure experiences.
Essential Security Checks
- SSL/TLS certificate — Is it valid, not expired, and covering all subdomains? An expired certificate shows a full-page browser warning that will send visitors running.
- HTTP Strict Transport Security (HSTS) — This header tells browsers to only connect via HTTPS, preventing downgrade attacks. Once a browser has received the header, it will refuse to load your site over HTTP.
- Content Security Policy (CSP) — A CSP header tells the browser which sources of content (scripts, styles, images) are allowed to load. This mitigates cross-site scripting (XSS) attacks by blocking scripts from unauthorized sources.
- X-Content-Type-Options — Set to "nosniff" to prevent browsers from interpreting files as a different MIME type than declared. This blocks certain types of attacks that exploit browser content sniffing.
- X-Frame-Options — Set to "DENY" or "SAMEORIGIN" to prevent your site from being embedded in iframes on other sites. This blocks clickjacking attacks.
- Software updates — Are your CMS, theme, and all plugins up to date? Outdated software is the most common attack vector for website compromises. WordPress sites with outdated plugins account for the majority of small business site hacks.
- Login security — If your site has a login page, is it protected with rate limiting, CAPTCHA, or two-factor authentication? Brute force attacks against login pages are constant and automated.
6. Mobile Responsiveness
Mobile traffic exceeds desktop traffic for most websites. Google uses mobile-first indexing, meaning it evaluates the mobile version of your site for rankings. If your site does not work well on mobile, you are failing the majority of your visitors and your search rankings.
What to Check
- Viewport configuration — The page should have a <meta name="viewport"> tag that sets the viewport width to the device width. Without this, mobile browsers render the desktop version and scale it down, making everything tiny.
- Touch target sizes — Buttons, links, and form fields should be at least 44x44 pixels on mobile. Smaller targets cause tap errors and frustration. Check your navigation links, footer links, and form buttons specifically.
- Text readability — Body text should be at least 16px on mobile. Smaller text forces pinch-to-zoom, which breaks the responsive design you worked hard to build.
- No horizontal scrolling — Content should fit within the viewport width. If visitors need to scroll horizontally to see content, something is overflowing: an image, a table, a code block, or a fixed-width element.
- Form usability — Test every form on a phone. Are the fields easy to tap? Does the keyboard match the input type (numeric keyboard for phone numbers, email keyboard for email fields)? Can visitors complete the form without zooming or scrolling excessively?
- Navigation — Is the mobile navigation easy to open, use, and close? Can visitors reach any page on the site within three taps from the homepage?
How to test: Open your site on an actual phone, not just a browser's responsive mode. Browser emulation misses performance issues, touch interaction problems, and real-world network conditions. Test on both iOS and Android devices.
7. Accessibility Basics
Website accessibility means making your site usable for people with disabilities, including visual impairments, hearing impairments, motor disabilities, and cognitive disabilities. Beyond being the right thing to do, accessibility is increasingly a legal requirement. ADA lawsuits against websites have increased every year, and courts have consistently ruled that commercial websites must be accessible.
Core Accessibility Checks
- Alt text on images — Every meaningful image should have alt text that describes its content. Decorative images should have empty alt attributes (alt=""). Screen readers read alt text to describe images to blind users.
- Color contrast — Text must have sufficient contrast against its background. WCAG 2.1 requires a contrast ratio of at least 4.5:1 for normal text and 3:1 for large text. Light gray text on a white background fails this test and is common on modern websites.
- Keyboard navigation — Can a user navigate your entire site using only a keyboard (Tab, Enter, Escape, arrow keys)? All interactive elements must be reachable and usable without a mouse. This affects users who cannot use a mouse due to motor disabilities.
- Form labels — Every form field must have an associated label. Placeholder text is not a substitute for labels because it disappears when the user starts typing. Screen readers rely on labels to tell users what each field is for.
- Focus indicators — When a user tabs through interactive elements, there should be a visible indicator (usually an outline) showing which element is currently focused. Many sites remove the default browser focus outline for aesthetic reasons, which makes keyboard navigation impossible.
- Video captions — All video content should have captions or transcripts. This is required for deaf and hard-of-hearing users and is also helpful for users in noisy environments or those who prefer reading to listening.
- Semantic HTML — Use proper HTML elements for their intended purpose. Buttons should be <button> elements, not styled divs. Navigation should use <nav> tags. Main content should be in a <main> tag. Semantic HTML helps assistive technologies understand page structure.
8. Competitor Analysis Methodology
A website audit in isolation tells you where you stand. A competitor analysis tells you where you stand relative to the sites you are competing with for the same customers and search rankings.
What to Compare
- Domain authority and backlink profile — How does your site's authority compare to your competitors'? If they have significantly more quality backlinks, your content needs to be substantially better to outrank them on competitive keywords.
- Content coverage — What topics do your competitors cover that you do not? Content gaps are opportunities. If three competitors all have comprehensive guides on a topic and you have nothing, that is a content gap worth filling.
- Page speed comparison — Run PageSpeed Insights on your competitors' key pages. If they load in 1.5 seconds and you load in 4 seconds, speed is a competitive disadvantage. If everyone in your space is slow, speed is a competitive opportunity.
- User experience — Visit your competitors' sites as a customer. How easy is it to find information? How clear is their messaging? How simple is their conversion process? Note what they do well and what frustrates you. Your visitors are making the same comparisons.
- Featured snippets and SERP features — Search for your target keywords and note which competitors appear in featured snippets, People Also Ask boxes, and other SERP features. These positions drive significant traffic and can be won by structuring your content to answer specific questions clearly.
9. How to Prioritize Fixes
An audit that flags 47 issues is useless if you do not know which ones to fix first. Here is a prioritization framework that works.
Tier 1: Fix Immediately
Issues that are actively costing you traffic, revenue, or trust:
- Broken pages (404 errors on important URLs)
- SSL certificate issues
- Site not loading on mobile
- Critical security vulnerabilities
- Pages accidentally blocked by robots.txt
- Missing or broken tracking (you cannot improve what you cannot measure)
Tier 2: Fix This Week
Issues that affect rankings and user experience but are not emergencies:
- Page speed problems (especially LCP over 4 seconds)
- Missing title tags and meta descriptions on high-traffic pages
- Broken internal links
- Images without alt text on key pages
- Email deliverability issues (SPF, DKIM, DMARC)
Tier 3: Fix This Month
Issues that represent missed opportunities but are not causing active harm:
- Content gaps compared to competitors
- Structured data implementation
- Accessibility improvements beyond the basics
- Internal linking optimization
- Image optimization and modern format conversion
Tier 4: Ongoing Improvement
Issues that benefit from continuous attention rather than one-time fixes:
- Content freshness and updates
- Backlink acquisition
- Conversion rate optimization
- New content creation for uncovered topics
- Regular security and software updates
The most important rule of audit prioritization: Fix what affects revenue first. A page speed improvement on your pricing page matters more than a missing alt tag on a blog post from 2019. An SEO fix on a page that gets 10,000 visits per month matters more than a fix on a page that gets 50. Prioritize by business impact, not by technical severity.
Get a Complete Website Audit
StellarClose Audits checks page speed, SEO, security, mobile, accessibility, and email deliverability. One report with prioritized, actionable recommendations.