How often should I audit my website?

For sites under active development, run a full audit monthly and a quick health check weekly. Stable marketing sites can get away with quarterly audits plus a re-audit after every deploy that touches the template, CDN, or DNS. Compliance-heavy sites (finance, healthcare, EU B2C) should audit quarterly at minimum and after every vendor change that adds a tracker.

What does a website audit cost?

A free website audit using BeaverCheck costs nothing — enter a URL at beavercheck.com and get all 100+ checks. Agency-delivered audits typically run $500–$5,000 depending on scope. Enterprise audits bundled with a remediation plan go from $10,000 to $50,000+. The tooling is mostly free; you're paying for the analyst time to interpret and prioritize.

How long does a website audit take?

A BeaverCheck automated audit completes in 60–90 seconds. A human-led audit by an agency typically takes 5–15 business days: 1–2 days of crawling, 3–5 days of analysis, and 2–5 days writing up findings and the remediation roadmap. Ongoing monitoring audits should run daily in the background and only produce a report when something regresses.

What is a technical SEO audit?

A technical SEO audit checks the parts of SEO that don't involve content or backlinks: crawlability (robots.txt, sitemap, internal links), indexability (canonical tags, noindex directives, hreflang), site architecture, Core Web Vitals, mobile usability, structured data, and HTTPS. It answers the question 'can search engines find, render, and understand every page?' rather than 'is the content any good?'.

Do I need a website audit?

Yes, if any of the following apply: traffic has dropped without a clear cause, you're planning a redesign or replatform, you just inherited the site, you're preparing a competitive analysis, a client or board member asked, or you're chasing a compliance deadline (GDPR, WCAG, PCI). Even healthy sites benefit from a quarterly check because third-party scripts, expiring certificates, and DNS drift accumulate silently.

What is the difference between an SEO audit and a website audit?

A website audit is the superset. SEO audit covers crawlability, indexability, on-page signals, and content. A full website audit also covers performance, security headers, accessibility, infrastructure (DNS, CDN, email records), legal compliance (GDPR, CCPA, cookies), and availability. If you only audit SEO, you'll miss the CSP header a security reviewer will flag, the color contrast failure a lawyer will flag, and the expiring SSL certificate that will take the whole site offline.

Can I audit my website myself?

Yes — the checklist below is designed to be walked through in a single afternoon with free tools. Run BeaverCheck to get the automated half (85+ of the 100+ checks), then manually verify the remaining items that need judgment: document outline, sitemap submission status, consent banner coverage. If you've never done one, budget 4–6 hours for your first audit; it will drop to 90 minutes once you know the site.

What tools do I need for a website audit?

For the automated checks: BeaverCheck (free, no account) covers Lighthouse, headers, SSL, DNS, redirects, and tech detection in one run. For manual verification: Google Search Console (indexing), Chrome DevTools Lighthouse (local Core Web Vitals), axe DevTools (deep accessibility), and a text editor to document findings. That's the whole kit.

What should be in a website audit report?

A good audit report has four parts: (1) executive summary with the top 5 findings ranked by business impact, (2) a scored dashboard across the eight audit dimensions, (3) a detailed findings list with severity, evidence screenshot, and recommended fix, and (4) a prioritized remediation roadmap with effort estimates. Skip the 80-page PDF — no one reads those.

How do I audit a competitor's website?

Run the competitor's domain through BeaverCheck the same way you'd run your own. Since it only uses publicly observable signals, no account or permission is needed. Compare the scored dashboards side by side: their LCP vs. yours, their header set vs. yours, their structured data coverage vs. yours. Do not run internal tools (GSC, analytics) against a competitor — you'll only have public data.

What is a website health check?

A website health check is a lightweight audit — usually 10–20 checks across availability, performance, and security — run frequently (daily or weekly) to catch regressions. A full audit is exhaustive and run periodically. Think of the health check as a smoke test and the audit as the annual physical.

How do I prioritize findings from a website audit?

Score each finding on two axes: business impact (revenue, legal risk, brand trust) and engineering effort (hours to fix). Sort by impact / effort ratio. Fix the high-impact, low-effort items first (missing meta descriptions, HSTS header, HTTPS redirect — all under an hour each) before tackling the expensive stuff (replatforming for Core Web Vitals, rewriting the CSP).

Website Audit Checklist — 100+ Checks Across 8 Dimensions

What is this?

