Blog · WordPress SEO

WordPress SEO Audit Checklist (2026): A Complete Step-by-Step Guide

Published: May 4, 2026

Reading time: 11 min

By: AuditDepot

WordPress powers a huge share of the open web — and a huge share of the avoidable SEO problems on it. A WordPress SEO audit isn't just a generic technical scan; it's a targeted walk through the settings, themes, plugins, and rendering quirks that quietly tank rankings on otherwise-healthy WordPress sites. This checklist covers every layer that matters in 2026, with the tools to run each step.

What Is a WordPress SEO Audit?

A WordPress SEO audit is a structured evaluation of a WordPress site against the technical and on-page factors search engines actually rank on, scoped to the platform's specific failure modes. WordPress is opinionated software: it ships with default settings, default URL structures, default category and tag pages, and an extension model that lets a single plugin add 200 new database queries per pageview. Each of these defaults can quietly suppress rankings if you don't audit them.

A generic technical audit will catch broken links, slow pages, and bad canonicals on any platform. A WordPress audit catches the platform-specific issues a generic crawl misses: a forgotten "Discourage search engines" checkbox in Settings → Reading, a default ?p=123 permalink structure that flattens topical signal, a Yoast/Rank Math conflict producing duplicate meta tags, attachment pages competing for the same query as your real content, and a page builder shipping 800KB of unused JavaScript on every pageview.

This checklist is organised into seven areas, in priority order: WordPress core settings, on-page SEO via your SEO plugin, indexation and sitemaps, speed and Core Web Vitals, internal linking and content, security, and structured data. Work through them top-down — early-stage settings problems make every later check meaningless until they're fixed.

1. WordPress Core Settings

Before touching any plugin, audit the settings that ship with WordPress itself. These are the highest-leverage checks because they're free, immediate, and almost always misconfigured on at least one of the sites you're auditing.

Reading and Visibility

Open Settings → Reading and confirm the "Discourage search engines from indexing this site" checkbox is unchecked. This single checkbox adds noindex to every page on the site. It's enabled by default on staging environments and gets carried into production more often than anyone wants to admit — and is the single most common WordPress SEO failure. Confirm the "Your homepage displays" setting matches your intended home page (a static page for most marketing sites, "Your latest posts" for blog-first sites). The wrong setting here results in the wrong page ranking — or no page ranking — for brand queries. Check that "Search engine visibility" is configured per environment. Staging and development copies of the site should have the checkbox enabled (and ideally a separate robots.txt); production must not.

Permalinks

Open Settings → Permalinks and confirm the structure is /%postname%/ or /%category%/%postname%/ — not the default ?p=123. Default permalinks produce URLs that carry zero topical signal, and changing the structure later requires careful redirect management. Pick one canonical permalink format and stick to it. Mixing /category/post/ URLs with bare /post/ URLs across different post types creates near-duplicate content paths that confuse Google. Verify Category and Tag base settings. Empty bases produce /topic/ URLs (clean), while leftover defaults produce /category/topic/. Whichever you choose, check existing crawled URLs and add 301 redirects for any change.

Default Categories and Tags

Rename the default "Uncategorized" category in Posts → Categories. A live /category/uncategorized/ URL ranks for nothing and signals abandonment. Audit category and tag pages. Each one is a real, indexable archive page on most WordPress themes — and many sites end up with 50 thin, near-empty tag archives competing with content pages. noindex tags or thin categories via your SEO plugin's taxonomy controls. Disable attachment pages. WordPress generates a /?attachment_id= page for every uploaded image. These are content-thin, indexable by default, and a recurring source of "Discovered – currently not indexed" errors. Yoast and Rank Math both have a one-click setting to redirect attachment URLs to the parent post.

2. SEO Plugin Configuration

Yoast and Rank Math both handle the same core jobs. The audit isn't about which plugin you've chosen — it's about whether it's configured correctly and running alone.

