A website audit isn’t something you do once and forget. The businesses that consistently check their site’s health are the ones that consistently outrank their competitors. Whether you’re losing traffic, watching conversions drop, or simply haven’t reviewed your site in months, this website audit checklist covers every check that matters — from SEO and security to performance, usability, and conversions.
This checklist covers 33 specific checks across 5 categories, the same checks used by professional agencies and built into our free website audit tool. You can work through them manually, or run all 33 checks automatically in under 10 seconds using the tool. Either way, by the end of this guide, you’ll know exactly where your website stands and what to fix first.
How to Do a Website Audit Using This Checklist
A thorough website audit checklist covers five categories: SEO, Security, Performance, Usability, and Conversions. Most website audit tools only check the first four. Conversions — whether your site is actually built to generate business — is the category that matters most, yet it’s almost always overlooked.
Here’s how to approach your website audit checklist step by step:
- Manual audit: Work through each check below one by one. Use browser developer tools (F12), Google Search Console, and free online checkers. Budget 2–3 hours for a thorough manual review.
- Automated audit: Use a website audit tool to run all checks at once. Our free website health check tool scans all 33 items server-side in under 10 seconds — no signup or email required.
- Frequency: Audit quarterly as a baseline, plus after any major update (theme changes, plugin updates, server migrations) or whenever traffic or leads drop unexpectedly.
Now, let’s work through the complete website audit checklist.
SEO Website Audit Checklist (8 Checks)
An SEO website audit identifies the technical issues that prevent search engines from finding, crawling, and ranking your content. These are the foundations. If they’re broken, no amount of content marketing will compensate. A website SEO audit should be the first thing you do before spending money on ads or link building.
1. Page title exists and contains your primary keyword
The <title> tag is the single most important on-page SEO element. It appears in browser tabs, search results, and social shares. Your title should be 50–60 characters, contain your primary keyword, and accurately describe the page content. A missing or generic title (“Home” or “Untitled”) is one of the most common — and most damaging — SEO mistakes.
2. Meta description is compelling and under 160 characters
The meta description doesn’t directly affect rankings, but it directly affects click-through rate. Google uses it as the preview text in search results. If yours is blank, Google generates one automatically — and it’s usually terrible. Write a clear, benefit-focused description under 160 characters that makes searchers want to click.
3. Single H1 heading containing target keyword
Every page should have exactly one H1 tag. It tells search engines what the page is about. Multiple H1s dilute the signal. No H1 means Google has to guess your topic from context — and it won’t guess as well as you’d write it. Include your primary keyword naturally in the H1.
4. Heading hierarchy is properly structured
Your headings should follow a logical order: H1 → H2 → H3. Don’t skip levels (H1 straight to H3) and don’t use headings for styling. Proper heading hierarchy helps search engines understand your content structure and improves accessibility for screen readers.
5. All images have descriptive alt text
Alt text serves two purposes: it describes images for visually impaired users, and it helps search engines understand image content. Every image should have alt text that describes what the image shows, not just “image1.jpg” or empty quotes. Include relevant keywords where natural, but don’t keyword-stuff.
6. Canonical URL is self-referencing
The canonical tag tells search engines which version of a page is the “official” one. Every page should have a self-referencing canonical URL pointing to itself. Without it, search engines may treat duplicate URLs (with/without trailing slashes, HTTP/HTTPS variants, query parameters) as separate pages, splitting your ranking signals.
7. Open Graph tags are set correctly
Open Graph meta tags (og:title, og:description, og:image) control how your page appears when shared on social media. Without them, platforms like LinkedIn and Facebook pull random content from your page — often with a missing image or a truncated description. Set these explicitly for every important page.
8. Structured data (JSON-LD schema) is present
Structured data helps Google understand your content type — whether it’s an article, a product, a local business, or an FAQ. Pages with proper schema markup are eligible for rich results in Google: star ratings, FAQ dropdowns, breadcrumbs, and more. These enhanced listings get significantly higher click-through rates than standard blue links.
Website Security Audit Checklist (6 Checks)
Security headers and HTTPS aren’t just about protecting data. Browsers actively warn users about insecure sites, and Google considers HTTPS a ranking factor. A security audit ensures your visitors and their data are protected, and that browsers trust your site enough to display it without warnings.