A website audit is a structured review of everything that determines whether your site works, ranks, stays online, stays legal, and stays fast. Most "audit checklists" you find online cover one axis — usually SEO — and leave you with an incomplete picture. A page can have perfect meta tags and still leak sensitive data through a missing Content-Security-Policy header, or rank number one and still fail the WCAG contrast requirement that gets you sued in California.

This checklist covers all eight axes that actually matter: performance, security, accessibility, SEO, infrastructure, content, compliance, and availability. It is written to be walked through in order, one item at a time, with a place to document findings and a clear link to the tool that verifies each check. We built it because every client audit we have done in the last decade has used some version of this list, and every time we went looking for a public version of it we could not find one that was both comprehensive and platform-neutral.

Use the checklist like this. Start by running a full audit on BeaverCheck — that takes about a minute and covers roughly 85 of the 100+ checks below automatically. Open the result page in one tab and this checklist in another. Walk through each section, tick off items that pass, and for each failure write down the evidence (screenshot, header value, network waterfall) and a one-line recommendation. At the end, sort your findings by severity and engineering effort, and build a remediation roadmap. That is the entire methodology; the rest is discipline.

Checklists beat ad-hoc scans because every site has a long tail of issues that a single tool will miss. Your performance tool will not look at your cookie flags. Your SEO crawler will not validate your TLS certificate. Your accessibility scanner will not tell you your DNS is slow from Asia. The checklist is the forcing function that ensures every dimension gets looked at before you sign off on "the site is healthy."

The 8 audit dimensions at a glance

Dimension	What it measures	Green	Yellow	Red
Performance	How fast pages render and respond to input	LCP < 2.5s	2.5s–4.0s	> 4.0s
Security	Protection against XSS, MITM, clickjacking, data leaks	A+ on headers	Missing 1–2	No HTTPS, no HSTS
Accessibility	Usability for people with disabilities (WCAG 2.1 AA)	0 violations	1–5 violations	6+ violations
SEO	Findability and indexability in search engines	All pages OK	1–10% issues	> 10% issues
Infrastructure	DNS, CDN, email records, IPv6, redirect hygiene	All correct	Minor gaps	DNS/MX broken
Content	Document structure, outbound links, no mixed content	No issues	Minor issues	Mixed content
Compliance	GDPR, CCPA, cookie consent, legal pages	All present	Missing 1	No privacy policy
Availability	Uptime, mobile response, HTTP/2+, IPv4/IPv6	99.9%+ up	Occasional 5xx	Frequent downtime

The thresholds are starting points, not absolutes. A small internal tool does not need a CDN; a consumer e-commerce site with EU traffic cannot skip the cookie banner. Adjust for your risk tolerance and audience, but do it deliberately and document the exception.

1. Performance

Performance is the first thing users feel and the first thing Google measures for Core Web Vitals. Fix performance first because every other dimension (SEO, accessibility, conversions) gets easier when the page is fast.

Largest Contentful Paint (LCP) below 2.5s on mobile — the main visual element loads quickly. Measured in the BeaverCheck Lighthouse tab.
Interaction to Next Paint (INP) below 200ms — tap and click responses feel instant. INP guide.
Cumulative Layout Shift (CLS) below 0.1 — content does not jump around while loading.
First Contentful Paint below 1.8s on mobile 4G — the first pixel of meaningful content appears quickly.
Time to First Byte (TTFB) below 800ms — the server responds quickly before rendering begins. TTFB guide.
Render-blocking JavaScript in <head> is deferred or async — scripts do not block the first paint. Render-blocking guide.
Render-blocking CSS is minimal and critical styles are inlined — the browser can paint without a round trip.
Total JavaScript bundle size below 200KB gzipped on the landing route. Large JS bundles guide.
Images below the fold are lazy-loaded with loading="lazy" — off-screen images do not block the main thread.
Critical above-the-fold images are preloaded with <link rel="preload" as="image">.
Images are served in modern formats (WebP or AVIF) where the browser supports them. Modern image formats guide.
Images are sized correctly for their container — no 2000px source for a 400px slot.
Responsive images use srcset and sizes so mobile downloads the mobile asset.
Web fonts use font-display: swap so text is never invisible during font load. Font-display guide.
Font files are subset to the characters actually used and preloaded.
Third-party scripts account for less than 30% of main-thread time — ads, analytics, chat widgets are the usual culprits.
Cache-Control headers set long TTLs on static assets with hashed filenames.
gzip or brotli compression is enabled for all text responses.
No request waterfall longer than 3 levels deep on the critical rendering path.

2. Security

Security findings are the ones that turn into incidents. Every item below has a direct vector: missing HTTPS enables MITM, missing CSP enables XSS, weak cookies enable session theft. Fix these before you worry about OG tag optimization.

HTTPS is enforced via a 301 redirect from HTTP to HTTPS — no page ever loads over plain HTTP. Redirect Checker and HTTPS redirect guide.
HSTS header is set with max-age of at least 6 months — browsers refuse to connect over HTTP. Security Headers Checker and HSTS guide.
HSTS has includeSubDomains if all subdomains support HTTPS.
HSTS has preload directive and the domain is submitted to the browser preload list for long-term sites.
Content-Security-Policy header is set and does not use 'unsafe-inline' or 'unsafe-eval' unless documented. CSP guide.
X-Frame-Options is set to DENY or SAMEORIGIN, or CSP frame-ancestors is set — the page cannot be iframed by attackers.
X-Content-Type-Options is set to nosniff — browsers do not guess content types.
Referrer-Policy is set to strict-origin-when-cross-origin or stricter — you do not leak full URLs to third parties.
Permissions-Policy explicitly denies unused browser features (camera, microphone, geolocation, payment, USB).
SSL certificate is valid and more than 30 days from expiry — set a calendar alert. SSL Checker.
SSL certificate covers all hostnames the site is reachable at (apex, www, subdomains).
TLS 1.2 or 1.3 only — TLS 1.0 and 1.1 are disabled at the server.
Cookies have Secure, HttpOnly, and SameSite flags set appropriately. Cookie Security guide.
Session cookies use SameSite=Lax or Strict, not None unless cross-site POST is required.
No known-vulnerable JavaScript libraries in use — check jQuery, Bootstrap, React versions against CVE database.
Subresource Integrity (SRI) attributes on every third-party <script> and <link rel="stylesheet">. SRI guide.
.git, .env, .DS_Store, backup/ are not publicly accessible — try fetching them directly.
No sensitive data (API keys, internal emails, employee names) embedded in JavaScript bundles.
Server headers do not leak version numbers (Server: Apache/2.4.41 is a reconnaissance gift).
Rate limiting is in place on login, signup, and form submission endpoints.

3. Accessibility

Accessibility is both an ethical obligation and a legal one. WCAG 2.1 AA is the minimum compliance target in the EU (EN 301 549), US (ADA Title III case law), Canada, and Australia. Failing contrast ratio alone has produced multi-million-dollar settlements.

Every <img> has an alt attribute — decorative images use alt="", content images use descriptive text. Alt text guide.
Color contrast meets WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text (18pt+ or 14pt+ bold). Contrast Checker.
Heading hierarchy has no skipped levels — no H1 → H3 jumps, exactly one H1 per page. Heading hierarchy guide.
The <html> element has a lang attribute (<html lang="en">). Lang attribute guide.
Every form field has an associated <label> (either wrapping, for-matched, or aria-label).
All interactive elements are keyboard-accessible — you can tab to every button, link, and form control.
Focus indicators are visible — do not outline: none without replacing with a visible alternative.
ARIA attributes are used correctly and not redundantly (do not put role="button" on a <button>).
Touch targets are at least 48×48 CSS pixels with at least 8px of spacing between them.
Error messages are associated with their form field via aria-describedby and announced to screen readers.
Content order in the DOM matches visual order — do not use CSS to rearrange reading flow.
Video has captions; audio has transcripts.
No content relies on color alone to convey meaning (error states have an icon or text, not just red).
Page is usable at 200% browser zoom without horizontal scrolling on desktop viewports.
Motion respects prefers-reduced-motion — auto-playing carousels and parallax stop when the user opts out.

4. SEO

SEO audits check whether search engines can find, crawl, and understand every page you want indexed. The items below are the technical basics that apply to every site; content quality and link equity are separate concerns.

Every page has a unique <title> tag, 50–60 characters, with the primary keyword near the front.
Every page has a unique meta description, 120–160 characters, written for humans. Meta description guide.
<link rel="canonical"> is set correctly on every page and points to the preferred URL.
robots.txt exists, is reachable at /robots.txt, and does not block content pages. Robots.txt guide.
sitemap.xml exists, is valid XML, lists only canonical URLs, and is referenced from robots.txt via Sitemap:.
Site is verified in Google Search Console and Bing Webmaster Tools.
Sitemap has been submitted in Google Search Console and shows no coverage errors.
Structured data (JSON-LD) is present on key page types: Organization on homepage, Article on blog posts, Product on commerce pages, FAQPage on FAQ pages, BreadcrumbList on deep pages.
Open Graph tags (og:title, og:description, og:image, og:url) are set on all shareable pages.
Twitter Card tags (twitter:card, twitter:title, twitter:image) are set.
Viewport meta tag is set: <meta name="viewport" content="width=device-width, initial-scale=1">. Viewport guide.
No broken internal links — every internal <a href> returns 200 or a redirect chain ending in 200.
Every content page is reachable within 3 clicks from the homepage via internal links.
hreflang tags are set correctly and reciprocally if the site has multiple language versions.
noindex directive is not accidentally present on pages that should rank (check <meta name="robots"> and X-Robots-Tag).
URL structure is flat, readable, and uses hyphens (/about-us, not /index.php?id=42).
Redirect chains are at most one hop — avoid A → B → C.
404 pages return HTTP 404, not 200 with a "not found" message (soft 404).

5. Infrastructure

Infrastructure is the plumbing. When it fails, everything fails. Most of these checks take seconds but prevent multi-hour outages.

DNS resolves quickly — under 100ms from resolvers in the US, EU, and Asia. DNS Checker.
DNS has at least two nameservers on different networks for redundancy.
A records are present for the apex domain and www subdomain.
AAAA records (IPv6) are present if the server supports IPv6.
MX records are configured correctly if email is expected on the domain.
SPF record is set and lists only authorized senders (v=spf1 ... -all).
DKIM selectors are set for every email-sending service (Google Workspace, SendGrid, Mailchimp).
DMARC record is set with p=quarantine or p=reject and an rua reporting address.
CAA record is set to restrict which Certificate Authorities can issue certs for your domain.
CDN sits in front of all static assets — images, CSS, JS, fonts served from edge locations.
www and non-www versions both resolve and one 301-redirects to the other (consistent canonical). Redirect Checker.
Trailing slash handling is consistent — either always present or always absent, with a 301 between the two forms.
TTLs on critical records (A, MX) are set to a value that supports quick failover (300–3600s for production).
Domain registration is more than 90 days from expiry with auto-renewal enabled.

6. Content

Content checks are the things a crawler can verify about the document itself — not editorial quality, but structural correctness.

No mixed content — an HTTPS page never loads HTTP <script>, <img>, <iframe>, or stylesheet resources.
Blog or news section has an RSS or Atom feed linked from <head> via <link rel="alternate">.
All outbound links to third-party domains have rel="noopener" when using target="_blank" — prevents reverse tab-nabbing.
Outbound links to untrusted content have rel="ugc" or rel="sponsored" as appropriate.
No broken outbound links — every external <a href> resolves.
Content has a clear H1 and a logical document outline (H1 → H2 → H3, no skipped levels).
Tables use <th> for header cells and scope="col" or scope="row" attributes.
Lists use <ul> or <ol> — not <div> with bullet characters.
No Lorem Ipsum, TODO, or [placeholder] text in production HTML.
No duplicate content across pages — near-identical pages are canonicalized or consolidated.

7. Compliance

Compliance is the dimension where ignoring a check has regulator-sized consequences. Start with the jurisdictions your traffic actually comes from — BeaverCheck detects this automatically — and work through the requirements.

Privacy policy is linked from the footer on every page.
Privacy policy lists every third-party data processor (analytics, ads, chat, CDN, CRM).
Terms of Service are linked from the footer on every page.
Cookie consent banner is shown to EU visitors before any non-essential cookies are set (GDPR + ePrivacy Directive).
Consent is opt-in, not opt-out — no pre-ticked boxes, no "by using this site you agree."
Rejecting cookies is as easy as accepting them — equal prominence, equal number of clicks.
CCPA "Do Not Sell or Share My Personal Information" link is present if you track California visitors and meet the CCPA thresholds.
Cookie policy documents every cookie the site sets, with purpose and retention period.
GDPR-required rights are described: access, rectification, erasure, portability, objection.
Data Protection Officer contact is published if required (EU public authorities, large-scale monitoring, sensitive data processing).
If you use Google Analytics, you have a Data Processing Addendum in place and IP anonymization enabled.
No third-party tracker fires before consent is captured — verify in DevTools Network tab with a fresh browser session.

8. Availability

Availability is the dimension that shows up as a customer support ticket when it fails. These checks confirm the site is reachable, everywhere, over modern protocols.

