Website Audit Checklist: The Complete Health Check

A complete website audit checklist covering technical health, SEO, security, content, performance, and monitoring. Use this as a repeatable framework for keeping your site in top shape.

A website audit is a systematic review of everything that affects how your site performs, ranks, and serves visitors. Done well, it catches problems before they become outages, ranking drops, or security breaches. Done poorly, or not at all, issues accumulate silently until something breaks in a visible way.

This checklist covers six audit categories: technical infrastructure, SEO, security, content, performance, and monitoring. Each section includes specific items to check, what to look for, and how often to review. For a broader guide to ongoing site maintenance, see the website maintenance and monitoring guide.

Technical Infrastructure Audit

Technical issues are the foundation. If your server is not responding, nothing else matters.

Uptime and Availability

  • [ ] Verify that your site returns a 200 status code from multiple geographic locations
  • [ ] Check recent uptime history for patterns (recurring downtime at specific times, brief outages during deployments)
  • [ ] Confirm that your monitoring tool checks frequently enough (every 1 to 5 minutes for production sites)
  • [ ] Test that your alerting actually works by triggering a test alert
  • [ ] Verify that your site responds within acceptable timeframes (under 500ms for the initial response, under 3 seconds for full page load)

For a detailed monitoring setup, see the website monitoring checklist.

DNS Configuration

  • [ ] Verify that all DNS records are correct (A, AAAA, CNAME, MX, TXT)
  • [ ] Check that nameservers are responding and properly delegated
  • [ ] Confirm that TTL values are appropriate (not too short for stable records, not too long for records you might need to change)
  • [ ] Verify SPF, DKIM, and DMARC records for email authentication
  • [ ] Check for any unexpected DNS records that should not be there

Use dig or nslookup to query your records directly. For automated monitoring, DNS monitoring catches unauthorized changes between manual audits.

SSL/TLS Certificates

  • [ ] Verify that your SSL certificate is valid and not expired
  • [ ] Check the certificate chain for completeness (intermediate certificates included)
  • [ ] Confirm that your certificate covers all domains and subdomains you serve (including www and non-www)
  • [ ] Verify that HTTP requests redirect to HTTPS (see redirect guide)
  • [ ] Check for mixed content (HTTP resources loaded on HTTPS pages)
  • [ ] Verify TLS version (TLS 1.2 minimum, TLS 1.3 preferred)
  • [ ] Set a reminder for certificate renewal at least 30 days before expiration
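
An added example (not part of the original page) that automates two items from the list above: the 30-day renewal window and coverage of every hostname you serve. The certificate is a constructed sample in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the hostnames and the audit_cert and name_matches helpers are illustrative names.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Jun 20 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.shop.example.com")),
}

def name_matches(pattern, host):
    """Match a SAN entry against a hostname; '*' covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def audit_cert(cert, hosts, now, renew_days=30):
    """Return findings: expired, inside the renewal window, or hostnames not covered."""
    findings = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left < renew_days:
        findings.append(f"renew: {days_left} days left")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for host in hosts:
        if not any(name_matches(s, host) for s in sans):
            findings.append(f"not covered: {host}")
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    served = ["example.com", "www.example.com", "a.shop.example.com"]
    for finding in audit_cert(SAMPLE_CERT, served, now):
        print(finding)
```

The sample shows a common gap: a certificate issued for the bare domain does not cover www, and a wildcard covers only one label below its base name.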

Domain Registration

  • [ ] Confirm that your domain registration has not expired and is not close to expiring
  • [ ] Verify that domain auto-renewal is enabled
  • [ ] Check that WHOIS contact information is current
  • [ ] Confirm that the registrar lock (domain transfer lock) is enabled
  • [ ] Verify nameserver assignments match your intended DNS provider

Redirects

  • [ ] Audit existing redirect rules for correctness (301 vs 302 usage)
  • [ ] Check for redirect chains (A to B to C) and shorten them where possible
  • [ ] Verify that HTTP to HTTPS redirects are in place
  • [ ] Verify that www/non-www canonical redirects are consistent
  • [ ] Test that old URLs from previous site structures still redirect properly
  • [ ] Check for redirect loops

Use Redirect Tracer to visualize redirect chains and verify status codes.
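
An added example (not part of the original page) of the checks in this list: chains, loops, 301 vs 302 usage, and a missing HTTP to HTTPS redirect. To stay runnable offline it walks a constructed redirect table instead of live responses; the URLs and the trace helper are illustrative.

```python
# Constructed redirect table: URL -> (status code, Location target).
# URLs absent from the table are treated as final (non-redirect) responses.
REDIRECTS = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/old": (302, "https://www.example.com/new"),
    "https://www.example.com/a": (301, "https://www.example.com/b"),
    "https://www.example.com/b": (301, "https://www.example.com/a"),
}

def trace(start, table, max_hops=10):
    """Follow redirects from start; return (hops, findings)."""
    url, hops, findings, seen = start, [], [], {start}
    while url in table and len(hops) < max_hops:
        status, target = table[url]
        hops.append((url, status, target))
        if status == 302:
            findings.append(f"302 at {url}: use 301 if the move is permanent")
        if target in seen:
            # The target was already visited, so following it would never end.
            findings.append(f"loop back to {target}")
            return hops, findings
        seen.add(target)
        url = target
    if len(hops) > 1:
        findings.append(f"chain of {len(hops)} hops; redirect straight to {url}")
    if start.startswith("http://") and not url.startswith("https://"):
        findings.append("no HTTP to HTTPS redirect")
    return hops, findings

if __name__ == "__main__":
    for start in ("http://example.com/", "https://www.example.com/old",
                  "https://www.example.com/a"):
        hops, findings = trace(start, REDIRECTS)
        print(start, "->", len(hops), "hop(s):", findings or "ok")
```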

SEO Audit

SEO issues compound over time. Small problems that go unnoticed for months can result in significant ranking losses.

Crawlability

  • [ ] Verify your robots.txt file allows search engines to crawl important pages
  • [ ] Check that your XML sitemap is current, accessible, and submitted to Google Search Console
  • [ ] Look for pages that return 404 or 5xx errors in Google Search Console's coverage report
  • [ ] Check for noindex tags on pages that should be indexed
  • [ ] Verify canonical tags point to the correct URLs
  • [ ] Check for orphan pages (pages not linked from anywhere on your site)

On-Page SEO

  • [ ] Verify that every page has a unique, descriptive title tag (50 to 60 characters)
  • [ ] Check meta descriptions for uniqueness and relevance (150 to 160 characters)
  • [ ] Verify proper heading hierarchy (one H1 per page, logical H2/H3 structure)
  • [ ] Check that images have descriptive alt text
  • [ ] Verify internal links are working and use descriptive anchor text
  • [ ] Check for duplicate content across your site

Structured Data

  • [ ] Verify that structured data (JSON-LD) is present and valid on relevant pages
  • [ ] Test structured data with Google's Rich Results Test
  • [ ] Check for errors or warnings in Google Search Console's structured data reports
  • [ ] Ensure structured data matches the visible page content

Core Web Vitals

  • [ ] Check Largest Contentful Paint (LCP): should be under 2.5 seconds
  • [ ] Check Cumulative Layout Shift (CLS): should be under 0.1
  • [ ] Check Interaction to Next Paint (INP): should be under 200ms
  • [ ] Review both lab data (Lighthouse) and field data (Chrome UX Report) in PageSpeed Insights
  • [ ] Identify the specific elements causing poor scores and prioritize fixes

Security Audit

Security problems are the most dangerous because they are often invisible until significant damage has been done. See the website security monitoring guide for a deeper look at each area.

Server Security

  • [ ] Verify that your server software (web server, CMS, language runtime) is up to date
  • [ ] Check for known vulnerabilities in your software versions (use CVE databases)
  • [ ] Verify that directory listing is disabled
  • [ ] Confirm that error pages do not reveal server version or stack information
  • [ ] Check that backup files and development files are not publicly accessible

HTTP Security Headers

  • [ ] Content-Security-Policy (CSP): restricts which sources can load content on your pages
  • [ ] Strict-Transport-Security (HSTS): forces HTTPS connections
  • [ ] X-Content-Type-Options: prevents MIME type sniffing
  • [ ] X-Frame-Options or CSP frame-ancestors: prevents clickjacking
  • [ ] Referrer-Policy: controls how much referrer information is shared
  • [ ] Permissions-Policy: restricts browser feature access (camera, microphone, geolocation)

Test your headers with Mozilla Observatory or SecurityHeaders.com.
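
An added example (not part of the original page) that evaluates a response against the six headers listed above, including the rule that either X-Frame-Options or a CSP frame-ancestors directive satisfies the clickjacking item. The sample headers are constructed, audit_headers is an illustrative name, and the 180-day HSTS minimum is an assumed threshold rather than a value from this page.

```python
import re

# Constructed sample response headers (not from a real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

def audit_headers(headers, min_hsts_age=15552000):
    """Return findings for the six checklist headers.
    min_hsts_age (180 days, in seconds) is an assumed threshold."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append("HSTS max-age missing or too short")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    # Either X-Frame-Options or a CSP frame-ancestors directive covers clickjacking.
    directives = [d.strip().split()[0].lower() for d in csp.split(";") if d.strip()]
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("no X-Frame-Options or CSP frame-ancestors")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    elif h["referrer-policy"].lower() == "unsafe-url":
        findings.append("Referrer-Policy 'unsafe-url' sends full URLs cross-origin")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

A header being present is not the same as it being effective: the sample passes a presence-only check for HSTS and Referrer-Policy but fails on their values.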

Access and Authentication

  • [ ] Verify that admin panels and sensitive endpoints are properly secured
  • [ ] Check that default credentials have been changed
  • [ ] Confirm that two-factor authentication is enabled for administrative accounts
  • [ ] Review user accounts for old or unused entries that should be removed
  • [ ] Verify that file upload functionality (if any) validates file types and sizes

Malware and Blocklist Scanning

  • [ ] Check Google Safe Browsing status for your domain
  • [ ] Scan for known malware signatures using a website scanner
  • [ ] Verify your domain is not on email blocklists (important for transactional email)

Content Audit

Content issues affect user experience and SEO. They are easy to overlook because they accumulate gradually.

Content Freshness

  • [ ] Identify pages with outdated information (old dates, discontinued products, dead links)
  • [ ] Check for broken external links (links to third-party sites that no longer exist)
  • [ ] Review your most-trafficked pages for accuracy and completeness
  • [ ] Identify thin content pages (pages with very little value) that could be improved or consolidated

Media and Assets

  • [ ] Check for broken images (404 responses for image URLs)
  • [ ] Verify that images are appropriately sized (not loading 4000px images in 400px containers)
  • [ ] Confirm that images are in modern formats (WebP, AVIF) with fallbacks
  • [ ] Check for videos or embeds that are no longer available
  • [ ] Verify that media loads from your CDN rather than the origin server

Accessibility

  • [ ] Test with a screen reader on your most important pages
  • [ ] Verify sufficient color contrast ratios (WCAG AA minimum)
  • [ ] Check that all interactive elements are keyboard-accessible
  • [ ] Verify that form fields have associated labels
  • [ ] Run an automated accessibility scan (axe, WAVE, or Lighthouse accessibility audit)

Performance Audit

Performance directly affects user experience, conversion rates, and search rankings.

Page Load Speed

  • [ ] Test your homepage, top landing pages, and key conversion pages in Lighthouse
  • [ ] Identify and address render-blocking resources (CSS and JavaScript that delay first paint)
  • [ ] Verify that static assets are served from a CDN
  • [ ] Check that browser caching headers are set appropriately for static assets
  • [ ] Verify that text compression (gzip or Brotli) is enabled

Resource Optimization

  • [ ] Audit JavaScript bundle sizes (look for unnecessarily large bundles)
  • [ ] Check for unused CSS that could be removed
  • [ ] Verify that third-party scripts (analytics, chat widgets, social embeds) are loaded asynchronously
  • [ ] Assess the number of HTTP requests per page and reduce where possible
  • [ ] Check for render-blocking font loading

Mobile Performance

  • [ ] Test on actual mobile devices, not just browser emulators
  • [ ] Verify that the viewport meta tag is correctly configured
  • [ ] Check that touch targets are large enough (at least 48x48 CSS pixels)
  • [ ] Verify that content does not require horizontal scrolling on mobile screens
  • [ ] Test page load speed on a throttled 3G connection

Monitoring Setup Audit

An audit is a snapshot. Monitoring makes it continuous. The website health check guide covers what to monitor and how frequently.

Automated Monitoring

  • [ ] Uptime monitoring is active and checking from multiple locations
  • [ ] SSL certificate expiration monitoring is configured
  • [ ] DNS record monitoring is active for critical records
  • [ ] Domain expiration monitoring is in place
  • [ ] Alerting is configured and goes to the right people
  • [ ] Alert escalation is defined (who gets notified if the first responder does not acknowledge)

Vendor Monitoring

  • [ ] Critical third-party services (CDN, DNS, payment processors, email providers) are monitored
  • [ ] Status page subscriptions are active for each critical vendor
  • [ ] Is That Down or equivalent is monitoring vendor dependencies

Log and Error Monitoring

  • [ ] Server error logs are being collected and reviewed
  • [ ] Application error tracking (Sentry, Bugsnag, or equivalent) is active
  • [ ] 404 error rates are monitored for unexpected spikes
  • [ ] Performance metrics are being collected over time (not just point-in-time audits)

Schedule Your Next Audit

A full audit should happen quarterly. Between audits, automated monitoring catches the issues that develop in the meantime. The combination of periodic audits and continuous monitoring is what keeps a site healthy year-round.

Audit Frequency Reference

Not every item needs the same cadence. Here is a practical schedule.

Audit Area            Full Review    Automated Check
Uptime                Monthly        Every 1-5 minutes
SSL/TLS               Quarterly      Daily
DNS                   Quarterly      Hourly
Domain registration   Quarterly      Weekly
SEO crawlability      Monthly        Weekly (via Search Console)
Security headers      Quarterly      Weekly
Performance           Monthly        Daily (synthetic tests)
Content freshness     Quarterly      Manual
Redirects             Quarterly      On change

Automate the Checks That Matter Most

Site Watcher monitors uptime, SSL, DNS, domain expiry, and vendor dependencies continuously. Catch problems between audits before they affect your users.