The Complete Website Audit Checklist (40 Points)
A practical 40-point website audit checklist covering SEO, performance, accessibility, security, and conversion — with the exact checks to run and why each one matters.
Why audit your website at all?
Most websites don't fail loudly. They fail quietly — a page that takes six seconds to load on mobile, a checkout button that's unreadable to a screen reader, a pricing page that returns a 404 because someone renamed a URL two years ago. Each issue costs you a few visitors at a time, and none of them ever files a complaint. They just leave.
A structured audit is how you find those silent leaks before they compound. The checklist below covers the five areas where problems cluster: SEO, performance, accessibility, security, and conversion. You can work through it manually in an afternoon, or use automated tooling for the repetitive parts and save your attention for judgment calls. Either way, the goal is the same: a prioritized list of fixes ranked by impact, not a 90-page report nobody reads.
SEO: can people find you? (points 1–10)
Start with the basics that search engines read on every page. These checks are unglamorous, but they're also where the fastest wins live — a missing meta description or a broken canonical tag can be fixed in minutes and pays back for years.
- 1. Every indexable page has a unique, descriptive title tag under ~60 characters
- 2. Meta descriptions exist and actually describe the page (they drive click-through, not rankings)
- 3. One H1 per page, with a logical H2/H3 hierarchy below it
- 4. Canonical tags point where you intend — watch for http/https and trailing-slash mismatches
- 5. robots.txt isn't accidentally blocking pages you want indexed
- 6. An XML sitemap exists, is referenced in robots.txt, and only lists live URLs
- 7. No broken internal links or orphaned pages — crawl the whole site, not just the homepage
- 8. Images have descriptive alt text and sensible file names
- 9. Structured data (Organization, Product, FAQ, Article) validates without errors
- 10. Redirect chains are short — one hop, not 301 → 301 → 302 relay races
Performance: does it load before people give up? (points 11–18)
Speed is the multiplier on everything else. A page that ranks well and converts well on paper still loses if half your mobile visitors bounce before the hero image renders. Google's Core Web Vitals give you a shared vocabulary here: LCP (how fast the main content appears), INP (how quickly the page responds to taps and clicks), and CLS (how much the layout jumps around while loading).
- 11. Largest Contentful Paint under 2.5 seconds on mobile — test on a throttled connection, not your office fiber
- 12. Cumulative Layout Shift under 0.1 — set explicit width/height on images and embeds
- 13. Interaction to Next Paint under 200ms — audit heavy third-party scripts first
- 14. Images served in modern formats (WebP/AVIF) and sized to their containers
- 15. Render-blocking CSS and JavaScript minimized; non-critical scripts deferred
- 16. Text compression (Brotli or gzip) enabled on every response
- 17. Static assets cached with long max-age headers
- 18. Total page weight under ~2MB — heavier pages almost always have an image problem
Accessibility: can everyone use it? (points 19–26)
Accessibility is often framed as a compliance chore, which undersells it badly. Around one in six people has some form of disability, and the fixes that help them — clear focus states, sufficient contrast, keyboard navigation — make the site better for everyone else too. It's also increasingly a legal requirement in the US and EU, so the cost of ignoring it is rising.
- 19. Text contrast meets WCAG AA (4.5:1 for body text, 3:1 for large text)
- 20. Every interactive element is reachable and operable by keyboard alone
- 21. Visible focus indicators — don't strip outline styles without a replacement
- 22. Form fields have programmatically associated labels, not just placeholder text
- 23. Images that convey meaning have alt text; decorative images have empty alt attributes
- 24. Page language is declared in the HTML lang attribute
- 25. Link text makes sense out of context — no bare “click here”
- 26. No content flashes more than three times per second
Security and trust: does the browser vouch for you? (points 27–33)
Visitors judge trustworthiness in seconds, and browsers now do some of that judging for them — a missing HTTPS padlock or a “Not Secure” warning ends the visit before your copy gets a chance. Security headers are the low-effort, high-signal layer here: most take one line of server config and protect against whole classes of attacks.
- 27. HTTPS everywhere, with HTTP requests redirecting to HTTPS in a single hop
- 28. TLS certificate valid and not within 30 days of expiry
- 29. HSTS header present so browsers never downgrade to HTTP
- 30. Content-Security-Policy set — even a basic one — to limit injected scripts
- 31. X-Content-Type-Options and X-Frame-Options (or frame-ancestors) configured
- 32. No mixed content — every image, script, and font loads over HTTPS
- 33. Contact details, privacy policy, and terms are findable — trust signals that both users and AI assistants check
Conversion: does traffic become revenue? (points 34–40)
The last seven points are where audits earn their keep, because a conversion fix compounds against all the traffic you already have. You don't need heatmaps and a testing program to start — most conversion problems are visible to anyone willing to walk through the site as a skeptical first-time visitor.
- 34. The homepage answers “what is this and why should I care?” within five seconds
- 35. One clear primary call to action per page, visually dominant, above the fold
- 36. Social proof — reviews, logos, testimonials, case numbers — appears near the CTA, not buried on a separate page
- 37. Forms ask only for what you'll actually use; every extra field costs completions
- 38. Pricing is findable and understandable without a sales call (or the wall is deliberate)
- 39. The full purchase or signup flow works end-to-end — actually complete it, on mobile
- 40. 404 pages recover gracefully with search or links back to key content
How to run this without losing a week
Manually checking 40 points across every page of a site is the kind of task that starts diligently and ends abandoned around point 14. The sensible split: automate the objective checks, and spend your human attention on the judgment calls like messaging clarity and CTA strength.
That's the split WebEnture is built around. The SEO Agent (/seo-agent) covers points 1–10 across your whole crawl, the Performance Agent (/performance-agent) handles the Core Web Vitals checks, the Broken Links Agent (/broken-links-agent) hunts down every dead internal and external link, and the Accessibility and Security & Trust agents cover their sections in a few minutes each. If you want a single starting score before going deep, the free website grader runs a condensed version of this exact checklist against any URL.
However you run it, put the output in a prioritized list — impact first, effort second — and fix the top five before scheduling the next audit. A quarterly cadence catches regressions before they calcify; after any redesign or platform migration, audit immediately.