HTTP/2 or HTTP/3 is enabled — verify in Chrome DevTools Network tab under the Protocol column.
Server responds correctly on both IPv4 and IPv6 (if AAAA records are set).
Mobile user agents receive a mobile-friendly response (no m. subdomain with outdated content).
/robots.txt and /sitemap.xml both return HTTP 200.
/favicon.ico returns 200 or a 301 to the real favicon — not 404.
5xx errors represent under 0.1% of requests in server logs over the last 30 days.
Uptime monitoring is configured from at least 3 geographic regions with alerting.
Error pages (404, 500) return the correct status code and render a helpful, on-brand message.
Health check endpoint exists for the origin and returns 200 when dependencies are healthy.

How to fix it

Step 1 — Run a full BeaverCheck audit

Enter your URL at beavercheck.com and wait about 60 seconds. The result page breaks findings into the same dimensions as this checklist: Lighthouse, HTTP, Security, Content, Performance, Infrastructure, Compliance, Availability, Accessibility, SEO, Technology, Screenshots, and Changes. Keep that tab open. If your site requires authentication or is behind a VPN, use the free tools instead — Redirect Checker, SSL Checker, Security Headers Checker, DNS Checker, Contrast Checker — and run them piece by piece. You need the automated half of this audit before the manual half makes sense.

Step 2 — Walk through this checklist with the audit open

Open this checklist in one tab and the BeaverCheck result page in another. Work through each of the eight sections in order, top to bottom. For every item, either tick it off or write a one-line finding: what failed, what the evidence is (header value, screenshot, request waterfall), and a one-line recommendation. Do not try to fix anything yet — the goal of this pass is to produce a complete, deduplicated list of findings. You will miss things if you switch between "find" and "fix" mode. Budget 90 minutes for a site you know well, four hours for one you do not.

Step 3 — Triage findings by severity and effort

Score every finding on two axes: business impact (revenue loss, legal risk, brand trust, developer velocity) and engineering effort (hours to ship a fix). Sort by impact divided by effort. Fix the high-impact, low-effort items first — missing HSTS header, missing meta descriptions, HTTPS redirect, cookie Secure flag — these are typically under an hour each and unlock the higher-effort work. Group the remaining findings into three buckets: this sprint, this quarter, this year. Expensive items (replatforming, CSP rollout, full WCAG remediation) go in the quarter or year bucket with a named owner and a budget line. Do not promise the client or your boss everything will be fixed next week; promise the right things will be fixed first.

Step 4 — Re-audit after fixes to verify

After shipping each batch of fixes, re-run BeaverCheck and compare the new score against the baseline. The Changes tab shows the deltas explicitly. Do not trust the fix is live just because CI is green — production configuration, CDN edge cache, and DNS TTLs can delay the change by hours. Verify from a fresh browser session in an incognito window, from a network other than the one you deployed from, and, if possible, from a different geographic region. Close the finding only when the re-audit shows it passing. Schedule the next full audit for 30 days out if the site is under active development, 90 days out otherwise.

How often should you audit?

Sites under active development — daily deploys, frequent content changes, new third-party scripts — need a full audit monthly and a lightweight health check weekly. The health check can be as simple as a BeaverCheck run with an alert on score regression.

Stable marketing sites that change quarterly can be audited quarterly, plus a targeted re-audit after any deploy that touches the template, CDN configuration, DNS, or analytics stack. Those are the changes most likely to introduce regressions without anyone noticing.

Compliance-heavy sites — finance, healthcare, EU B2C, anything that processes special-category personal data — should audit every quarter at minimum, and immediately after any change to the vendor list or the cookie banner. The audit trail matters as much as the audit itself; keep dated result pages or PDF exports for two years.

Regardless of cadence, always audit: after inheriting a site, before a major launch or replatform, when traffic drops without an obvious cause, after a vendor is added or removed, and when any regulator announces enforcement priorities that might apply to you. The audit is cheap; the incidents it prevents are not.

Browse & Analyze

Learn

Website Audit Checklist — 100+ Checks Across 8 Dimensions

Website Audit Checklist — 100+ Checks Across 8 Dimensions

What is this?

The 8 audit dimensions at a glance

1. Performance

2. Security

3. Accessibility

4. SEO

5. Infrastructure

6. Content

7. Compliance

8. Availability

How to fix it

Step 1 — Run a full BeaverCheck audit

Step 2 — Walk through this checklist with the audit open

Step 3 — Triage findings by severity and effort

Step 4 — Re-audit after fixes to verify

How often should you audit?