9. HTTPS with valid SSL certificate
This is non-negotiable. Every page on your site must load over HTTPS with a valid, non-expired SSL certificate. Google Chrome marks HTTP sites as “Not Secure” directly in the address bar. Beyond the trust issue, Google has confirmed that HTTPS is a ranking signal. If your SSL is expired or misconfigured, fix it before anything else.
10. HSTS header is enabled
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS, even if a user types HTTP. Without HSTS, there’s a brief window where a first-time visitor’s connection could be intercepted before the HTTPS redirect kicks in. This header eliminates that vulnerability entirely.
11. X-Content-Type-Options header is set
The X-Content-Type-Options: nosniff header prevents browsers from MIME-type sniffing — a technique where attackers trick browsers into executing malicious files by disguising their content type. It’s a single header that closes a known attack vector. There’s no reason not to enable it.
12. X-Frame-Options prevents clickjacking
Clickjacking attacks embed your site in an invisible iframe on a malicious page, tricking users into clicking buttons they can’t see. The X-Frame-Options header (set to DENY or SAMEORIGIN) prevents your pages from being framed by external sites. This is a standard security measure that every website should implement.
13. Content-Security-Policy is configured
The Content-Security-Policy (CSP) header controls which resources (scripts, styles, images, fonts) your page is allowed to load. A properly configured CSP prevents cross-site scripting (XSS) attacks by blocking the execution of unauthorised scripts. It’s the most powerful security header available, though it requires careful configuration to avoid breaking legitimate functionality.
14. No mixed content (HTTP resources on HTTPS pages)
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Modern browsers block mixed active content (scripts) entirely and display warnings for mixed passive content (images). This breaks functionality, triggers browser warnings, and undermines the trust that HTTPS is supposed to provide.
Website Performance Audit Checklist (5 Checks)
Page speed isn’t just a user experience factor — it’s a ranking factor. 53% of mobile users abandon pages that take longer than 3 seconds to load, according to Google’s own research. Every additional second increases bounce rate by another 32%. A performance audit identifies the bottlenecks that slow your site down.
15. Time to First Byte (TTFB) under 600ms
TTFB measures how long it takes for a browser to receive the first byte of data from your server after requesting a page. It reflects server processing speed, database query time, and network latency. A TTFB under 600ms is the target; under 200ms is excellent. If your TTFB is over 1 second, your server configuration, hosting, or backend code needs attention.
16. Total page size under 3MB
The total transfer size of a page includes HTML, CSS, JavaScript, images, fonts, and any other resources. Larger pages take longer to download, especially on mobile networks. Keep total page size under 3MB — ideally under 1.5MB. The biggest culprits are usually uncompressed images and unnecessary JavaScript libraries.
17. Compression enabled (GZip or Brotli)
Text-based resources (HTML, CSS, JavaScript) should be served compressed. GZip compression typically reduces file sizes by 60–80%. Brotli, the newer alternative, compresses even further. If compression isn’t enabled on your server, your visitors are downloading files 3–5 times larger than necessary. Check the Content-Encoding response header to verify.
18. No render-blocking resources in the head
Render-blocking resources are CSS and JavaScript files in the <head> that prevent the browser from displaying any content until they’ve fully loaded. Move non-critical JavaScript to the bottom of the page or add async/defer attributes. Inline critical CSS for above-the-fold content. The goal is to show something useful as fast as possible, even while the rest of the page is still loading.
19. No unnecessary redirect chains
Each redirect adds a full HTTP round-trip before the page starts loading. A single redirect is sometimes necessary (HTTP → HTTPS), but chains of 2–3 redirects (HTTP → HTTPS → www → final URL) can add 300–500ms of unnecessary latency. Audit your redirects and eliminate any unnecessary hops. One redirect maximum between any external link and your final page.
Website Usability Audit Checklist (6 Checks)
Usability checks ensure your website works correctly across devices, browsers, and for search engine crawlers. These are the foundational elements that every website needs — the technical plumbing that makes everything else possible.
20. Viewport meta tag is set (mobile responsive)
The viewport meta tag tells mobile browsers how to scale your page. Without it, mobile devices render your page at desktop width and then shrink it down — making text tiny and buttons impossible to tap. Over 60% of web traffic comes from mobile devices. If your site isn’t mobile responsive, you’re turning away the majority of your visitors.
