Website Audit Checklist: 72 Points to Check in 2026

A website audit checklist turns an overwhelming process into a manageable, repeatable system. Without one, you will either miss critical checks or spend hours going back and forth between tools trying to remember what you have and have not examined.

This checklist covers 72 checkpoints across six dimensions: SEO, technical infrastructure, content quality, user experience, security, and performance. It is the same checklist our team uses for every professional audit we deliver. We have refined it over five years and 500+ audits.

Work through each section methodically. For each item, check whether it passes, fails, or needs further investigation. Not every checkpoint will apply to every site — skip items that are not relevant to your setup (such as hreflang checks on a single-language site). The goal is thoroughness, not blind compliance.

SEO Checklist

• Every page has a unique title tag under 60 characters — Title tags are the strongest on-page ranking signal. Duplicate or missing titles dilute relevance and waste crawl budget on functionally identical pages. Check with Screaming Frog's Page Titles report.
• Every page has a unique meta description under 160 characters — While not a direct ranking factor, meta descriptions influence click-through rate. Pages without descriptions get auto-generated snippets from Google, which are rarely optimal.
• Every page has exactly one H1 tag — The H1 should clearly state what the page is about. Multiple H1s confuse the content hierarchy. Zero H1s leave search engines guessing about your primary topic.
• Heading hierarchy is logical (H1 then H2 then H3) — Skipping heading levels (H1 to H3 with no H2) creates a broken content outline. Search engines use heading structure to understand topic relationships within the page.
• Target keyword appears in URL, title, H1, and first 100 words — These four placements signal strong topical relevance. Missing any one of them weakens the page's ability to rank for its target term.
• Every image has descriptive alt text — Alt text helps search engines understand image content and is critical for accessibility. Missing alt text is a ranking opportunity wasted and an accessibility compliance failure.
• Internal links use descriptive anchor text — Anchor text tells search engines what the linked page is about. Generic anchors like "click here" or "read more" pass less topical relevance than descriptive phrases.
• No orphan pages (pages with zero internal links) — Orphan pages receive no internal link equity and are often ignored by crawlers. Every page you want ranked needs at least one contextual internal link pointing to it.
• Canonical tags are correctly implemented — Every page should have a self-referencing canonical tag unless it is intentionally pointing to a different preferred URL. Incorrect canonicals can deindex important pages.
• XML sitemap exists, is valid, and is submitted to Search Console — Your sitemap should list only indexable, 200-status, canonical URLs. Verify it is referenced in robots.txt and submitted in both Google Search Console and Bing Webmaster Tools.
• Robots.txt is correctly configured — Verify that no important pages or resources are blocked. Test with the robots.txt tester in Search Console.
• Structured data is implemented and validates without errors — Test every schema type on your site with the Rich Results Test. Fix missing required properties, incorrect data types, and deprecated markup.
• No keyword cannibalisation across pages — Two pages targeting the same keyword split ranking authority between them and often result in neither ranking well. Identify overlaps using Search Console's Performance report filtered by query.

Technical Checklist

• All pages return a 200 status code or appropriate redirect — Crawl your entire site and flag any 4xx or 5xx errors. Every page that users or search engines can reach should return a clean 200 response or a 301 redirect to the correct destination.
• No redirect chains longer than two hops — Each redirect in a chain adds latency and loses a small amount of link equity. Google follows up to 10 redirects but recommends keeping chains as short as possible. Ideally, every redirect should go directly to the final destination.
• No redirect loops — A redirect loop (page A redirects to B, which redirects back to A) creates an infinite loop that makes the page inaccessible. Crawl tools flag these automatically.
• HTTPS is enforced sitewide with 301 redirects from HTTP — Every HTTP URL should redirect to its HTTPS equivalent. Test the four variations of your homepage (http, https, www, non-www) and verify they all resolve to one canonical URL.
• SSL certificate is valid and covers all subdomains — An expired or misconfigured certificate triggers browser warnings that destroy user trust and may trigger Google Safe Browsing flags. Test with Qualys SSL Labs.
• No mixed content (HTTP resources on HTTPS pages) — Loading images, scripts, or stylesheets over HTTP on an HTTPS page triggers browser security warnings. Scan for mixed content using Screaming Frog's Insecure Content report.
• Server response time (TTFB) is under 200ms — Time to First Byte measures how quickly your server responds to a request. Anything over 200ms indicates a server, database, or caching issue that affects every page on the site.
• Crawl depth is 3 clicks or fewer for important pages — Run a crawl with depth analysis and verify that revenue-generating and high-traffic pages are within 3 clicks of the homepage.
• No duplicate content across URLs — Parameter-based URLs, www vs non-www, trailing slash vs non-trailing slash, and HTTP vs HTTPS can all create duplicate versions. Canonicals and redirects should consolidate them.
• Hreflang tags are correct (multi-language sites) — Every hreflang tag must have a reciprocal tag on the target page. Language and country codes must use the correct ISO format. Self-referencing hreflang tags must be present.
• Pagination is handled correctly — Paginated series should use self-referencing canonical tags on each page (not canonical to page 1) and include clear navigation links between pages.
• JavaScript-rendered content is indexable — If your site uses client-side JavaScript rendering, verify with the URL Inspection tool in Search Console that Google can see your rendered content.
• No broken external links — Outbound links to pages that return 404 or 5xx errors create a poor user experience and can signal neglect to search engines.

