Your website sucks.

Analyzes database tables for fragmentation and auto-increment limits.

Analyzes MySQL configuration, slow query log, buffer sizes, and connection usage.

Verifies that the server delivers compressed responses (gzip/deflate/brotli).

Validates PHP memory_limit, max_execution_time, and upload size configuration.

Checks for Redis or Memcached object caching to reduce database load.

Analyzes PHP OPcache status and configuration for optimal performance.

Monitors disk space, memory usage, CPU load, and inode consumption on the server.

Verifies Cache-Control, ETag, Last-Modified, and Expires headers for efficient browser caching.

Estimates the CO2 emissions per page view based on page weight and resource count, using Green Web Foundation methodology.

Measures real-user experience metrics: LCP (loading), CLS (visual stability), and INP (interactivity) using headless Chrome.

Detects CSS @import rules that create additional render-blocking round trips.

Counts DOM elements to detect overly complex pages that slow down rendering.

Checks font loading strategy, number of font families, and font-display usage.

Checks if the server supports HTTP/2 for faster page loading.

This site does not advertise HTTP/3 (QUIC) support.

Checks for modern formats (WebP/AVIF), explicit dimensions, responsive images, and optimization.

Checks for inline critical CSS and render-blocking stylesheet optimization.

Checks that offscreen images use loading="lazy" and above-the-fold images do not, to optimize loading performance.

Measures the total transfer size of the HTML document.

Checks for dns-prefetch, preconnect, preload, and prefetch link hints to optimize resource loading.

Checks compression, render-blocking resources, lazy loading, and page size.

Analyzes external scripts loaded on the page and their impact on performance.

Measures server response time — the delay before the first byte of the page is received.

Probes for publicly accessible sensitive files and directories (.git, .env, backups, config files).

Checks if admin panels and database tools are publicly accessible without restrictions.

Cross-references your CMS version, plugins, and themes against known CVE vulnerabilities from NVD, WPScan, and Packagist.

CMS-specific security and performance checks tailored to your platform.

Analyzes composer.lock for outdated or vulnerable packages.

Checks database user privileges, MySQL/MariaDB version, and remote access settings.

Detects if debug/development modes are enabled in production across CMS and frameworks.

Detects default database usernames, table prefixes, admin accounts, and security keys.

Checks if directory listing (index of files) is enabled on public directories.

Checks for exposed .env files, database backups, debug pages, and debug mode.

Compares CMS core file checksums against official versions to detect unauthorized modifications.

Checks chmod permissions on critical configuration files and directories.

Validates HTTP to HTTPS redirect and www/non-www consistency.

Scans for database and cache service ports accessible on localhost.

Audits PHP version, dangerous INI directives, extensions, and OPcache status.

Checks for dangerous extensions loaded in production and missing recommended extensions.

Checks if the PHP version still receives security patches.

Analyzes .htaccess, server headers, and directory listing settings.

Checks session cookie configuration: Secure, HttpOnly, SameSite, and strict mode.

Validates expiration, trust chain, and TLS protocol version (1.2 minimum).

Audits permissions on /tmp and PHP session storage directories.

Checks if the server exposes its software version in HTTP headers.

Checks if the WordPress REST API exposes sensitive data like user listings.

Checks if WordPress XML-RPC endpoint is publicly accessible.

Verifies Secure, HttpOnly, and SameSite attributes on cookies.

Cross-Origin Resource Sharing headers are misconfigured.

Your Content Security Policy is missing or contains weak directives that reduce its effectiveness.

Detects email addresses displayed in plain text on the page.

Checks if sensitive files (.env, .git, backups, debug logs) are publicly accessible.

Your HSTS header is missing or not fully configured for preload submission.

Verifies CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

Detects HTTP resources loaded on an HTTPS page.

Checks for excessive HTTP redirections that slow down page loading.

No security.txt file found at /.well-known/security.txt.

Checks whether JavaScript source maps (.map files) are publicly accessible, which exposes your original source code.

Validates expiration, trust chain, and TLS protocol version (1.2 minimum).

Checks whether external scripts and stylesheets use the integrity attribute to prevent tampering.

No or insufficient author attribution detected. Author bios and bylines are key E-E-A-T signals.

Breadcrumb navigation lacks structured data markup.

Tests internal links for 404 and server errors.

Validates that the canonical URL is correctly configured: no duplicates, absolute URL, correct protocol, and consistent domain.

Citation quality is weak. Linking to authoritative sources demonstrates expertise and authoritativeness.

Missing or insufficient contact information. Visible contact details are essential for trustworthiness.

Evaluates page word count and text-to-HTML ratio to detect thin or low-quality content.

No professional credentials or expertise signals found. Displaying qualifications builds E-E-A-T.

Validates hreflang tags for multilingual/multi-region SEO.

Analyzes the number of internal links and anchor text quality to assess site navigation and SEO link equity.

Compares server-rendered HTML with JS-rendered HTML to detect content that is only visible after JavaScript execution, which impacts SEO crawlability.

Checks Open Graph (og:) and Twitter Card meta tags for social media sharing.

No original research or first-hand data signals found. Original content is a key Experience signal.

Paginated content is missing rel="next"/"prev" link tags.

Missing privacy policy or compliance signals. Privacy compliance is essential for trustworthiness.

Checks for a valid robots.txt file with sitemap reference.

Structured data schemas have missing or invalid required properties.

Checks title tag, meta description, headings, canonical URL, and robots directives.

Validates the presence and format of an XML sitemap.

Detects JSON-LD, Microdata, or RDFa structured data (Schema.org).

Insufficient trust signals found. Trust indicators like terms of service, reviews, and date information improve E-E-A-T.

Checks alt attributes, form labels, viewport meta, skip links, and heading hierarchy.

No accessibility statement page found on this site.

Validates ARIA roles, landmarks, and accessible interactive elements.

Checks for small fonts, low contrast patterns, and zoom restrictions.

Checks that form inputs have associated labels (via <label>, aria-label, or aria-labelledby) and proper autocomplete attributes.

Checks for keyboard accessibility issues: negative tabindex on interactive elements and removed focus outlines.

Measures actual foreground/background color contrast ratios using computed styles. WCAG 2.1 AA requires 4.5:1 for normal text and 3:1 for large text.

Animations detected but no prefers-reduced-motion media query found.

Checks interactive elements meet the WCAG 2.2 minimum target size of 24×24 CSS pixels for mobile usability.

Some videos are missing captions or subtitles.

Checks for inactive plugins, outdated components, and excessive plugin count.

Checks WordPress WP-Cron configuration, overdue scheduled tasks, and last execution time.

Validates PHP error reporting, logging configuration, and error frequency in logs.

Analyzes PHP error logs for fatal errors, recurring warnings, and deprecations.

Checks DNS records for SPF, DKIM, and DMARC email authentication to prevent spoofing and improve deliverability.

Detects JavaScript errors logged to the browser console during page load using headless Chrome.

Verifies that 404 error pages return proper status codes and custom designs.

Detects obsolete HTML tags and attributes that should be replaced with modern CSS.

Checks for the presence of a favicon (browser tab icon).

Checks for essential legal pages and cookie consent mechanisms required by GDPR, ePrivacy Directive, and other regulations.

Validates viewport configuration and responsive design indicators.

Checks for HTML5 landmark elements (header, nav, main, footer, article, section) to ensure a well-structured, accessible document.

No service worker detected on this site.

Web app manifest is missing or incomplete.