21. Robots.txt is accessible and correctly configured
Your robots.txt file tells search engine crawlers which pages to crawl and which to ignore. If it’s missing, crawlers will try to access everything (including admin pages). If it’s misconfigured, you might accidentally be blocking your most important pages from being indexed. Check that your robots.txt exists, is accessible, and isn’t blocking anything important.
22. XML sitemap exists and is submitted
An XML sitemap is a list of all the pages on your site that you want search engines to index. It helps Google discover pages that might not be easily found through internal links alone. Submit your sitemap to Google Search Console to ensure all your important pages are being crawled and indexed.
23. HTML lang attribute is set correctly
The lang attribute on the <html> tag tells browsers and screen readers which language your content is in. It affects how text-to-speech tools pronounce your content, how browsers offer translation, and how search engines serve your pages to users in different regions. Set it to en for English, en-GB for British English, and so on.
24. Favicon is present and displays correctly
A missing favicon — that small icon in the browser tab — looks unprofessional. It also makes your site harder to find when users have multiple tabs open. More importantly, Google displays favicons in mobile search results. A missing or broken favicon means a grey globe icon next to your listing while competitors show their branded icons.
25. Character encoding is declared as UTF-8
The <meta charset="UTF-8"> declaration ensures that special characters, accented letters, and symbols display correctly across all browsers and devices. Without it, you might see garbled text, question marks, or broken characters — especially for users in non-English locales. Declare UTF-8 encoding in the first 1024 bytes of your HTML.
Website Conversion Audit Checklist (8 Checks)
This is where most website audit checklists stop — and it’s exactly where ours gets interesting. Technical SEO, security, and performance don’t generate leads on their own. They create the conditions for conversions to happen. The conversion audit checks whether your website is actually built to turn visitors into customers. This is what separates a website that looks good from one that performs.
If your website isn’t generating leads, this section will tell you why.
26. Clear call-to-action above the fold
The area visible before scrolling should contain a single, clear call-to-action. Not three buttons competing for attention — one primary action. Research from HubSpot shows that pages with a single CTA convert 13.5% of visitors, compared to 10.5% for pages with five or more competing CTAs. “Book a Free Consultation” beats “Learn More” every time.
27. Contact methods are visible and varied
Phone calls convert at 10–12 times the rate of web forms. Yet most websites bury their phone number on a Contact page three clicks deep. Your phone number should be in the header. Your email should be visible. You should offer at least two contact methods (phone, email, form, or live chat) without requiring visitors to navigate away from any page.
28. Trust signals are present (testimonials, reviews, logos)
Would you hand your email to a website with zero social proof? Neither would your visitors. Trust signals include client testimonials, Google Reviews ratings, client logos, industry certifications, and security badges. According to Spiegel Research Centre, displaying reviews can increase conversion rates by up to 270%. Place your strongest social proof within the first scroll of your homepage.
29. Social proof schema markup (Review/AggregateRating)
If you have reviews or ratings, mark them up with structured data. Google can display star ratings directly in search results — and listings with stars get significantly higher click-through rates than those without. Use Review or AggregateRating schema to make your social proof visible before visitors even click through to your site.
30. Pricing transparency
If your pricing is hidden behind a “Contact Us for a Quote” button, you’re filtering out a large segment of potential customers who want to self-qualify before reaching out. You don’t need to list exact prices — but a pricing page, starting-at ranges, or package tiers help visitors understand whether you’re in their budget. Transparent pricing builds trust and reduces friction.
31. Lead capture mechanism beyond a contact form
Remember: 96% of visitors aren’t ready to buy. If the only option on your website is “Contact Us” or “Request a Quote”, you’re only capturing the 4% who are already sold. Effective lead capture includes free tools (like our free website health checker), email newsletters, downloadable guides, and free consultations. Give visitors something valuable in exchange for their email address.
32. Privacy policy and legal pages linked in footer
Missing privacy policy and terms pages aren’t just a legal risk — they’re a trust signal. Visitors (and Google) expect to see these links in your footer. GDPR and similar regulations require a privacy policy if you collect any personal data, which includes contact forms, analytics cookies, and newsletter signups. If you don’t have them, create them.
33. Value proposition in H1 communicates benefit
Your H1 heading should answer one question: “What do you do, and why should I care?” If your H1 says “Welcome to [Company Name]” or just states your company name, you’ve wasted the most important real estate on your page. A strong value proposition communicates the outcome you deliver, not just who you are.