Content Checklist

• No thin pages (under 300 words with no other value) — Pages with minimal content that do not serve a clear user intent drag down your site's overall quality signal. Either expand them with useful content or consolidate them into a more comprehensive page.
• No duplicate or near-duplicate content within the site — Use Siteliner or Screaming Frog's near-duplicate detection to find pages with 80 percent or more content overlap. Consolidate them with redirects or differentiate them with unique content.
• Content matches the search intent for target keywords — Check the top-ranking pages for each target keyword. If Google ranks how-to guides and your page is a product listing, you have an intent mismatch that no amount of optimisation will fix.
• E-E-A-T signals are present on important pages — Author bios, credentials, editorial policies, source citations, and publication dates build Experience, Expertise, Authoritativeness, and Trustworthiness. Critical for YMYL content.
• Content is up to date — Pages referencing outdated statistics, discontinued products, or past events signal neglect. Review your most important pages and update anything that has become stale.
• No keyword stuffing or over-optimisation — Unnatural keyword repetition can trigger spam filters. If the content reads awkwardly because of forced keyword placement, rewrite it naturally.
• Above-the-fold content is useful (not just ads or CTAs) — Pages that push the main content below the fold in favour of ads or interstitials violate page experience guidelines.
• Content depth covers the topic comprehensively — Compare your content against the top 10 ranking pages. If competitors cover subtopics that you do not, you have a content gap that may be costing you rankings.
• No auto-generated content published without human review — Google penalises unhelpful content regardless of how it was produced. Every published page should be reviewed by a subject-matter expert.
• Blog posts link to relevant pillar pages — Supporting content should link to and reinforce your main topic pages, building topical authority through a hub-and-spoke internal linking model.

UX and Design Checklist

• Site is fully responsive across mobile, tablet, and desktop — Test on physical devices, not just browser resizing. Emulators miss touch-target issues, font rendering differences, and viewport-specific layout bugs.
• Navigation is intuitive with a clear hierarchy — Users should be able to find any major section within two clicks from the homepage. Menu labels should be descriptive and standard.
• Touch targets are at least 48x48px on mobile — Buttons, links, and interactive elements that are too small cause frustration and accidental taps. Google flags this as a mobile usability error.
• Forms are easy to complete on mobile — Input fields should use the correct input type (email, tel, number) to trigger the appropriate mobile keyboard. Labels should be persistent, not placeholder-only.
• 404 page is helpful with navigation options — A custom 404 page with a search box, links to popular pages, and a friendly message recovers users who land on broken URLs instead of bouncing them.
• No intrusive interstitials or pop-ups on mobile — Page experience guidelines penalise mobile interstitials that cover the main content. Cookie consent banners are exempt; marketing pop-ups are not.
• Font size is readable without zooming (16px+ base) — Small text on mobile drives users away. Set your base font size to at least 16px and ensure body text never renders below 14px on any viewport.
• Color contrast meets WCAG AA standards (4.5:1 for text) — Insufficient contrast makes text hard to read for users with visual impairments. Test with the WAVE accessibility checker.
• Breadcrumb navigation is present and functional — Breadcrumbs help users understand their location within the site hierarchy and generate breadcrumb rich results when marked up with schema.
• Call-to-action buttons are clear and consistent — Every page should have a clear next step. CTAs should stand out visually, use action-oriented language, and be consistent in style across the site.

