
WordPress Site Audit: What It Is, Why You Need One, and How It Works

Overview

A WordPress site audit is a structured review of your site’s health across five pillars: security, performance, SEO, content, and user experience. The outcome is a prioritized remediation plan with clear owners, timelines, and measurable improvements (Core Web Vitals, indexing, conversions, revenue).

When to run an audit:

  • Before redesigns, migrations, or major updates.
  • After incidents (breach, downtime, ranking drop).
  • Quarterly for active or revenue-critical sites; at least annually for smaller sites.
  • After major plugin/theme changes or hosting moves.

Define Scope & Prerequisites

  • Site type: brochure, blog, WooCommerce/Membership, multisite.
  • Access: wp-admin, hosting panel, SFTP/SSH, database, staging.
  • Baseline: analytics and Search Console connected; backups validated.
  • Evidence capture: screenshots, PSI links, GSC exports; version inventory.

Prepare a working doc with:

  • Site context: audience, revenue drivers, critical journeys.
  • Constraints: maintenance windows, cache/CDN layers, third-party scripts, SLAs.
  • Measurement plan: which metrics define success post-audit (e.g., LCP < 2.5s, +20% internal links to cornerstone pages, 0 high-severity vulns).

Output: A working doc with sections matching this guide.

Install & Configuration Audit

Checklist

  • Core version supported; PHP version supported by host and theme/plugins.
  • Timezone, permalinks, and site language configured correctly.
  • Theme and child theme verified; remove inactive themes except a default fallback.
  • Plugin inventory: list, versions, usage; remove or replace abandoned/overlapping plugins.
  • Media settings: image sizes sane; offload or compression plan in place.
  • Cron/jobs: ensure scheduled tasks run (hosting cron or WP-Cron under traffic).

Evidence to capture

  • Site Health summary, plugin/theme lists, hosting specs, disk usage.

WP-CLI Quick Checks

wp core version && php -v
wp plugin list --status=active --fields=name,version,update
wp theme list --fields=name,status,version,update
wp option get permalink_structure && wp option get timezone_string

Decision tips

  • Prefer a lightweight theme or block theme + child theme; retire page builders if they are bottlenecks.
  • Remove duplicate functionality (e.g., two SEO plugins); replace abandoned plugins with maintained equivalents.
  • For large libraries, enable offloading (S3/Cloudflare R2) and register only the thumbnail sizes the theme actually uses to prevent bloat.

How to do it (step-by-step)

Versions and compatibility

  • WordPress Dashboard → Updates. Note current versions and available updates.
  • Tools → Site Health → Info → Server. Validate that the PHP version meets the minimum your theme/plugins support.
  • If PHP is outdated, request host upgrade on staging first.

Permalinks/timezone/site language

  • Settings → Permalinks → use Post name for most sites.
  • Settings → General → set the timezone to the business locale so cron schedules and analytics timestamps are accurate.

Theme baseline

  • Appearance → Themes. Ensure one default theme (e.g., Twenty Twenty-Four) is kept as fallback; remove others.
  • Confirm child theme exists if parent is customizable; record parent/child versions.

Plugin inventory and overlap

  • Plugins → Installed Plugins → sort by “Last updated” and “Active”.
  • Remove plugins that duplicate features (e.g., multiple caching plugins, multiple SEO plugins).
  • Replace abandoned plugins (>12 months no update) with maintained alternatives and plan migration.

Media hygiene

  • Settings → Media → Review thumbnail sizes; disable rarely used sizes.
  • Sample media library pages for oversized images; design image size map (hero, card, thumbnail).

Scheduled tasks

  • Tools → Site Health → Scheduled Events; verify critical tasks running (backups, SEO sitemaps, cache preloads).
  • On hosts that provide a real cron, disable WP-Cron or configure an alternate cron per host guidance.

Edge cases to watch

  • Multilingual plugins (WPML/Polylang) may duplicate media across languages; confirm media settings per language.
  • Migration remnants (importer plugins, old builders) often linger; decommission fully and clean data.

Security Audit

Objectives: Harden access, patch vulnerabilities, and ensure monitoring/rollback.

Checks

  • Accounts and roles: least privilege; remove unused admins; enforce 2FA for privileged roles.
  • Updates: core/plugins/themes current; review changelogs for breaking changes.
  • Vulnerabilities/malware: run scans; verify file integrity; review server-side WAF status.
  • HTTPS and headers: valid TLS; HSTS and security headers via CDN/server.
  • Activity logs: enable an activity log plugin or hosting equivalent; review recent changes.
  • Backups and rollback: automated, off-site, tested; document recovery steps.

Deep checks (recommended)

  • Disable file editing in the dashboard; restrict XML-RPC unless required; use unique, strong salts/keys in wp-config.php.
  • Review login rate limiting/CAPTCHA; restrict /wp-admin/ and /wp-login.php with WAF rules if feasible.
  • Validate file permissions on wp-content and uploads, and disallow PHP execution in uploads.
  • Verify nothing sensitive is exposed: no .env files, readme.html, or debug output displayed in production.

WP-CLI/User Audit

wp user list --role=administrator --fields=ID,user_login,user_email,roles
wp option get users_can_register
wp plugin list --status=active --field=name | sort

Pass/Fail Table (Sample)

Check | Method | Status | Notes
2FA on admins | Plugin/WAF | Fail | Mandate org-wide 2FA in 7 days
XML-RPC access | Server/WAF | Pass | Blocked except for needed IPs

Red flags

  • Unknown admin users, weak passwords, or shared logins.
  • Outdated, nulled, or abandoned plugins and themes.

How to do it (step-by-step)

Accounts and hardening

  • Users → All Users → filter role=Administrator; remove/disable unknown accounts; force password reset.
  • Enforce 2FA for privileged roles via your security suite; add recovery codes policy.
  • Add constants in wp-config.php on staging first:

// Hardening constants (add above /* That's all, stop editing! */)
define('DISALLOW_FILE_EDIT', true);   // removes the theme/plugin file editor from the dashboard
define('DISALLOW_FILE_MODS', false);  // keep updates allowed, or true on locked environments
define('WP_POST_REVISIONS', 10);      // cap stored revisions per post

Vulnerability and integrity

  • Run a malware/vulnerability scan via your security plugin/hosting; export findings.
  • Compare core files with checksums (many security tools provide this).

HTTPS and headers

  • Verify valid TLS cert; check HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy in DevTools → Network → Response Headers.
  • Add headers at the CDN/server layer (prefer this over adding them in PHP, since static assets never pass through PHP).
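One way to script the header check above, as an added example rather than code from the original article: the function reads raw response headers on stdin (for a live site, the output of `curl -sS -D - -o /dev/null https://example.com/`, where example.com is a placeholder), reports PASS/FAIL for each of the four headers named above, and returns the number of failures.

```shell
#!/bin/sh
# Added example (not from the article): check raw HTTP response headers for the
# hardening headers the checklist names. Pipe headers in, e.g.
#   curl -sS -D - -o /dev/null https://example.com/ | check_security_headers
# (example.com is a placeholder). Prints PASS/FAIL per header; the return code is
# the number of failed checks, so it can gate a CI job or an audit script.

REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options referrer-policy"

check_security_headers() {
  headers=$(tr -d '\r')        # drop CR so ^-anchored matches work on CRLF input
  failed=0
  for name in $REQUIRED_HEADERS; do
    # case-insensitive match at line start only, so a name inside another value does not count
    value=$(printf '%s\n' "$headers" | grep -i "^$name:" | head -n 1 \
            | cut -d: -f2- | sed 's/^[[:space:]]*//')
    reason=""
    if [ -z "$value" ]; then
      reason="missing"
    else
      case "$name" in
        strict-transport-security)
          case "$value" in
            *max-age=0|*max-age=0[!0-9]*) reason="max-age=0 disables HSTS" ;;
            *max-age=*) ;;                      # usable policy
            *) reason="present but no max-age" ;;
          esac ;;
        x-content-type-options)
          [ "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" = "nosniff" ] \
            || reason="expected nosniff, got: $value" ;;
      esac
    fi
    if [ -z "$reason" ]; then
      echo "PASS $name: $value"
    else
      echo "FAIL $name: $reason"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Constructed sample response (not captured from a real site): HSTS and X-Frame-Options
# are set, X-Content-Type-Options and Referrer-Policy are absent, so two checks fail.
SAMPLE_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains
x-frame-options: SAMEORIGIN
content-type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers || echo "failed checks: $?"
```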

Backups and restore test

  • Trigger an on-demand backup; download archive.
  • Restore to staging; validate login, forms, and media. Record RTO/RPO.

File permissions and uploads execution

  • Ensure directories are 755 and files 644 (host-dependent).
  • Disallow PHP execution in wp-content/uploads via server rules/WAF.
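An added example (not the article's own code) for the permission and uploads-execution checks above: pointed at a WordPress root, it lists directories that are not 755, files that are not 644, and any PHP file under wp-content/uploads, and returns the number of findings. The root path is whatever you pass in; treat the list as a review queue rather than a chmod target, since hosts commonly keep wp-config.php stricter than 644 on purpose.

```shell
#!/bin/sh
# Added example (not the article's own code): report what departs from the
# 755/644 baseline under a WordPress root, plus PHP files inside wp-content/uploads,
# which should never be executable. Usage:
#   audit_wp_permissions /var/www/html      (the path is a placeholder)
# Return code = number of findings (capped at 255); 255 is also used for a bad path.

count_lines() {
  # number of lines in $1, or 0 for an empty string
  if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

report_section() {
  # $1 = title, $2 = newline-separated paths; prints nothing when the list is empty
  [ -n "$2" ] || return 0
  echo "$1"
  printf '%s\n' "$2" | sed 's/^/  /'
}

audit_wp_permissions() {
  root=${1%/}
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 255; }
  bad_dirs=$(find "$root" -type d ! -perm 755)
  bad_files=$(find "$root" -type f ! -perm 644)
  # any PHP-like file under uploads is a finding regardless of its mode
  php_in_uploads=$(find "$root/wp-content/uploads" -type f \
      \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null)

  report_section "Directories not 755:" "$bad_dirs"
  report_section "Files not 644 (wp-config.php is often intentionally stricter):" "$bad_files"
  report_section "PHP files inside wp-content/uploads:" "$php_in_uploads"

  total=$(( $(count_lines "$bad_dirs") + $(count_lines "$bad_files") + $(count_lines "$php_in_uploads") ))
  echo "findings: $total"
  rc=$total
  [ "$rc" -le 255 ] || rc=255
  return "$rc"
}

# Run directly against a path when one is given on the command line
if [ $# -gt 0 ]; then
  audit_wp_permissions "$1"
fi
```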

Edge cases

  • Membership/ecommerce sites: enforce session timeouts and device/session revocation.
  • XML-RPC required for Jetpack/remote posting: restrict via IP allowlist instead of global block.

Performance & Core Web Vitals

Measure and improve what matters: LCP, CLS, and TBT.

Diagnostics

  • PageSpeed Insights on key templates; compare mobile vs desktop.
  • Waterfall in browser DevTools; identify render-blocking and large assets.
  • Server TTFB via PSI or WebPageTest; confirm CDN headers and caching.

Fix patterns

  • Caching: enable a reputable caching plugin; align with server/CDN caching to avoid double-caching conflicts.
  • Images: serve WebP/AVIF; compress; lazy-load; right-size; defer offscreen.
  • Fonts: self-host or preload critical; limit variants; use font-display: swap.
  • JavaScript: defer non-critical; remove unused scripts; conditionally load heavy widgets.
  • CSS: inline critical CSS for key templates; purge unused CSS where safe.
  • Database: cleanup transients/revisions; enable persistent object cache if supported.

Monitoring

  • Re-test after each change; keep before/after snapshots for the report.

Targets and Quick Wins

Metric | Target | Common Fixes
LCP | ≤ 2.5s | Serve optimized hero image, reduce render-blocking CSS/JS, preload critical assets
CLS | ≤ 0.1 | Set width/height on media, reserve space for ads/embeds, avoid late-loading fonts
TBT | ≤ 200ms | Defer third-party scripts, split bundles, limit heavy widgets on first paint

Advanced notes

  • WooCommerce: defer cart fragments on non-cart pages; cache category and PDP where possible.
  • CDN: ensure correct cache keys and vary headers; avoid conflicting cache rules across plugin/server/CDN.
  • Preconnect/prefetch third-party origins (fonts, analytics) judiciously.

How to do it (step-by-step)

Pick 3–5 representative templates

  • Home, a category/collection page, a PDP (if ecommerce), and a long-form article.

Run PSI and GTmetrix

  • Capture LCP element, CLS sources, and TBT contributors; collect waterfall screenshots.

Fix order (typical)

  • Hero media: compress and right-size; convert to WebP/AVIF; set explicit width/height.
  • CSS: extract critical CSS for above-the-fold; defer non-critical; purge unused safely.
  • JS: defer/async non-critical; remove unused plugins/widgets; load analytics after consent.
  • Fonts: self-host; limit variants; preload critical; use font-display: swap.
  • Cache: enable full-page caching, object caching (Redis), and CDN edge caching.

Validate

  • Re-run tests; verify no regression in layout or functionality, especially on mobile.

Edge cases

  • Logged-in users bypass cache—ensure separate performance strategy for admin/editor roles.
  • Third-party iframes (maps, reviews) often dominate LCP/CLS—use placeholders and interaction-based loading.

SEO Audit: On-Page, Technical, Off-Page

On-Page

  • Titles/meta, headings hierarchy, descriptive alt text.
  • Internal linking to cornerstone pages; avoid orphan pages.
  • Readability and intent match; avoid thin/duplicate content.

On-Page Checklist (per URL)

Item | Check
Title/meta | Unique, concise, keyword-aligned; compelling CTR orientation
Headings | Single H1; logical H2/H3 hierarchy; scannable subheads
Media | Descriptive filenames; alt text; lazy-loading where appropriate
Links | Inbound internal links to cornerstone pages; no orphan pages
Copy | Intent match; satisfies query; clear CTA above the fold

Technical

  • Indexability: no accidental noindex; XML sitemaps complete and referenced in robots.
  • Canonicals consistent; pagination and faceted navigation rules clear.
  • Site structure: breadcrumbs, logical categories; schema opportunities (Organization, Breadcrumb, Article, Product, FAQ/HowTo as applicable).

Technical Drill-Downs

  • Robots and sitemaps: ensure robots allows crawl of important paths; submit XML sitemap in GSC.
  • Redirects: map 4xx/5xx and legacy URLs to the closest canonical destination.
  • Internationalization: if multilingual, verify hreflang pairs and canonical alignment.
  • Structured data: implement JSON-LD for relevant types (FAQ/HowTo/Product/Organization) and validate.

Off-Page

  • Snapshot of backlinks and citations; identify toxic links and gaps versus competitors.

Off-Page Quick Actions

  • Audit brand citations and ensure consistent NAP for local entities.
  • Identify top competitor backlinks and feasible outreach targets.
  • Disavow only where clearly harmful; focus on acquiring relevant, high-quality links.

Content Audit

Inventory and score each significant URL against goals and KPIs. Decide one of four actions per URL: Keep, Refresh, Consolidate, or Prune.

Common pitfalls

  • Measuring only traffic, not conversions or strategic value.
  • Duplicated topics cannibalizing rankings.

Recommended 10-step content process

  1. Define goals and KPIs (traffic, conversions, assisted revenue).
  2. Export inventory (URLs, types, dates, authors, categories, word count).
  3. Collect performance data (GA4, GSC, backlinks, engagement).
  4. Detect duplicates/cannibalization; pick canonical winners.
  5. Evaluate E-E-A-T signals (author bios, citations, updates).
  6. Score content quality (intent match, freshness, completeness).
  7. Assign action (Keep/Refresh/Consolidate/Prune) with owner and due date.
  8. Standardize metadata and internal links to cornerstone content.
  9. Implement and QA changes on staging if high-impact.
  10. Measure deltas at 2/4/8 weeks; iterate.

Scoring Rubric (example)

Dimension | Weight | Scale | Notes
Business relevance | 0.35 | 0–5 | Revenue/lead impact
Organic performance | 0.25 | 0–5 | Clicks/impressions trend
Content quality | 0.20 | 0–5 | Depth, freshness, E-E-A-T
Link equity | 0.10 | 0–5 | Backlinks/internal links
Effort to fix | 0.10 | 0–5 | Lower is better

Action rules

  • Keep: score ≥ 4
  • Refresh: score 2.5–3.9 with high relevance
  • Consolidate: two+ URLs overlap → merge into strongest; 301 others
  • Prune: low score, thin/obsolete, no links → 410/301 with care
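The rubric and action rules above carried through as a small shell script, added here as an example rather than taken from the original article. It assumes the inventory is a CSV with the columns url,relevance,organic,quality,links,effort (each scored 0–5), that "lower is better" for effort means the column is inverted (5 minus effort) before weighting, and that rows in the Refresh band without high relevance are flagged for manual review, since the Consolidate decision needs a duplicate-topic signal the rubric does not carry.

```shell
#!/bin/sh
# Added example: apply the scoring rubric and action rules to a content inventory.
# Input CSV columns: url,relevance,organic,quality,links,effort (each 0-5).
# Assumption: "Effort to fix: lower is better" is applied by inverting the column,
# so effort 0 earns the full 0.10 weight and effort 5 earns none (max score 5.00).

content_score() {  # args: relevance organic quality links effort -> weighted score, 2 decimals
  awk -v r="$1" -v o="$2" -v q="$3" -v l="$4" -v e="$5" \
    'BEGIN { printf "%.2f\n", 0.35*r + 0.25*o + 0.20*q + 0.10*l + 0.10*(5 - e) }'
}

content_action() {  # args: score relevance -> first-pass action
  awk -v s="$1" -v r="$2" 'BEGIN {
    if (s >= 4.0)                print "Keep"
    else if (s >= 2.5 && r >= 4) print "Refresh"           # 2.5-3.9 band with high relevance
    else if (s >= 2.5)           print "Review"            # same band, low relevance: decide by hand
    else                         print "Prune/Consolidate" # low score; confirm links/overlap before 410/301
  }'
}

score_inventory() {  # reads the CSV on stdin; prints: url score action
  IFS=',' read -r _header || return 1          # discard the header row
  while IFS=',' read -r url r o q l e; do
    [ -n "$url" ] || continue                  # skip blank lines
    s=$(content_score "$r" "$o" "$q" "$l" "$e")
    printf '%s %s %s\n' "$url" "$s" "$(content_action "$s" "$r")"
  done
}

# Constructed sample inventory (not real site data)
SAMPLE_INVENTORY='url,relevance,organic,quality,links,effort
/pricing,5,5,5,5,0
/docs/setup,4,3,3,2,4
/blog/guide-2021,3,4,3,2,2
/blog/news-2018,2,1,2,1,5'

printf '%s\n' "$SAMPLE_INVENTORY" | score_inventory
```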

Design & UX Audit

Heuristics to review

  • Visual hierarchy: clear CTAs, scannable headings, adequate spacing.
  • Navigation: predictable labels, shallow depth for key tasks, search where needed.
  • Trust and clarity: social proof, policies, contact, performance cues.

Validation

  • Run quick user journeys on mobile and desktop; watch for friction and layout shifts.

UX Test Scenarios (examples)

  • Find and purchase a top product in < 3 clicks; measure steps and blockers.
  • Complete a contact form on mobile; verify keyboard types and error handling.
  • Read a long article on mid-range Android; check CLS and readability.

Heuristics (condensed)

  • Visibility of system status; match between system and real world.
  • User control and freedom; consistency and standards.
  • Error prevention; recognition rather than recall.
  • Flexibility and efficiency; aesthetic and minimalist design.
  • Help users recognize, diagnose, and recover from errors.

Mobile & Accessibility

Mobile

  • Responsive behavior on common breakpoints; touch target sizes; sticky headers not obstructing content.

Accessibility (quick checks)

  • Color contrast, focus states, keyboard navigability.
  • Image alt text and descriptive link text.

Additional accessibility sweeps

  • Ensure form fields have programmatic labels and clear error messages.
  • Maintain logical heading order and skip-to-content; avoid keyboard traps.
  • Test with screen reader basics (NVDA/VoiceOver) for key journeys.

What good looks like

  • All interactive elements reachable/focusable via keyboard.
  • Visible focus outlines; minimum color contrast 4.5:1 for body text.
  • Form errors announced and associated with fields; descriptive button text.
Analytics, Conversion, and Forms

Analytics

  • Confirm GA is firing on all key templates; track events for CTAs and forms.
  • In Search Console, review coverage, performance, and enhancements.

Forms and deliverability

  • Test end-to-end: submission → email delivery → CRM/automation → thank-you tracking.
  • Implement SMTP with authentication; avoid relying on PHP mail.

GA4/Events essentials

  • Define conversions (add_to_cart, begin_checkout, purchase, lead_submit) and validate in DebugView.
  • Track site search, file downloads, and outbound clicks if relevant.
  • For WooCommerce, validate enhanced eCommerce events and attribution.

Email deliverability checklist

  • Use SMTP with authentication/API; set SPF, DKIM, and DMARC.
  • Test password resets and form notifications to multiple domains (Gmail/Outlook).
  • Monitor bounce/spam rates; rotate sender domains cautiously if needed.

Tools Map & Equivalents

Audit Step | WordPress UI | Plugins/Services | CLI/Advanced
Updates & inventory | Dashboard → Updates; Plugins/Themes | Security suite, activity log | wp core/plugin/theme update; wp plugin list
Security | Users; Site Health | Wordfence/Sucuri | Server logs; headers via DevTools
Performance | | PSI, GTmetrix, caching plugin | Preload headers; wp cache flush
SEO | | AIOSEO/Yoast; Screaming Frog | Log-level crawl exports
Content | Posts/Pages; Media | Spreadsheet; content analysis tools | n/a
Analytics | | GA, GSC | Event debug views
Backups/Staging | Hosting panel | Managed backups; staging | Snapshot/restore tests

Multisite/Enterprise Considerations

  • Network vs site-level updates; shared plugins/themes and dependency pinning.
  • Role scoping, single sign-on/2FA enforcement, and de-provisioning workflow.
  • Change windows with staging and rollback playbooks; audit logging centralization.
  • Data governance: PII handling, access reviews, and least-privilege IAM on hosting/CDN.
  • Fleet health: standardize cache/CDN, logging, and monitoring across sites.

Enterprise edge cases

  • Network-active plugins: test in a sandbox site before global activation.
  • Shared codebases: pin plugin/theme versions; use maintenance windows and canary rollouts.
  • Compliance: ensure consent/CMP integration doesn’t block critical events.

Governance: Cadence, Staging, Rollbacks

  • Cadence: quarterly for active sites; monthly performance snapshots for high-traffic sites.
  • Staging first: validate with caches on/off; confirm backup integrity before deploys.
  • Change freeze during remediation sprints; document outcomes in a running changelog.

Definition of done (examples)

  • CWV: ≥ 75th percentile field data passes on top 10 templates.
  • Security: 0 high-severity vulns; enforced 2FA for admins; tested restore.
  • SEO: 0 accidental noindex; sitemap valid; +20% internal links to cornerstone pages.

Staging & Rollback Runbook

  1. Clone production to staging; mask PII; disable external integrations (email/payment).
  2. Apply changes in small batches; test with cache on/off and logged-in/out profiles.
  3. Create restore point before deploy; document change set and expected impact.
  4. Deploy during change window; monitor logs, CWV RUM, errors; be ready to roll back within 10 minutes.
Frequently Asked Questions

Q: What does a WordPress site audit include?

A: Security, performance/Core Web Vitals, SEO (on-page/technical/off-page), content quality, UX/accessibility, analytics and conversions, plus a prioritized remediation plan.

Q: How long does it take?

A: A focused triage takes about an hour; a thorough audit ranges from a day for small sites to multiple days for large or ecommerce sites.

Q: How often should I audit?

A: At least annually; quarterly for frequently updated or revenue-critical sites.

Q: Can I do it myself?

A: Yes—this guide is designed for that. For complex setups (multisite, bespoke themes, heavy commerce), consider professional assistance for speed and risk management.

Q: How much does a professional audit cost?

A: Ranges widely by scope and complexity—from basic $500–$2,500 to advanced $5,000+ for large, complex sites. Many teams bundle audits into ongoing maintenance.

Q: What deliverables should I expect?

A: An issues log with evidence links, a prioritized roadmap with owners/dates, before/after metrics snapshots, and clear rollback and monitoring plans.

Pro tip: Keep a running audit log and repeat key snapshots after fixes. Momentum and measurement make the results stick.