This is what sets a comprehensive website audit checklist apart from a simple technical scan. Most audit tools only check items 1–25. Items 26–33 determine whether your site actually converts visitors into business. Technical health means nothing if your site isn’t built to sell.
Free Website Audit Tool — Check All 33 Items Instantly
Working through this website audit checklist manually takes 2–3 hours. Or you can check all 33 items automatically in about 10 seconds.
Our free website audit tool runs every check on this list — server-side, not just a JavaScript scan. It fetches your page exactly as Google would, analyses the response headers, HTML structure, meta tags, performance metrics, and conversion elements, then scores you across all five categories with specific recommendations for each failing check.
What makes this free website health check tool different from alternatives:
- No signup required. No email, no account creation, no “enter your details to see results”. Enter a URL and get your results immediately.
- Server-side analysis. We actually fetch and parse your page, measure real TTFB, and analyse response headers. This catches issues that browser-only tools miss.
- Conversion checks included. The 8 conversion checks (items 26–33) are unique. Competitors like GTmetrix, Lighthouse, and Ahrefs only check technical factors. Ours checks whether your site is built to generate business.
- Specific, actionable recommendations. Not just “improve your SEO” — specific issues like “missing meta description” or “no call-to-action detected above the fold”.
Run your free website audit now →
What Fixing These Issues Actually Looks Like
| Metric | Before Audit | After Fixing Issues | Impact |
|---|---|---|---|
| Google ranking (target keyword) | Page 3+ | Page 1 | +2,000% visibility |
| Page load time | 4.2s | 1.8s | –57% |
| Bounce rate | 68% | 39% | –43% |
| Monthly organic leads | 4 | 22 | +450% |
| Security headers | 1/6 | 6/6 | Full protection |
The pattern is consistent: businesses that work through a website audit checklist regularly and fix the issues they find see measurable improvements within weeks, not months. The cost of not auditing is invisible — you don’t see the leads you’re losing, the rankings you’re missing, or the visitors who leave because your site is slow or untrustworthy.
“An audit without action is just a report. The value isn’t in knowing what’s broken — it’s in fixing it. Start with the items that are easiest to fix and have the highest impact on conversions.”
How Often Should You Audit Your Website?
A website audit isn’t a one-off exercise. Your site changes over time — new content, plugin updates, server changes, and shifting Google algorithms all affect your score. Here’s when to run through your website audit checklist:
- Quarterly (minimum). Set a calendar reminder. Even if nothing has changed, a quarterly audit catches issues that creep in gradually — expired SSL certificates, broken links, new mixed content from recent updates.
- After any major update. Theme changes, plugin updates, server migrations, CMS upgrades — any of these can break security headers, alter page speed, or remove meta tags. Audit immediately after.
- After publishing significant new content. New pages, new blog posts, new landing pages — check that they follow the same standards as your existing content. It’s easy to publish a page with a missing meta description or broken heading hierarchy.
- When traffic or leads drop unexpectedly. A sudden drop in organic traffic or conversion rate often has a technical root cause. Run an audit before assuming your marketing stopped working.
The businesses that audit consistently are the ones that maintain their rankings, keep their conversion rates stable, and catch problems before they become crises. If you want to automate your business processes more broadly, regular website audits should be one of the first recurring tasks you systematise.
The Bottom Line
This website audit checklist covers everything that matters: 8 SEO checks, 6 security checks, 5 performance checks, 6 usability checks, and 8 conversion checks. That’s 33 items that determine whether your website ranks, loads fast, stays secure, works on every device, and — most importantly — converts visitors into leads and customers.
You can work through the website audit checklist manually using the guide above. Or you can run all 33 checks automatically with our free website health check tool in under 10 seconds. Either way, the sites that audit regularly outperform those that don’t. It’s not a question of if you should audit — it’s a question of how much business you’re leaving on the table by not doing it.
If your audit reveals conversion issues, our guide on why your website isn’t generating leads goes deeper into fixing the structural problems that prevent sites from converting. And if you’re looking to improve your overall business ROI through automation, start with the website — it’s the foundation everything else is built on.
Found issues in your audit? Book a free 15-minute consultation — we’ll prioritise what to fix first and walk you through exactly how to do it, whether you work with us or not.