Security Checklist

• HSTS header is set with max-age of at least one year — HTTP Strict Transport Security tells browsers to only connect via HTTPS. Set max-age to 31536000 and include includeSubDomains.
• Content-Security-Policy header is configured — CSP prevents cross-site scripting attacks by restricting which resources can be loaded. Start with a report-only policy and tighten it over time.
• X-Content-Type-Options is set to nosniff — Prevents browsers from MIME-sniffing responses away from the declared content type, blocking a common attack vector.
• X-Frame-Options is set to DENY or SAMEORIGIN — Prevents your pages from being embedded in iframes on other sites, protecting against clickjacking attacks.
• No sensitive files are publicly accessible — Check for exposed .env files, wp-config.php backups, .git directories, database dumps, and phpinfo pages.
• CMS and plugins are updated to latest versions — Outdated WordPress cores, plugins, and themes are the primary attack vector for website compromises. Check for updates at least monthly.
• Admin login pages are not at default URLs — Default login paths like /wp-admin are targeted by brute-force bots. Use a security plugin to change the login URL and implement rate limiting.
• No Google Safe Browsing warnings — Check your site in the Transparency Report. A warning flag devastates traffic and trust. If flagged, clean the malware and request a review immediately.
• Backup system is in place and tested — Having backups is not enough — verify that restoring from backup actually works. Test a restore quarterly. Ensure backups are stored off-server.
• Permissions-Policy header restricts unnecessary browser APIs — Limit access to camera, microphone, geolocation, and other browser features your site does not need.

Performance Checklist

• Largest Contentful Paint (LCP) under 2.5 seconds — The single most important speed metric. Test on both mobile and desktop with PageSpeed Insights. If failing, check image sizes, server response time, and render-blocking resources first.
• Interaction to Next Paint (INP) under 200 milliseconds — Measures responsiveness to user interactions. If failing, profile JavaScript execution in Chrome DevTools to find long-running tasks and heavy event handlers.
• Cumulative Layout Shift (CLS) under 0.1 — Measures visual stability. If failing, add width and height attributes to all images and videos, preload fonts, and reserve space for dynamically injected elements.
• Images are optimised (WebP/AVIF, responsive srcset) — Images are typically the largest payload on any page. Convert to modern formats, implement responsive images, and lazy-load below-fold images.
• CSS and JavaScript are minified — Remove unnecessary whitespace, comments, and dead code from production assets. Most build tools handle this automatically.
• Non-critical CSS and JS are deferred — Render-blocking resources delay the initial paint. Inline critical CSS for above-fold content, defer everything else, and load third-party scripts with async or defer.
• Browser caching is configured with appropriate max-age — Static assets should have Cache-Control headers with max-age of at least one year. Use content hashing in filenames for cache busting.
• CDN is configured for static assets — A content delivery network serves assets from edge locations near the user, reducing latency by 40 to 60 percent for geographically distributed audiences.
• Gzip or Brotli compression is enabled — Text-based resources should be compressed in transit. Brotli offers 15 to 25 percent better compression than Gzip and is supported by all modern browsers.
• No unnecessary third-party scripts — Every third-party script adds latency and main thread blocking. Audit every script for necessity and defer or remove the ones that do not justify their performance cost.

Download the Checklist

This 72-point checklist is also available as a downloadable spreadsheet template that you can use to track your audit progress. The template includes columns for status (Pass, Fail, N/A), notes, priority level, and the team member responsible for fixing each issue.

For a ready-to-use template with built-in scoring and conditional formatting, see our free audit template page.

If you are auditing an online store, our ecommerce audit checklist adds 20+ additional checkpoints specific to product pages, category structures, checkout flows, and ecommerce schema.

For WordPress sites, our WordPress audit checklist covers plugin auditing, theme performance, database optimisation, and CMS-specific security checks.

Prefer to have an expert run through this checklist for you? Our professional audit service covers all 72 checkpoints and delivers a prioritised action plan starting at $297.