One Plugin, Configured Properly

Confirm exactly one SEO plugin is active. Running Yoast and Rank Math (or All in One SEO) simultaneously produces duplicate <title> tags and conflicting meta descriptions in page source. View the source of any page and grep for the literal string <title; it should appear once. If you're switching plugins, run the import tool inside the new plugin to migrate titles, meta descriptions, focus keywords, and noindex settings — then deactivate and uninstall the old one. Stale settings sitting in the database from an uninstalled plugin can leak into the page source if remnants are left behind. Configure the plugin's site-wide title and meta description templates. Most rely on a %%title%% %%sep%% %%sitename%% pattern by default, which is fine — but custom post types frequently inherit a broken template that produces titles like "%title% – ".

Per-Page SEO Output

Audit your top 20 pages by traffic. Each should have a unique, descriptive <title> tag (50–60 characters), a unique meta description (140–160 characters), and a single H1 that reflects the page's primary keyword and intent. Confirm Open Graph and Twitter Card tags are populated, with a default site-wide social image set in your SEO plugin's social settings. Missing OG tags produce ugly, click-killing previews on LinkedIn and X. Spot-check canonical tags on paginated archives, search results, and parameterised URLs. Canonical sloppiness is the most common source of duplicate content findings on WordPress, particularly on WooCommerce stores with filter/sort URL parameters.

3. Indexation and XML Sitemap

A WordPress site can be perfectly fast, well-themed, and meticulously linked — and still not show up in search if Google can't crawl it cleanly.

XML Sitemap

Confirm your XML sitemap is generated by your SEO plugin (/sitemap.xml or /sitemap_index.xml) and contains only canonical, indexable URLs. Custom post types, taxonomies, and authors should each be split into their own sub-sitemaps. Submit the sitemap in Google Search Console under Sitemaps. Status should read "Success" and the URL count should be within ~10% of the indexable URL count from a Screaming Frog crawl. A wide gap means either crawl-blocked URLs are in the sitemap or canonical URLs are being excluded. Disable WordPress's built-in /wp-sitemap.xml if your SEO plugin generates its own. Two competing sitemaps confuse crawl prioritisation; both Yoast and Rank Math do this automatically when active, but verify after any plugin deactivation.

Indexation Status

Open Search Console → Pages and read the "Why pages aren't indexed" breakdown. Common WordPress-specific entries: "Excluded by 'noindex' tag" (often attachment or tag pages), "Crawled — currently not indexed" (often thin author archives or empty taxonomies), and "Page with redirect" (often attachment URLs redirecting to parent). Run site:yourdomain.com in Google as a sanity check. The result count should approximate your published page count. Wildly inflated counts often surface attachment pages, paginated comment URLs, or duplicate query-string variants leaking into the index. Check robots.txt at yourdomain.com/robots.txt. WordPress generates a virtual file by default. Confirm /wp-admin/ is blocked but /wp-admin/admin-ajax.php is allowed (some themes and plugins use it for front-end functionality).

4. Speed & Core Web Vitals

WordPress performance is an audit category of its own. Themes and plugins compound: each adds CSS, JavaScript, and database queries on every pageview, regardless of whether the rendered page actually uses them.

Theme and Plugin Audit

List installed plugins (Plugins → Installed Plugins) and identify any not in active use. Inactive plugins still occupy disk and database space; deactivated-but-installed plugins do not run code, but they're a security and clarity drag — uninstall the ones you don't need. Audit the active theme. Visual page builders (Elementor, Divi, WPBakery) typically ship 200–500KB of theme CSS plus a similar JS payload before any page-specific assets load. Lightweight themes (GeneratePress, Astra, Kadence) routinely cut total page weight by 40% or more. Identify plugin sprawl. Sites running 30+ plugins almost always have overlap (two analytics plugins, two caching plugins, three security plugins). Consolidate where you can — every plugin is a maintenance, performance, and security surface.

