The word "audit" doesn't help. It sounds like something unpleasant being done to you by someone with a clipboard. Like tax audits, or health & safety audits. The kind of audit where you find out about problems you didn't know you had and then have to deal with them.
A website audit isn't quite like that. Or it shouldn't be. Done well, it's more like having someone experienced look at your site with fresh eyes and tell you honestly what they see, and what it would take to make it work harder for the business behind it.
Here's what I actually look at.
The first pass: what a visitor experiences
The first thing I do is visit the site as a potential customer would. I like to go in blind, without the benefit of knowing what the site is supposed to do. Just clicking through it as a stranger would.
This sounds simple, but it reveals a lot. After spending months or years building and editing a site, the people who own it are often completely blind to the obvious things. The homepage that doesn't explain what the business actually does. The About page that talks about values and mission but not about the actual people. The Services page where none of the services have descriptions. The Contact page that has a form but no email address, phone number, or indication of when anyone will respond.
These aren't technical problems, but they show a lack of clarity, which can make the biggest difference when you're trying to make website improvements.
Security
Security gets overlooked on small business websites because owners assume nothing bad will happen to them. But a compromised site costs real money. Take into account downtime, recovery time, and lost trust, and one security issue can hurt any business.
I look at whether HTTPS is properly configured and whether the SSL certificate is valid and not approaching expiry. I check for security headers, things like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and a handful of others. These are HTTP headers that instruct browsers how to handle the site's content, and they're missing on the majority of small business websites.
For WordPress sites (which is most small business websites), I also check whether the login URL is still at the default /wp-login.php path, which makes brute force attacks significantly easier. I check whether the REST API is open in ways it shouldn't be, and whether XML-RPC is accessible. I note whether plugins and themes are up to date, whether any appear to be abandoned by their developers, and whether a backup system exists and is actually running. These are also the things a good WordPress maintenance plan keeps on top of between audits.
None of this requires specialist tools. A lot of it just requires knowing what to look for.
Speed and Core Web Vitals
Speed matters more than most people realise. A site that takes more than a few seconds to load on a mobile connection loses a significant chunk of visitors before they've seen anything. And Google's page experience signals mean slow sites also tend to rank worse.
I run performance checks against Google's PageSpeed Insights for both mobile and desktop, which gives performance scores alongside the Core Web Vitals metrics Google actually uses as ranking signals: LCP (how quickly the main content loads), INP (how responsive the page is to interaction), and CLS (how much the layout shifts around as the page loads). Google considers a site to be performing well only when all three of these pass their threshold, and many small business websites fail on at least one of them.
I also check mobile-friendliness at a technical level: whether the viewport is configured correctly, whether text is readable without zooming, whether tap targets are large enough to use without precision-tapping on a phone.
On-page SEO
I'm not doing a deep keyword analysis at this stage. I'm doing a sense-check of whether the site is doing the basics.
That means checking whether each page has a title tag and whether it's the right length. Checking whether meta descriptions exist and are useful. Checking that each page has a single, descriptive H1 heading. Checking that images have alt text. Checking whether a sitemap exists and whether there's a properly configured robots.txt file.
These are the fundamentals. They're not sufficient on their own for strong search rankings, but getting them wrong works against everything else.
Local SEO
For local businesses, there's a separate layer of things that matter. I check whether the site has LocalBusiness structured data (JSON-LD schema markup) that tells search engines what kind of business it is, where it is, and how to contact it. I check whether the site links to a Google Business Profile. I check whether the NAP (name, address, phone number) is consistent across the site and across major directories like Yell, Google Maps, Bing Places, Thomson Local, Apple Maps, and Facebook.
Inconsistent business information across the web confuses search engines and can actively harm local rankings. It's a straightforward thing to fix, but only once someone has checked it.
Accessibility
Accessibility is the most overlooked area on small business websites, and it's one where the gap between "technically compliant" and "actually usable" is often significant.
I run automated checks using axe-core against the WCAG 2.1 AA standard, which identifies violations by severity — critical, serious, moderate, minor. But automated tools only catch around 30-40% of accessibility issues. The rest require human judgment: manually checking keyboard navigation, reviewing heading hierarchy, checking colour contrast against backgrounds, verifying that form labels are properly associated with their inputs, checking that a screen reader would make sense of the page structure.
WCAG 2.1 AA compliance is also a legal requirement in the UK under the Equality Act. Most small business websites don't meet it.
Content and design
Beyond the technical, I look at what the site actually says and how it's presented.
Content-wise: does the site explain clearly what the business does and who it's for? Are the service pages actually useful, or are they vague and brief? Are there pages that exist but serve no real purpose? Is there a blog, and if so, when did it last publish something? Is the content fresh or is it showing obvious signs of not being touched in years?
Design and UX-wise: I work through a structured review covering first impressions and visual design, trust signals, navigation and information architecture, calls to action, content presentation, and mobile experience. Does a new visitor understand what the business does within five seconds? Is there social proof? Are testimonials real and attributed? Are the calls to action clear and prominent? Does the navigation make it easy to find what you're looking for, or does it require guesswork?
I also keep an eye out for the red flags that I see regularly: autoplay video or audio, intrusive pop-ups on arrival, carousels that hide important content, outdated copyright years in the footer, and value propositions so vague they could apply to any business in any sector.
Analytics
Where Google Analytics and Google Search Console data is available, I look at what the numbers are actually saying.
Traffic trends over time: is the site growing, flat, or declining? Has there been a sudden drop that might correspond with a Google algorithm update? Where is the traffic coming from, and is the business overly dependent on a single channel?
Search Console data tells a different story: what queries is the site actually ranking for, what position, and what click-through rate? Are there queries with high impressions but low clicks — "quick win" opportunities where the content exists but isn't compelling enough to click? What's the brand versus non-brand query split?
This data contextualises everything else. A site with declining organic traffic and a single traffic source has different priorities than one that's stable but simply not converting.
The website audit report
At the end of an audit, I write up what I found and what I'd suggest doing about it. Not a list of everything that could theoretically be better, but a prioritised set of recommendations: quick wins that can be addressed immediately, short-term improvements worth planning for, and longer-term strategic work.
The priority is always: what is this site failing to do that it should be doing? Not what could be improved for improvement's sake, but what is actually costing the business in terms of lost enquiries, lost credibility, or lost visibility.
What to expect from the process
A thorough audit of a small business website takes several hours, or days of focused attention. It's not a half-hour scan with an automated tool. Those tools have their place, but they miss the clarity and communication problems that are often the bigger obstacles, and they can't tell you whether your content would actually persuade a real person to get in touch.
After the audit, you get a clear written website audit report covering every area I've looked at, with findings explained in plain English and a prioritised roadmap for what to address first. You shouldn't come away feeling overwhelmed by a hundred problems. You should come away knowing what to fix first and why. And if you're hiring me to improve your website, I'll help you prioritise each task.
If you're not sure whether your site is doing its job properly, a website audit is usually the best place to start. You probably don't need a website redesign, just a detailed assessment of what you've got and what it would take to make it work better.