Website Audit Checklist 2026: 25 Points Every Site Must Pass

Running a website without regular audits is like driving without ever checking the dashboard. You might feel fine — until something breaks. This checklist covers every critical audit point for 2026, including the new GEO checks most people miss.

SEO Audit (Points 1–7)

1. Title tag on every page

Every page needs a unique title tag under 60 characters. This is the single most important on-page SEO element. Check that your homepage title includes your brand name and primary keyword.

2. Meta descriptions that sell

Write unique meta descriptions (150–160 characters) for every page. These appear in Google results and directly affect click-through rates. Include a benefit and a call to action.

3. Heading hierarchy (H1 → H2 → H3)

Every page should have exactly one H1 tag. Use H2 and H3 tags to structure your content logically. Screen readers and search engines both rely on heading hierarchy to understand your content.

4. Open Graph and Twitter Card tags

When someone shares your page on social media, OG tags control the preview image and text. Missing OG tags mean ugly, generic previews that nobody clicks. Add og:title, og:description, og:image, and og:url to every page.

5. Canonical URLs

Duplicate content kills rankings. Add <link rel="canonical"> to every page pointing to the preferred URL. This is especially important if your site is accessible via both www and non-www, or HTTP and HTTPS.

6. Image alt text

Every image needs descriptive alt text. It's not just for accessibility — it's how Google Image Search indexes your images. Missing alt text is one of the most common issues we find in website audits.

7. Internal linking

Link your pages to each other with descriptive anchor text. This helps search engines discover and understand the relationship between your pages. Every page should be reachable within 3 clicks from the homepage.

GEO Audit — AI Search Readiness (Points 8–13)

This is the section most audit checklists miss entirely. GEO (Generative Engine Optimization) is about making your site visible in AI-generated answers from ChatGPT, Perplexity, and Google AI Overviews.

8. AI crawler access

Check your robots.txt for AI crawlers. Make sure you're not blocking GPTBot (ChatGPT), ClaudeBot (Anthropic), PerplexityBot, or Google-Extended. Many sites accidentally block these, cutting themselves off from AI citations.

9. Structured data (JSON-LD)

AI models love structured data. Add schema markup to your pages: FAQPage for Q&A content, Article for blog posts, Organization or LocalBusiness for your entity, HowTo for tutorials. This is the single biggest lever for GEO. Validate your markup with our free Structured Data Tester.

10. FAQ sections

Add a FAQ section with FAQPage schema to your key pages. AI assistants frequently extract and cite FAQ content because it's structured as clear question-answer pairs.

11. Citation-friendly content

Write content that's easy for AI to cite: use numbered lists, comparison tables, clear definitions, and data points. AI models look for concise, authoritative statements they can quote directly.

12. Entity identity markup

Does your site have Organization, Person, or LocalBusiness schema? This tells AI models who you are, what you do, and where you operate. Without it, AI can't confidently recommend your business.

13. Content depth and structure

AI models favor comprehensive, well-structured pages. Use clear headings, paragraphs of 2–4 sentences, and sufficient depth on each topic. Thin pages with little content rarely get cited.

Performance Audit (Points 14–17)

14. Core Web Vitals

Google uses three metrics to judge page experience: LCP (Largest Contentful Paint — under 2.5s), INP (Interaction to Next Paint — under 200ms), and CLS (Cumulative Layout Shift — under 0.1). Check yours with our Core Web Vitals guide.

15. Page load time

Your pages should fully load in under 3 seconds on a 4G connection. Every additional second of load time increases bounce rate by about 7%. Test on real mobile devices, not just desktop.

16. Image optimization

Use modern formats (WebP or AVIF), lazy-load below-the-fold images, and serve responsive images with srcset. Images are typically the largest resource on any page.

17. Render-blocking resources

Check for CSS and JavaScript that blocks the initial render. Defer non-critical scripts, inline critical CSS, and remove unused code. Tools like Google PageSpeed Insights will flag these.

Security Audit (Points 18–22)

18. HTTPS everywhere

Every page must load over HTTPS. Check for mixed content (HTTPS pages loading HTTP resources). HTTP pages are marked "Not Secure" in browsers and ranked lower by Google.

19. HSTS header

The Strict-Transport-Security header forces browsers to always use HTTPS. Without it, attackers can intercept the initial HTTP request before the redirect happens.

20. Content Security Policy

CSP prevents cross-site scripting (XSS) attacks by telling browsers which sources of content are trusted. It's the most impactful security header you can add.

21. X-Frame-Options

This header prevents your site from being embedded in iframes on other domains (clickjacking protection). Set it to DENY or SAMEORIGIN.

22. Referrer-Policy and Permissions-Policy

Referrer-Policy controls what URL information is shared when users navigate away. Permissions-Policy restricts browser features (camera, microphone, geolocation) that your site doesn't need.

Accessibility Audit (Points 23–25)

23. Color contrast

Text must have a contrast ratio of at least 4.5:1 against its background (WCAG AA). Low contrast makes content unreadable for users with visual impairments — and annoying for everyone in bright sunlight.

24. Keyboard navigation

Every interactive element (links, buttons, forms) must be usable with keyboard alone. Try navigating your site with just the Tab key. If you get stuck or can't reach something, it needs fixing.

25. HTML lang attribute

Set <html lang="en"> (or your language) on every page. Screen readers use this to know which language to speak in. It's a one-line fix that most sites miss.

The audit checklist summary

How to automate your audits

Manually checking 25 points is tedious. Here are the tools that automate it:

• Foglift — The only tool that checks SEO + GEO + performance + security + accessibility in one scan. Free for basic scans, $9 for a full report.
• Google Search Console — Free. Monitors indexing, search performance, and Core Web Vitals. Essential but doesn't check GEO.
• Google PageSpeed Insights — Free. Detailed Core Web Vitals analysis. Performance only.
• Screaming Frog — Free for up to 500 URLs. Deep crawl analysis for technical SEO.
• WAVE — Free browser extension. Detailed accessibility checking.

For ongoing monitoring, Foglift Pro ($49/mo) runs weekly automated scans and emails you when scores change — so you catch regressions before they hurt your traffic.

Frequently asked questions