Core Web Vitals

Pull field data from Search Console → Core Web Vitals. Target: LCP under 2.5s, INP under 200ms, CLS under 0.1 on the 75th percentile of mobile users. WordPress sites with stacked plugins commonly fail INP without anyone noticing. Install or audit a caching plugin: WP Rocket (paid), W3 Total Cache, LiteSpeed Cache (if your host runs LiteSpeed), or your host's built-in cache (Kinsta, WP Engine, SiteGround). Confirm full-page caching is enabled, browser caching headers are set, and minification of CSS/JS is on with no front-end breakage. Audit image delivery. Images should be served in WebP or AVIF, sized for their display dimensions, and lazy-loaded below the fold. Plugins like ShortPixel or Imagify automate this; native WordPress lazy-loading handles below-the-fold by default but doesn't compress. Check that the LCP element on key pages (typically the hero image) loads with fetchpriority="high" or a <link rel="preload"> hint. WordPress 6.3+ adds fetchpriority automatically for the first large image in the viewport — verify it's actually being applied by viewing page source.

Hosting

Confirm your host runs PHP 8.1 or newer. PHP 7.4 reached end-of-life in late 2022; running it now is a security and performance liability. Most managed WordPress hosts upgrade automatically, but shared hosting often lags. Check Time to First Byte (TTFB) using PageSpeed Insights or webpagetest.org. Anything over 600ms on a cached page indicates a hosting bottleneck — typically slow shared hosting, an undersized database, or no full-page caching layer.

5. Internal Linking and Content

WordPress makes content easy to publish and easy to lose. A site with 400 published posts and no internal linking strategy is leaving most of its potential equity on the table.

Internal Links

Run a Screaming Frog crawl (free up to 500 URLs) and identify orphaned pages — pages with zero internal links pointing to them. On a typical blog-heavy WordPress site, 10–20% of posts are orphans because they only got linked from the homepage's recent-posts feed when first published. Audit anchor text on internal links. Generic anchors ("read more", "click here") pass no topical signal. Use descriptive, keyword-relevant anchors when linking between contextually related posts. Identify your top three to five revenue or conversion pages. Each should have at least 10 contextually relevant internal links from other content, not just from the navigation menu. Equity from menu and footer links flows to those pages thinly; equity from in-content links flows much more strongly. Find and fix all 4xx broken internal links. Use a crawler or the Broken Link Checker plugin (run periodically and uninstall — leaving it active is a known performance drag).

Content Quality

Identify thin content (under 300 words on indexable URLs). For blog posts and content pages, expand or noindex. For product or category pages, add unique descriptive copy beyond the templated boilerplate. Identify cannibalisation. Two posts targeting the same primary keyword split rankings and confuse Google. Either consolidate them with a 301, or differentiate the secondary keyword each targets. Audit the content calendar. Pages that haven't been updated in 18+ months and rank in positions 4–15 are usually one refresh away from a meaningful rankings lift. Prioritise refreshes over net-new content for evergreen topics.

6. Security and Maintenance

A hacked WordPress site is an SEO problem, not just a security one. Malware injections that go undetected for weeks produce manual actions in Search Console and crater rankings until cleaned up. The small business website audit checklist covers some of these items in less depth — this one is the WordPress-specific version.

Updates and Hardening

Confirm WordPress core, all active plugins, and the active theme are running their latest stable versions. Out-of-date plugins are the dominant attack vector for WordPress compromises. Remove unused themes. Inactive themes still receive updates and present the same vulnerability surface as active ones; keep one default backup theme (twentytwentyfive) and remove the rest. Confirm the admin user is not named admin. Default usernames are the first guess in any brute-force login attempt. Create a new admin-role user with a strong password, log in as that user, and delete the original. Audit user accounts. Every user with an admin or editor role should still need that level. Old freelancers, ex-employees, and dormant accounts should be downgraded or removed.

Monitoring

Confirm a backup solution is active and tested. Check that backups complete successfully, are stored off-server (S3, Backblaze, host-managed), and that you've actually performed a restore in the last six months. Untested backups are a coin flip when you need them. Install a security plugin (Wordfence, iThemes Security, Solid Security) or rely on host-level firewall + malware scanning. Verify the firewall is in front of WordPress (Cloudflare, Sucuri) rather than running entirely in PHP — PHP-only firewalls slow every request. Confirm SSL is correctly configured. https://yourdomain.com should resolve, http:// should 301 to https://, and the site should pass an SSL Labs scan with at least an A grade. Mixed-content warnings are a quiet ranking and trust drag.

