Site Audit Checklist

Often our first action with a new client/partner is to perform an audit of their existing WordPress site. This checklist can help you make sure you’ve covered all the key points. Feel free to check out the examples below before starting.

Hosting Environment

  • Are they using a host without any known issues around WordPress support, performance, or security?
  • Do they have a secure login with 2FA enabled?
  • Is the site using forced SSL?
  • Are backups enabled and verified to be working?
  • Does the environment offer any WordPress-specific optimizations, and are they enabled and helping?
  • Has the client had any pain points in hosting their site there?
  • Are they using a DNS provider with reasonably fast response times (i.e. one of the top ones in this list)?
  • Is there a staging environment available for testing changes?
  • Does the website sit behind Cloudflare or another similar service?

WordPress Environment

  • Is core up to date?
  • Are all the plugins up to date?
  • Is Jetpack installed and connected?
  • Are backups (VaultPress or Rewind) enabled?
  • Are there any conflicting, duplicative or otherwise problematic plugins in use? NB: some block plugins may no longer be needed, as WordPress core now does this natively.
  • Are they using any plugins (especially Pro ones) that could be replaced with core + Jetpack functionality?
  • Are there any errors or warnings in wp-admin?
  • Do they have a reasonable number of Administrator roles?
  • Is 2FA enabled and in use for user logins?
  • Is the theme in use something from the .org directory, and is it up to date? If not, try to download the theme code and run it in Theme Check to see how it matches up against our code standards.
  • Is the site a multisite? (Jetpack Scan and Backup do not support multisite)
  • Are we auditing one site in the multisite only? Are all our suggestions about plugins applicable for the multisite context? e.g. the site we’re auditing might not use a plugin which is used on other sites in the multisite.

Site Performance

  • How does the site fare on https://pagespeed.web.dev/ ?
  • How does the site fare in both the desktop and mobile tests?
  • Is the TTFB below 500ms?
  • Is the payload size of the front page and key pages reasonable, under 1MB if possible?
  • Is there some kind of page-level caching in use? Object caching?
  • Lazy loading is now natively supported by WordPress and modern browsers. Is the theme supporting this?
  • Is the largest contentful paint object e.g. header or hero image, NOT being lazy loaded?
  • Is gzip compression enabled where relevant?
  • Are static assets served with caching headers/expiration?
  • Are they using a CDN of some kind?
  • Is there any JS and CSS minification or concatenation going on?
  • As you browse through the site, are there any obviously broken pages, images, content?
  • How does accessibility look when running the site through https://web.dev/measure/ ?
  • What does our Accessibility tool turn up?

Once you’ve completed your audit, write up your findings (usually in a Google Doc – see the examples below). We should always make sure to include a note about installing Jetpack and activating backups, monitoring, and performance features like Photon. Get peer review and feedback if needed. Deliver the write-up as a PDF attachment to the client along with an in-email summary of the key action items we want them to approve.

Examples

The examples here can give you an idea of how an audit could look. The fun part is that every audit is different, because every site is different, so you’ll want to treat these as helpful starting points, rather than explicit worksheets to be filled out.

  • Here’s an optional template Google Doc for writing up your recommendations. Start by making a copy.
Here’s an optional markdown note-taking format to gather details as you explore/test (this is an example of how one person took notes in the past, and might not match what data you collect).
<PROJECT/SITENAME> Site Audit

General Notes

# Hosting

	* Hosting Company: 
	* Site IP: 
	* Notes (on hosting provider): 
	* Hosting-provided WP optimizations: 
	* SSL: 
	* Client pain points with hosting: 
	* DNS: 
	* MX: 
	* NS: 
	* Ranking of DNS: 
	* Staging environment: 
	* Cloudflare: 
	* Other Caching: 


# WordPress Environment

	* Core Version: 
	* Plugins Current: X/Y (X = needs update, Y = total plugins)
		* <Plugin Name>: <Installed Version> vs. <Current Version>
	* Known Plugin Conflicts: 
	* Jetpack Installed: 
	* Backups Present/Verified: 
	* Plugins that can be replaced by core + Jetpack: 
	* Errors/Warnings in wp-admin: 
	* Reasonable Number of Admin Roles: 
	* 2FA: 
	* Theme Info: <Theme Name>, <Version>, <URL of Theme if relevant>
	

# Site Performance

	* Webpagetest.org Results
		* Test Results URL: 
		* TTFB: 
		* Keep-alive: 
		* Compress Transfer: 
		* Compress Images: 
		* Cache static content: 
		* Effective use of CDN: 
		* Load Time: 
		* Start Render: 
		* Speed Index: 
		* First Interactive: 
		* Requests: 
		* Fully Loaded: 
		* Bytes In:


	* Lighthouse Results - Desktop / Mobile
		* Performance: /
			* First Contentful Paint: /
			* Speed Index: /
			* Time to Interactive: /
			* First Meaningful Paint: /
			* First CPU Idle: /
			* Estimated Input Latency: /
		* Opportunities
			* 
		* Diagnostics
			* 
		* Accessibility: /
			* 
		* Best Practices: /
			* 
		* SEO: /
		
	* Total Payload: 
	* gzip Compression: 
	* CDN: 
	* JS/CSS Minification: 
	* Broken pages, content, images, etc.: