Guide

The One-Day WordPress Audit

Anyone evaluating whether their WordPress site needs a real audit, or evaluating the audit proposal currently on their desk. One day on staging, one afternoon to read.

Download file
Size
0.32 MB
Price
Free

The idea behind this audit spec is the one Iris and I land on in the episode: a real audit produces three to five findings, each one actionable, each one fixable in a sprint. The forty-page binder version makes the client feel they spent the money well. The three-finding version is the one that actually changes the site.

What follows is the shape of an audit that earns its name.

What the auditor needs from you (before they start)

  • Staging access that mirrors production (admin login, SFTP or git access)
  • Last 30 days of analytics — page views, top 10 pages, bounce rates, search terms
  • Last 30 days of error log — PHP errors, 500-level, cron failures
  • Hosting tier + plan — so the auditor knows what’s available
  • Plugin list, exported — easier to read than scrolling the admin
  • An honest one-paragraph description of the site’s business goal — what the site is supposed to do, in plain language

If the auditor doesn’t ask for these things before quoting a fixed price, the audit they’re quoting is the binder, not the service.

What the auditor delivers (the actual findings)

A real audit produces a written deliverable with three to five findings. Each finding has the same shape:

  1. Symptom — what’s actually happening, observable, measurable
  2. Cause — what’s causing it, traced through staging
  3. Impact — what it’s costing in dollars, traffic, conversions, or risk
  4. Remediation — what to do about it, in the order of cheapest-first
  5. Effort estimate — hours to implement, with the auditor’s confidence in the estimate

Findings that don’t have all five aren’t findings. They’re notes.

The five things every real audit covers

If any of these aren’t in the deliverable, ask why before signing off:

1. Database health

  • Slow query log: top 10 queries by total time
  • wp_options table size and autoload percentage
  • Index health on wp_postmeta, wp_termmeta, wp_usermeta
  • Orphaned data: revisions, transients, trashed-and-not-emptied

2. Plugin and theme load

  • Active plugin count + justification for each
  • Plugins firing on every page load (not just on the pages they’re meant for)
  • Theme functions.php complexity score
  • Page-builder content that bypasses caching

3. Caching layer

  • Persistent object cache status (connected and serving, or silently failed?)
  • Page-cache hit rate at the host layer
  • CDN cache rules — what’s edge-cacheable that isn’t?
  • Browser cache headers on static assets

4. Front-end performance (real, not Lighthouse)

  • Largest Contentful Paint on the highest-traffic page, real-user data
  • Cumulative Layout Shift on the highest-traffic page
  • Total Blocking Time during interaction with the most-clicked element
  • (Lighthouse scores are noted but not the deliverable — see episode 7 for why)

5. Security and access

  • Plugin update lag — how far behind the available updates is the install?
  • Admin user count + role audit
  • File permissions on wp-content/uploads and wp-config.php
  • HTTPS / HSTS / security headers via curl -I against the production URL

What an audit does NOT include

These belong in different deliverables. If they show up in the audit, the auditor is padding:

  • Implementation — fixing the findings. That’s a separate engagement.
  • Strategy — what the site should do, beyond what it is doing. Different conversation.
  • Design review — visual / UX assessment. Different specialist.
  • Content audit — editorial review of pages. Different specialist.
  • SEO audit — keyword research, link analysis, technical SEO at the search-engine layer. Different deliverable.

A WordPress site audit is technical and operational. Bundling it with strategy or design is what produces the forty-page binder.

Red flags in an audit proposal

If you see any of these in the proposal, ask follow-up questions before signing:

  • “We’ll deliver a comprehensive 40-page report.” Page count is not the deliverable.
  • “Three weeks to complete.” A real audit is a day on staging plus an afternoon to write up. Three weeks means they’re padding or doing other work.
  • No mention of staging access. They’re going to look at the site from the outside and guess.
  • Fixed-price audit without a scoping call first. They don’t know what’s there yet.
  • Auto-generated tool output (Lighthouse, WebPageTest screenshots) as the deliverable. You can run those yourself; that’s not the audit.
  • No specific output spec. “Comprehensive analysis” isn’t a deliverable; “three to five findings with cost and effort estimates” is.

The cost of a real audit

For most Canadian service businesses, a real WordPress audit by a senior practitioner is in the range of $1,500 to $4,000 — half a day to a full day of senior time plus a half-day of writing. If the proposal is above that range, the auditor is either inexperienced, padding, or planning to deliver something other than an audit.

If it’s below that range, the auditor is either underpaying themselves (which means they’ll either burn out or compromise the deliverable) or running a templated script that doesn’t really look at your specific site.

The right audit is small in scope and high in signal. Resist the binder.

Built to go with episode 2 of Sites I’ve Never Seen, and the source essay The WordPress Site Audit Most Agencies Skip in 2026.

Christopher Ross

Your consultant

Christopher Ross

I lead the work personally, from discovery and architecture through delivery and handoff.

  • Twenty-two years delivering training and nineteen years building with WordPress.
  • Direct delivery for media, education, and federal government programs.

Sectors covered: Media · Education · Government

View profile Get in touch

Read the article about this

Ready to put these resources to work?

Grab what you need. When a template hits the wall of your specific situation, book a 20-minute call and I will help you figure out the next move.

Book a 20-min call Browse services