Skip to main content Headstrong Internet

WordPress Site Audit Checklist

Published: 2022-10-14 | Updated: 2022-10-14

The following is a discussion of various best practices for your WordPress website, including specific recommendations to improve the security, performance and usability.

General Site Configuration

Site Uses Secure Connection

These days, all websites should use a secure connection. This means the website address starts with https:// instead of just http:// and that visitors will see the padlock icon in the address bar.

Your site should also be configured to automatically redirect non-secure connections to the secure version.

Use “www” Consistently

You can choose whether to have the www. before your domain name or not. It’s quite old fashioned these days but it’s entirely up to you. The most important thing is to make sure your use of it is consistent.

Your site should be accessible with or without the www. , and it should also automatically redirect to whatever version you have decided upon. This ensures a consistent user experience, improves browser caching, and helps your SEO by only permitting a single URL per page of your site.

Use A Proxy Server

To help protect against malicious attacks, improve performance and the general security of your website, it’s highly recommended to put it behind a DNS proxy service such as Cloudflare. Free accounts are available.

Cloudflare automatically blocks a lot of malicious traffic, and helps stop targeted attacks on your website. Even when nothing bad is going on, it provides lots of tools to increase the performance of your website, tighten security, collect analytics and save bandwidth.

The following free plugins should be installed on every WordPress installation:

Security & Firewall

It is highly recommended to have a security plugin installed. Due to the popularity of WordPress, it is the target of a lot of hacking attempts, often by automatic bot networks trying various things to gain unauthorised access.

Security plugins take various steps to secure your WordPress installation, and prevent hackers gaining access. It’s a bit of a nightmare if an unauthorised user does gain access as they can insert malicious code anywhere and even after much time cleaning up your site you are never completely sure if you have mopped up everything. Prevention is much easier than the cure!

Image Optimiser

Many users don’t know how to optimise their images correctly for the web. This often results in oversized images which hugely slow your site down.

An image optimising plugin will automatically resize your images when you upload them, so you don’t have to remember to resize every image yourself. It will also process all of your existing images to ensure none of them are oversized.

Caching & Minifying

The way that WordPress and its plugin architecture is set up means that a typical site ends up getting slower and slower the more plugins you enable. Much of the time this is because each plugin adds new dependencies to the web page.

When the page loads, all of these dependencies have to be downloaded and processed. When a user visits a page for the first time, they have to wait. Your browser may cache a lot of these assets, speeding up subsequent page loads, but there is a better solution.

A caching plugin will bundle together a lot of the web site assets so that the user’s browser has to make many fewer requests to obtain all the required assets.

The plugin will also compress all the assets to speed up download time.

It can also cache the entire version of a page, so that WordPress does not even need to construct it for every request and the page can be served almost instantly.

Security Recommendations

Setup Two-Factor Authentication

It might seem like a pain, but username/password combinations are often easy to hack. Having a two-step authentication hugely improves the security of your login screens. This is usually in the form of a code sent by email or SMS that you enter in addition to your username and password.

Uninstall Redundant Plugins

Any code installed in your site is a potential security risk. If you are not using a plugin, do not just leave it installed or even just deactivated. Actively remove unused plugins by completely uninstalling them.

Most plugins will leave their settings in the database when removed, so re-installing them later if needed should be a very simple procedure.

Enable Plugin Auto-Update

Most plugins regularly release updates. Sometime this is for new functionality, but often it’s to resolve security issues. It is important to regularly update plugins to their latest versions.

WordPress has an auto-update feature for plugins. I recommend that, if you trust the plugin author (i.e. it’s a well established plugin with a wide user base), then you should enable auto-updates.

Manual Plugin Updates

For other plugins it’s recommended to perform manual updates and importantly test your site between each individual plugin upgrade. This allows you to immediately know which plugin broke your site in the even of a problem.

It does not matter where your website is hosted, if it sets cookies that track any kind of user data then you are legally obliged to present a Cookie Consent popup to visitors from the EU.

This also includes Google Analytics, which most sites have installed to monitor their traffic.

Search Engine Optimisation

This is a huge topic which is well outside the scope of this article. However, there are some basics which should be covered here.

Title & Meta Description Tags

Each page on your site should have a unique <title> tag. This is used as the main link when your site is shown in search results.

Additionally, each page should have a unique <meta name="description"> tag that provides a short description of what the page is about.

Provide A Sitemap File

It is best practice to help the search engines find the relevant content on your site. One of the best ways to do this is to provide a sitemap.xml file. This file contains links to each of the important pages on your site, and it a tool that allows you to guide search engines to the most important pages of your site.

Provide A Robots File

Another useful tool you can use to help search engines index your site properly is to provide a robots.txt file. This contains simple instructions about what areas of your site should be indexed by search engines, and which should be ignored. It only takes a few minutes to create a robots file and all sites should have one.


You should be consistent in the way you brand your website, and this applies to your logo, the font, the colour scheme and anything else linked to your branding. Not only does this make life easier for your visitors, it improves your performance on search engines.

Use A Favicon Image

A “favicon” a tiny version of your logo that is shown in the tab of the user’s web browser. It should be distinctive even at very small sizes, so many people use a simplified version of their logo, or just one part of their logo, to make this work.

NAP Consistency

NAP Consistency refers to the accuracy of a location-based business’s Name, Address, and Phone number across all business listings, local directories, social media profiles, and websites.

It is widely considered a search ranking factor for local SEO. Don’t forget about your homepage URL as well as this is the most important element to keep consistent.

Back to top

Application Development

Unlock the value in your business with custom software solutions.

Save time and money, and keep all your customers happy.

Cloud Server Management

We can manage your infrastructure, ensuring your application is always available and performant.

Flexible solutions for all types of app.

Software Consulting

Got a new software project? Don't know where to start?

We can help you plan, design and build a successful application for your business.

Website Design & Build

Development of all types of website from personal blogs to e-commerce sites.

We work with WordPress, CraftCMS, Symfony and more.

Headstrong Logo

©2022 Ben Roberts

Headstrong Internet Services Ltd
Registered in England and Wales
Company number 06500823

Working Hours

Monday - Friday 10:00 – 16:00
Saturday and Sunday Closed