
WordPress audit for agencies: complete guide 2026

Performance, security, technical SEO, accessibility, GDPR: the structured method agencies use to turn a WordPress diagnosis into a priced action plan for their client.

Key takeaways
  • A WordPress audit covers five dimensions: performance, security, technical SEO, accessibility and GDPR compliance.
  • Freelancers and agencies that audit regularly spot issues before they cost traffic, clients or credibility.
  • Structuring an audit around clear priorities is what turns a diagnosis into action, and action into a signed contract.

You take over the maintenance of a WordPress site for a new client. The theme has not been updated in fourteen months, three plugins have known vulnerabilities, LCP exceeds 4 seconds on mobile and the login page is accessible at the default URL. The site owner sees none of this — they just see that "the site works". Without a structured WordPress audit, these issues stay invisible until the day they cause an outage, a breach or a ranking drop.

This guide details every step of a complete WordPress audit in 2026: the five dimensions to cover, the metrics to watch, the tools to use and the method to turn a technical diagnosis into a concrete action plan. Whether you are a freelancer, an agency or a consultant, you will leave with a reproducible approach for every client site.

WordPress audit: complete guide to diagnose and improve your site

Why a WordPress audit is essential in 2026

The invisible risks of an un-audited site

A WordPress site can look perfectly functional while silently accumulating problems. Outdated extensions are the top source of vulnerabilities: according to Patchstack, more than 22 new WordPress flaws are discovered every day in 2026. A plugin left unpatched for six months can expose an entire site to injection or brute-force attacks.

On performance, a poorly optimized theme or non-deferred JavaScript is enough to push a site above the critical 2.5-second LCP threshold. Google has used Core Web Vitals as a ranking signal since 2021: a slow site does not just lose visitors, it loses search positions too. Readers who want to understand what TTFB reveals about your server will find complementary insights in our dedicated article on Time to First Byte.

What Google expects from a WordPress site today

Google's evaluation criteria have sharpened. Replacing FID with INP (Interaction to Next Paint) in March 2024 raised the bar on responsiveness: it is no longer about the first interaction but about every user interaction across the visit. Thresholds remain the same for LCP (under 2.5 seconds) and CLS (under 0.1), but INP now requires a response time below 200 milliseconds on all interactions.

In parallel, E-E-A-T signals (Experience, Expertise, Authoritativeness, Trustworthiness) are cross-referenced with security and technical reliability data. An expired SSL certificate, a missing HSTS header or an unprotected login page send negative signals that go well beyond the PageSpeed score.

The five dimensions of a complete WordPress audit

Performance: beyond the PageSpeed score

A WordPress performance audit is not about typing a URL into PageSpeed Insights and reading the score. The score is a summary, not an action plan. What matters is the individual metrics and their real impact on user experience.

Start with TTFB (Time to First Byte): if it exceeds 800 milliseconds, the problem likely lies in the server or PHP configuration before the content even starts loading. Then check LCP: identify the largest above-the-fold element (often a hero image or slider) and optimize its loading first.

Non-critical JavaScript should be deferred or loaded asynchronously. A WordPress site with twenty active plugins often loads dozens of JS files per page even when only two or three are needed. The audit must identify these render-blocking resources and recommend optimization.

Security: the checks most site owners ignore

WordPress security relies on layered defenses, and each layer deserves its own audit. The first layer is access: is wp-login.php reachable at the default URL? Are login attempts rate-limited? Is two-factor authentication enabled for admin accounts?

The second layer is HTTP security headers. A serious audit checks for Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options and X-Content-Type-Options. These headers are not configured by default on most WordPress hosts, and their absence exposes the site to clickjacking, MIME sniffing or content injection.

The third layer concerns sensitive files. WordPress's readme.html, debug.log and unprotected plugin directories are all potential entry points. A frequent finding: production WordPress sites still expose their readme file, revealing the exact installed version.
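The header and sensitive-file checks described for the second and third layers can be scripted as read-only tests over the responses a site returns. The block below is an added example, not Orilyt's code or anything from the original article: it evaluates a dict of response headers against the four headers named above (the one-year HSTS minimum is an assumption) and flags the files listed above when they answer 200. The responses are constructed so the script runs offline; a real audit would fetch them from the client's site.

```python
"""Read-only checks for two of the security layers described above:
HTTP security headers and sensitive WordPress files.  Added example, not
Orilyt's code.  The responses below are constructed so the script runs
offline; a real audit would fetch them from the client's site."""
import re

ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age (assumption)


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, 0 if absent."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


# Headers the page names, each with the condition its value must satisfy.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: hsts_max_age(v) >= ONE_YEAR,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

# Files and directories the page lists as potential entry points.
SENSITIVE_PATHS = ("/readme.html", "/wp-content/debug.log", "/wp-content/plugins/")


def audit_headers(headers):
    """Return (severity, message) tuples for missing or weak security headers.
    `headers` is a dict of response headers; names are compared case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, is_strong in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(("important", f"missing header: {name}"))
        elif not is_strong(lowered[name]):
            findings.append(("recommended", f"weak value for {name}: {lowered[name]!r}"))
    return findings


def audit_exposed_files(responses):
    """`responses` maps a path to (status, body).  Flags sensitive paths that
    answer 200; for readme.html also reads the version string it reveals."""
    findings = []
    for path in SENSITIVE_PATHS:
        status, body = responses.get(path, (404, ""))
        if status != 200:
            continue
        if path == "/readme.html":
            match = re.search(r"Version\s+([\d.]+)", body)
            version = match.group(1) if match else "unknown"
            findings.append(("critical", f"{path} exposed, reveals WordPress version {version}"))
        elif path.endswith("/"):
            if "Index of" in body:  # Apache/nginx style directory listing
                findings.append(("important", f"directory listing enabled at {path}"))
        else:
            findings.append(("critical", f"{path} exposed"))
    return findings


# Constructed snapshot of a typical default-configured host (not real data;
# the version string is a made-up sample value).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
SAMPLE_RESPONSES = {
    "/readme.html": (200, "<h1>WordPress</h1><br /> Version 6.0"),
    "/wp-content/debug.log": (404, ""),
    "/wp-content/plugins/": (200, "<title>Index of /wp-content/plugins/</title>"),
}

if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_HEADERS) + audit_exposed_files(SAMPLE_RESPONSES):
        print(f"[{severity}] {message}")
```

A header that is present but too weak to help (a five-minute HSTS max-age, an `X-Frame-Options: ALLOWALL`) is reported separately from a missing one, because the fix and the severity differ; the same split is worth keeping in the client report.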

Technical SEO: what search engines really see

A technical SEO audit starts with indexing. Check that robots.txt does not block strategic pages, that the XML sitemap is up to date and reachable, and that canonical tags are correctly placed on each page.

Then review meta tags: every page needs a unique title, a relevant meta description, and a logical heading hierarchy (a single H1, H2s and H3s properly nested). The most common WordPress mistakes include duplicate H1s (site title plus page title), missing meta descriptions on category pages, and misconfigured self-referencing canonicals.

Internal links are another critical axis. A WordPress site with hundreds of articles can contain orphan pages (not linked from anywhere) and broken links that degrade bot crawling. The audit must map the link graph and flag weak areas. For a detailed review of available tools, our WordPress audit tools comparison lays out the strengths and limits of each approach.

Accessibility: an often neglected angle

Web accessibility is not a luxury reserved for large institutional sites. In France, the law imposes increasing obligations on public sites and companies, and search engines reward accessible sites.

A WordPress accessibility audit checks for: alt attributes on images, sufficient contrast between text and background, functional keyboard navigation, correct semantic HTML structure and explicitly labelled forms. These directly shape user experience and, indirectly, the behavioral signals Google measures.

GDPR compliance: third-party scripts under the microscope

GDPR imposes strict obligations on consent and personal data processing. Maximum fines can reach 4% of global turnover or 20 million euros. For a WordPress site, the most common risks come from third-party scripts loaded without prior consent.

Google Fonts pulled from Google's servers, Google Analytics firing before the cookie banner click, Facebook or LinkedIn tracking pixels injected into the theme: each external script is a potentially non-compliant data transfer. The GDPR audit must list every external request, check whether it requires consent, and make sure the cookie banner actually covers every tracker identified.
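The on-page side of the technical SEO checks (title, meta description, single H1, canonical), the image alt check from the accessibility section and the third-party request inventory described here all come from one parse of the HTML. The block below is an added example, not Orilyt's code or the article's own: it collects those elements in a single pass with Python's standard `html.parser` and runs the three audits over them. The tracker host list and the sample page are constructed for illustration and are not exhaustive.

```python
"""On-page checks for the technical-SEO, accessibility and GDPR dimensions
above, run over a single HTML document.  Added example, not Orilyt's code.
The tracker host list and the sample page are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party hosts the page names as consent-requiring (illustrative, not exhaustive).
CONSENT_REQUIRED_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "connect.facebook.net": "Facebook pixel",
    "snap.licdn.com": "LinkedIn Insight tag",
}


class PageCollector(HTMLParser):
    """Collects the elements the three audits look at in one pass."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.meta_description = None
        self.canonical = None
        self.h1_count = 0
        self.images_without_alt = []
        self.resources = []  # (tag, url) for every src/href that loads something

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.meta_description = (a.get("content") or "").strip()
        elif tag == "link" and "canonical" in (a.get("rel") or "").lower():
            self.canonical = a.get("href")
        elif tag == "h1":
            self.h1_count += 1
        elif tag == "img" and "alt" not in a:  # alt="" is valid for decorative images
            self.images_without_alt.append(a.get("src") or "?")
        if tag in ("script", "link", "img", "iframe"):
            url = a.get("src") or a.get("href")
            if url:
                self.resources.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_page(html):
    collector = PageCollector()
    collector.feed(html)
    return collector


def audit_seo(page, site_host):
    findings = []
    if not page.title.strip():
        findings.append("missing <title>")
    if not page.meta_description:
        findings.append("missing meta description")
    if page.h1_count != 1:
        findings.append(f"{page.h1_count} H1 elements (expected exactly 1)")
    if not page.canonical:
        findings.append("missing canonical tag")
    elif urlparse(page.canonical).netloc not in ("", site_host):
        findings.append(f"canonical points to another host: {page.canonical}")
    return findings


def audit_accessibility(page):
    return [f"image without alt attribute: {src}" for src in page.images_without_alt]


def audit_third_party(page, site_host):
    """Inventory every request to another host with the consent verdict the
    GDPR check needs.  Hosts not in the list are flagged for manual review."""
    inventory = {}
    for tag, url in page.resources:
        host = urlparse(url).netloc
        if not host or host == site_host:
            continue  # relative or same-origin: not a third-party transfer
        service = CONSENT_REQUIRED_HOSTS.get(host)
        inventory[host] = {
            "service": service or "unknown (review manually)",
            "consent_required": service is not None,
            "loaded_by": tag,
        }
    return inventory


# Constructed sample page: two H1s, no meta description, one image without alt,
# Google Fonts and Analytics loaded before any consent, plus an unknown CDN.
SITE_HOST = "www.acme-bakery.example"
SAMPLE_HTML = """<!doctype html><html><head>
<title>Acme Bakery</title>
<link rel="canonical" href="https://www.acme-bakery.example/">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
</head><body>
<h1>Acme Bakery</h1>
<h1>Fresh bread every morning</h1>
<img src="/wp-content/uploads/hero.jpg">
<img src="/wp-content/uploads/logo.png" alt="Acme Bakery logo">
</body></html>"""

if __name__ == "__main__":
    page = parse_page(SAMPLE_HTML)
    print("SEO:", audit_seo(page, SITE_HOST))
    print("Accessibility:", audit_accessibility(page))
    for host, info in audit_third_party(page, SITE_HOST).items():
        print(f"{host}: {info}")
```

The static inventory only sees what is in the served HTML; scripts injected later by a tag manager need a request log from a real browser session, which is why the audit must also confirm the cookie banner blocks each listed host before consent.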

Method: how to structure a WordPress audit step by step

Prepare the ground before analysis

Before firing up any tool, gather context. Which host? What PHP version is active? How many plugins are installed, and which are critical to site operation? Is caching in place?

This context steers the analysis and avoids false positives. A high TTFB on a 3-euro shared host is not the same diagnosis as a high TTFB on a dedicated server. Likewise, a degraded CLS can come from a misconfigured ad slot rather than a theme issue.

Take the time to review Google Search Console too. Indexing data, coverage errors and field-data Core Web Vitals reports (not lab data) are irreplaceable indicators to prioritize fixes.

Run the audit with the right tools

A WordPress freelancer does not need ten tools to run a complete audit. The point is to cover the five dimensions with complementary tools and to know how to read the results.

Google PageSpeed Insights provides lab performance data and Chrome User Experience Report field data. Google Search Console gives access to indexing errors and real performance in search results. For security and technical SEO, a tool like Orilyt runs a full analysis in seconds — no plugin to install, no admin access to request from the client site.

That is crucial for freelancers in prospecting mode: being able to audit a site before signing any contract, with nothing installed, dramatically speeds up the sales cycle. Run a full audit for free on Orilyt to see how the diagnosis is structured in real time.

Prioritize fixes: impact, effort, risk

The most common mistake after an audit is trying to fix everything at once. An effective action plan ranks every recommendation on three axes: impact on the site (traffic, security, conversion), effort required (time, skills, cost) and risk of inaction.

High-impact, low-effort fixes go first: update WordPress and plugins, fix missing title tags, add HTTP security headers. Structural fixes (host migration, theme rebuild, script rewrites) come next, planned over several weeks.

This hierarchy is also a client-communication tool. Presenting fixes by priority tier shows the client that you understand their budget and time constraints, and that each action maps to a measurable gain.

From audit to contract: turning the diagnosis into revenue

Present results that trigger action

An audit report that sits in a Google Drive folder generates zero revenue. The value of a WordPress audit lies in its ability to trigger a client decision. That means the report must be readable by a non-technical reader: clear severity levels (critical, important, recommended), plain-language explanations and concrete actions attached to each finding.

Freelancers who separate the client report (plain-language version) from the technical report typically see higher engagement with recommendations. Splitting the two makes the findings easier to grasp for non-technical decision-makers.

Build a recurring offer around the audit

A one-off audit is useful. A recurring audit is a business model. By offering monthly or quarterly follow-ups, you turn a single diagnosis into a recurring maintenance contract. Automated monitoring tracks score evolution and alerts the client as soon as an indicator degrades.

For freelancers who want to structure this approach, our detailed guide explains how to turn an audit into a maintenance contract with tiered pricing and a target monthly recurring revenue (MRR).

A typical scenario: a freelancer and a skeptical prospect

Picture this: an SME owner running WordPress contacts you because "the site has felt slow for weeks". You launch an Orilyt audit in thirty seconds. The report reveals a 2.3-second TTFB, five outdated plugins (two with known vulnerabilities), an SSL certificate expiring in eleven days, zero security headers and an accessibility score of 42 out of 100.

You share the client report. The owner sees the red flags, grasps the risks and asks you for a quote to fix everything. Without the audit, you would have spent thirty minutes explaining why the site is slow, with no visual proof and no decision lever.

Common mistakes to avoid during a WordPress audit

Confusing PageSpeed score with site quality

A PageSpeed score of 95 does not mean the site is problem-free. It measures one dimension (lab performance) out of five. A site can post an excellent score while carrying critical security flaws, poor internal linking or flagrant GDPR non-compliance.

Conversely, a 60 on mobile is not necessarily alarming if field data (CrUX) shows 80% of real users experience a "good" session. The audit must contextualize each metric, not read them in isolation.

Overlooking WordPress-specific checks

WordPress accounts for about 43% of websites worldwide according to W3Techs. This dominance brings specific risks that generic audit tools do not always cover: exposed readme.html, reachable xmlrpc.php, unrestricted REST API, publicly navigable plugin directories.

A complete WordPress audit must check these CMS-specific points on top of the universal ones (performance, SEO, HTTP security). That is what separates a surface-level diagnosis from a truly actionable analysis. To go further, the Orilyt documentation details each test and its interpretation.

Delivering a report without an action plan

The classic trap: shipping a twenty-page report loaded with technical data but no ranking and no concrete recommendation. The client ends up with a list of problems they cannot read or prioritize, and the report dies in a drawer. A good WordPress audit always ends with an action plan structured in three phases: urgent fixes (week 1), priority optimizations (month 1) and deeper improvements (quarter 1).

Quick checklist: the essential points of your WordPress audit

Rather than an exhaustive list, here are the checks that cover 80% of problems found on production WordPress sites.

Performance: TTFB under 800 ms, LCP under 2.5 s, INP under 200 ms, CLS under 0.1, Gzip or Brotli compression enabled, images in WebP and browser cache configured.

Security: HTTPS forced on every page, HSTS, CSP, X-Frame-Options and X-Content-Type-Options headers present, protected login page, readme.html removed or blocked, xmlrpc.php disabled if unused and every plugin up to date.

SEO: accessible up-to-date XML sitemap, coherent robots.txt, unique title and meta description on every page, logical H1-H2-H3 structure, broken links fixed and canonicals correctly placed.

GDPR: third-party scripts inventoried, cookie banner that actually blocks before consent, Google Fonts self-hosted where possible, privacy policy up to date.
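The performance thresholds in this checklist and the impact/effort/risk ranking from the prioritization section fit together into a small action-plan generator. The block below is an added example, not Orilyt's scoring or anything from the original guide: it turns measured metrics into findings against the checklist limits, merges them with other findings, and orders them into the three phases (week 1, month 1, quarter 1) the guide recommends. The 1-5 ratings, the score formula and the phase cut-offs are assumptions for illustration; the sample metrics echo the freelancer scenario earlier in the guide.

```python
"""Turns measured metrics into findings and ranks them on the three axes the
action-plan section describes (impact, effort, risk).  Added example, not
Orilyt's scoring; the 1-5 ratings, the score formula and the phase cut-offs
are assumptions for illustration."""

# "Good" limits from the checklist (milliseconds, except CLS which is unitless).
THRESHOLDS = {"ttfb_ms": 800, "lcp_ms": 2500, "inp_ms": 200, "cls": 0.1}

# Suggested fix per metric with impact/effort/risk on a 1-5 scale (assumed values).
METRIC_FIXES = {
    "ttfb_ms": {"action": "Review server, PHP and page-cache configuration", "impact": 4, "effort": 3, "risk": 3},
    "lcp_ms": {"action": "Optimize the largest above-the-fold element", "impact": 4, "effort": 2, "risk": 3},
    "inp_ms": {"action": "Defer or split long-running JavaScript", "impact": 3, "effort": 3, "risk": 2},
    "cls": {"action": "Reserve space for ads, embeds and late-loading images", "impact": 3, "effort": 2, "risk": 2},
}


def check_metrics(measured):
    """Return one finding dict per metric above its 'good' limit."""
    findings = []
    for metric, limit in THRESHOLDS.items():
        value = measured.get(metric)
        if value is not None and value > limit:
            fix = dict(METRIC_FIXES[metric])
            fix["evidence"] = f"{metric}={value} (limit {limit})"
            findings.append(fix)
    return findings


def priority_score(finding):
    """Higher is more urgent: impact and risk of inaction push up, effort pulls down."""
    return finding["impact"] * finding["risk"] / finding["effort"]


def phase_for(score):
    # Cut-offs are an assumption; tune them to the client's capacity.
    if score >= 8:
        return "week 1 (urgent fixes)"
    if score >= 4:
        return "month 1 (priority optimizations)"
    return "quarter 1 (deeper improvements)"


def build_action_plan(findings):
    """Sort findings by score (stable, so ties keep input order) and attach the phase."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [
        dict(f, score=round(priority_score(f), 1), phase=phase_for(priority_score(f)))
        for f in ranked
    ]


# Constructed inputs echoing the scenario earlier in the guide.
SAMPLE_METRICS = {"ttfb_ms": 2300, "lcp_ms": 4100, "inp_ms": 180, "cls": 0.25}
SAMPLE_OTHER_FINDINGS = [
    {"action": "Update the five outdated plugins", "impact": 5, "effort": 1, "risk": 5},
    {"action": "Add HSTS, CSP, X-Frame-Options and X-Content-Type-Options headers", "impact": 4, "effort": 1, "risk": 4},
    {"action": "Renew the SSL certificate before it expires", "impact": 5, "effort": 1, "risk": 5},
]

if __name__ == "__main__":
    plan = build_action_plan(check_metrics(SAMPLE_METRICS) + SAMPLE_OTHER_FINDINGS)
    for item in plan:
        print(f"{item['phase']:<40} score={item['score']:<5} {item['action']}")
```

Keeping the ratings explicit in the data, rather than buried in the sort, lets the client see why a one-hour plugin update outranks a multi-week theme rebuild, which is exactly the conversation the prioritization section aims for.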


Frequently asked questions

How long does a complete WordPress audit take?

Duration depends on analysis depth and site size. With a tool like Orilyt, automated analysis takes 30 to 90 seconds and covers performance, security, technical SEO, accessibility and GDPR. Interpreting the results and drafting the action plan then takes one to three hours depending on site complexity. For an experienced freelancer, the full loop — from launch to client presentation — fits in half a day.

Can you audit a WordPress site without admin access?

Yes. Read-only audits analyze a site from the outside using HTTP requests and public crawling. This approach needs no plugin, no FTP access and no credentials. It is the ideal method to diagnose a prospect site before a contract is signed, or to check a site without risking disruption. Some internal checks (PHP version, database configuration) require dashboard access, but most critical issues are detectable from the outside.

What is the difference between a WordPress audit and an SEO audit?

An SEO audit focuses specifically on organic search: indexing, content, keywords, backlinks and performance in search results. A WordPress audit is broader: it also covers security, updates, GDPR compliance, accessibility and CMS-specific technical points. In practice the two complement each other, and a well-structured WordPress audit always includes a technical SEO component. The main difference is scope, not methodology.

Does Orilyt only work on WordPress?

No. Orilyt analyzes any type of website. The vast majority of tests target universal criteria (performance, HTTP security, technical SEO, GDPR) that apply regardless of CMS. Specific tests exist for WordPress, but also for Drupal, Joomla, PrestaShop, Magento and other platforms. Sites on hosted solutions like Shopify or Wix receive a specific badge on tests the user cannot directly control.

How often should you run a WordPress audit?

A complete audit every quarter is a good rhythm for most professional sites. Between two full audits, a monthly review of key indicators (Core Web Vitals, update status, SSL certificate) lets you catch regressions before they become visible. High-traffic sites or those publishing content frequently benefit from continuous monitoring that alerts automatically as soon as an indicator degrades.

Sources and references

  • Google, Core Web Vitals and Google search results — LCP, INP, CLS thresholds and ranking role
  • W3Techs, Usage statistics of WordPress — WordPress market share and CMS statistics
  • CNIL, GDPR compliance and cookies — legal obligations on consent and personal data
  • MDN Web Docs, HTTP Headers — technical documentation on HTTP security headers
  • OWASP, WordPress Security Implementation Guideline — web and WordPress security best practices