
Read-only WordPress audit: comparing existing tools and why they don't all serve the same need

A practical comparison of external audit tools and the gap they leave for freelancers and agencies.

Key Takeaways
  • The WordPress audit market is segmented: performance, SEO, and security tools each cover their domain but leave gaps between them
  • No existing tool fully answers the freelancer's core question: what to do, in what order, and how to justify it to clients
  • Orilyt fills this gap by transforming external technical findings into structured, client-ready decisions

If you work on WordPress — as a freelancer, an agency, or in training — you have certainly used an audit tool before. GTmetrix for performance. WPScan for security. Ahrefs or Semrush for technical SEO. Google PageSpeed Insights for Core Web Vitals.

These tools are useful. Some are even excellent in their domain.

But do they really meet the practical needs of a freelancer who wants to quickly understand a WordPress site's health, decide what to prioritize, justify an intervention to a client, or structure a maintenance offer?

Not always. And this is precisely the observation that led to Orilyt.

In this article, we review the main read-only WordPress audit tools — meaning no back-office access, no plugin to install, no FTP — and explain how their approaches fundamentally differ.

[Figure: audit tools grouped by category. Performance: PageSpeed, GTmetrix. SEO: Screaming Frog, Ahrefs / Semrush. Security: WPScan, Sucuri. "?" placeholders and Orilyt.]

What "read-only audit" means

A read-only audit relies on a simple principle: analyzing a WordPress site solely from the outside, through HTTP requests, crawling, or public API calls.

In practice, this means no administrator access is required, no plugin needs to be installed on the audited site, and no FTP or database access is necessary.

This approach has several advantages. It is quick to set up, completely non-intrusive, and usable on a prospect's site before signing any contract. The trade-off is partial visibility: you only see what is publicly exposed, without access to the CMS's internal settings.

All tools covered in this article primarily operate in this mode.
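
A sketch of what an external, read-only pass can observe on a site you are auditing, added here as an illustration; it is not code from Orilyt or from any tool discussed in this article. The sample HTML, response headers, plugin and theme names are constructed, and the list of expected headers is an assumption.

```python
import re

# Constructed sample: what an unauthenticated GET of a homepage might return.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo-theme/style.css?ver=1.3" />
<script src="https://example.test/wp-content/plugins/demo-forms/js/app.js?ver=2.1.0"></script>
<script src="https://example.test/wp-content/plugins/demo-slider/slider.js?ver=6.4.2"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8",
                  "X-Content-Type-Options": "nosniff"}

# Headers this sketch checks for; the list is an assumption, not any tool's rule set.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")

GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
ASSET = re.compile(r'/wp-content/(plugins|themes)/([a-z0-9_-]+)/[^"\'\s?]*(?:\?ver=([\w.-]+))?', re.I)


def observe(html, headers):
    """Return only what the public response itself reveals."""
    m = GENERATOR.search(html)
    core = m.group(1) if m else None
    found = {"plugins": {}, "themes": {}}
    for kind, slug, ver in ASSET.findall(html):
        # ?ver= equal to the core version usually means the asset declared no
        # version of its own, so treat it as unknown rather than as a finding.
        if ver == core or not ver:
            ver = None
        found[kind.lower()].setdefault(slug, ver)
    present = {k.lower() for k in headers}
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in present]
    return {"core": core, **found, "missing_headers": missing}


if __name__ == "__main__":
    for key, value in observe(SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The `None` recorded for `demo-slider` is the partial-visibility trade-off in practice: from the outside, the plugin is visibly present but its real version is not.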

Performance-focused tools

Google PageSpeed Insights

PageSpeed Insights is Google's reference tool for measuring web performance. It combines Lighthouse lab data with Chrome User Experience Report (CrUX) field data to produce scores on Core Web Vitals: Largest Contentful Paint, Cumulative Layout Shift, Interaction to Next Paint.

The tool is free, requires no account, and provides detailed technical recommendations. It is a mandatory step for any developer who cares about performance.

However, the results are raw, very technical, and hard to use for a client presentation. A score of 45 out of 100 says nothing about what to do concretely or in what order.

Pricing: entirely free.

GTmetrix

GTmetrix goes further than PageSpeed by offering a detailed visual analysis: waterfall chart, filmstrip, performance history, and the ability to test from different geographic locations.

It is a tool appreciated by developers for its depth of analysis. The waterfall allows you to understand precisely which file slows down loading and why.

But like PageSpeed, GTmetrix remains a technical tool that speaks to developers. A non-technical client will not find an answer to the question "what should I do?".

Pricing: limited free version (3 URLs), Pro plans from $5/month (Micro) up to $42.50/month (Growth).

Technical SEO tools

Screaming Frog

Screaming Frog is an extremely powerful desktop crawler. It analyzes the full structure of a site: metadata, internal links, redirects, page depth, canonical tags, structured data.

For an in-depth technical SEO audit, it is probably the most comprehensive tool on the market. It allows you to export massive data and cross-reference metrics that few other tools offer.

The problem: its interface is dense, its exports are voluminous, and without SEO expertise, the data produced is hard to interpret. It is not a tool you use to convince a client — it is a tool you use to analyze an already identified problem.

Pricing: free version limited to 500 URLs, full license at £259/year.

Ahrefs and Semrush (Site Audit)

The two SEO heavyweights each offer a site audit module. These tools crawl a domain and produce a technical health score along with a list of issues ranked by severity: broken links, orphan pages, missing tags, server response time.

Their strength lies in the ecosystem: the audit is part of a complete SEO suite (backlinks, rankings, keyword research). Their limitation, in the context that concerns us, is that they are oriented toward marketing and SEO, not specifically WordPress. They don't detect plugin versions, don't check for known vulnerabilities, and don't structure their recommendations for a freelancer who needs to sell a service.

Pricing: Ahrefs from $129/month, Semrush from $139/month. No complete free version.

WordPress security tools

WPScan

WPScan is the historical reference for WordPress security. Acquired by Automattic (the company behind WordPress.com), it maintains a database of over 55,000 known vulnerabilities, updated daily by specialists.

In external scan mode, WPScan detects the WordPress version, exposed plugins and themes, and compares them against its vulnerability database. It is an essential tool for anyone interested in WordPress security.

However, WPScan covers neither performance, nor SEO, nor the site's overall structure. And its command-line interface (CLI) makes it hard to approach for non-developers.

Pricing: free CLI for non-commercial use (25 API requests/day), enterprise pricing on request. Jetpack Protect offers a free version based on WPScan data.

Sucuri SiteCheck

Sucuri offers a quick external scan that checks for malware, blacklist status (Google, Norton, etc.) and security headers. It is a useful but superficial first level of verification.

The free scan only detects what is publicly visible, which considerably limits its depth. Advanced features (firewall, malware cleanup) require a subscription.

Pricing: free basic scan, protection plans from $199/year.

Generalist tools

Website Grader (HubSpot)

Website Grader quickly analyzes a site across four axes: performance, SEO, security, and mobile. It produces a global score and some high-level recommendations.

It is probably the tool closest to a "client-friendly" format, but its analysis depth remains limited and its recommendations are too generic to be directly actionable. It is not specific to WordPress.

Pricing: entirely free.

The observation: a segmented market, a blind spot

When mapping these tools, a clear pattern emerges. The read-only WordPress audit market is segmented into three broad categories, and each excels in its domain without trying to cover the others.

Performance tools (PageSpeed, GTmetrix) produce precise but technical metrics. SEO tools (Screaming Frog, Ahrefs, Semrush) analyze structure and visibility but ignore WordPress security. Security tools (WPScan, Sucuri) focus on vulnerabilities but don't address performance or SEO.

None of these tools answers a question that is fundamental for a freelancer or a small agency.

What should I do, in what order, and how do I justify it to my client?

Where Orilyt fits

Orilyt is not a head-on competitor to GTmetrix, Ahrefs, or WPScan. That is not its goal.

Orilyt does not try to crawl 10,000 pages, produce 200 metrics, or analyze every micro-resource in a waterfall. Other tools already do that very well.

Orilyt focuses on a different objective: turning external technical findings into actionable decisions.

Each audit item in Orilyt is structured according to a decision-making logic: the observed facts, a clear interpretation of what it means, why it matters, what to do, what not to do, how to verify that the fix is effective, and an estimate of effort and risk.

This structure serves a specific purpose: enabling a freelancer to make a decision, prioritize interventions, justify a service to a non-technical client, and sell recurring maintenance based on factual evidence.

Summary comparison table

Criteria PageSpeed GTmetrix Screaming Frog Ahrefs / Semrush WPScan Sucuri Orilyt
Read-only
Performance ★★★★★★★★★★★★★★★
Technical SEO ★★★★★★★★★★
Security ★★★★★★★★★★
WP Vulnerabilities ★★★★★★★★
Client-ready report Partial★★★★
Decision structure ★★★★
WordPress-specific ★★★★★★★★★★★
Entry price Free Free Free (limited) ~130 $/m Free (limited) Free (limited) Free (limited)

When to use which tool

The question is not which tool is "the best" — it is which one answers your current need.

  • PageSpeed / GTmetrix — Use PageSpeed or GTmetrix if you are optimizing a site in depth, if you need a detailed waterfall, or if you are working on micro-performance optimizations.
  • Screaming Frog / Ahrefs / Semrush — Use Screaming Frog, Ahrefs, or Semrush if you are conducting an advanced technical SEO audit, analyzing a large site, or need massive data about a domain's structure.
  • WPScan — Use WPScan if you are checking for known vulnerabilities in WordPress plugins or themes, or if you are specifically working on security.
  • Orilyt — Use Orilyt if you need to quickly decide what to do on a WordPress site, if you are preparing a quote, if you need to convince a non-technical client, if you want to structure recurring audits, or if you are looking for a clear and actionable tool for freelance or small agency use.

What's missing in the market

The WordPress audit market is full of tools that produce findings. Scores, lists, metrics, charts.

But very few tools turn these findings into decisions. Very few structure their results so a professional can use them directly in their client relationship. Very few take into account that an audit, in the real life of a freelancer, primarily serves to answer three questions:

  1. What is the actual state of this site?
  2. What should be done first?
  3. How do I justify this intervention to the client?

It is in this space — between technical findings and business decisions — that Orilyt has chosen to position itself.

And that is precisely what sets it apart.