7. Schema and Structured Data

Yoast and Rank Math both ship sensible default schema. The audit is verifying it actually outputs without errors, and that any custom schema additions don't conflict.

Validate your homepage and a representative content page with Google's Rich Results Test. Both should detect WebSite, WebPage, and BreadcrumbList schema with no errors. For blog and article content, confirm Article schema is present with headline, datePublished, dateModified, author, and mainEntityOfPage populated correctly. Default Yoast/Rank Math output handles this; custom themes sometimes break it. For pages with FAQ blocks, validate FAQPage schema. Note: Google reduced FAQ rich result eligibility in 2023 — schema still parses, but visible FAQ rich results are now mainly reserved for government and authoritative health domains. Implement it for AI search and LLM citation rather than for SERP rich results. For local businesses, confirm LocalBusiness schema is present with name, address, telephone, openingHours, and matching Google Business Profile information. Inconsistent NAP across schema, profile, and footer is one of the most common local SEO findings. For e-commerce (WooCommerce), validate Product, Offer, and AggregateRating schema on product pages. Most issues here come from theme or page builder overrides that strip or duplicate the WooCommerce default output.

How to Prioritise WordPress SEO Audit Findings

A serious audit on a WordPress site with a few years of history will surface dozens of findings. The instinct is to rank by alarm level — but a "critical" finding that takes two days of dev work is the wrong place to start when there's a 30-second checkbox change worth more organic traffic. Use impact × effort^-1 to sort the list.

Fix today

The Reading visibility checkbox is enabled, default ?p= permalinks are still in place, two SEO plugins are running simultaneously, attachment pages are indexed, the SSL certificate has expired, or critical pages have a stray noindex tag. Each of these is fixable in under five minutes and bleeds organic visibility every day it sits.

Fix this month

Theme and plugin consolidation, caching layer setup, sitemap cleanup, internal linking from key pages, content cannibalisation resolution, schema implementation, and PHP/host upgrades. These are the structural wins that compound over a quarter — they don't bleed traffic the way indexation breakage does, but they accumulate meaningful gains.

Maintain quarterly

Re-check Core Web Vitals after any theme or major plugin update; confirm sitemap completeness; spot-check robots.txt after any plugin or hosting change; re-run a crawl to surface new orphans introduced by publishing activity; and audit user accounts and update lag. WordPress drifts faster than most platforms — quarterly hygiene catches drift before it compounds.

If you'd rather not run six tools and a spreadsheet, AuditDepot runs the full WordPress-aware audit automatically and ranks every issue by impact and effort — so you can skip the triage and go straight to the fix list.

Frequently Asked Questions

What is a WordPress SEO audit?

A WordPress SEO audit is a structured review of how a WordPress site is configured, performs, and gets crawled. It looks at WordPress-specific settings (Reading visibility, permalinks, attachment pages, default categories), the impact of the active theme and installed plugins on speed and Core Web Vitals, and the SEO output produced by plugins like Yoast or Rank Math — alongside the universal technical SEO checks Google performs on every site.

Why do WordPress sites need a separate audit approach?

Because most SEO problems on WordPress sites are caused by WordPress itself: forgotten Reading visibility checkboxes that block indexing, default permalinks that produce ?p=123 URLs, conflicting SEO plugins generating duplicate meta tags, page builders that ship 800KB of unused CSS, and out-of-date plugins introducing security vulnerabilities. A generic audit will miss these because they are surfaced inside wp-admin, not in a crawler.

Which is the best WordPress SEO audit tool — Yoast or Rank Math?

Both Yoast and Rank Math handle the core jobs (titles, descriptions, XML sitemap, breadcrumbs, schema) competently. Rank Math's free tier ships more features (multiple keyword tracking, deeper schema types, redirect manager) than Yoast's free tier, while Yoast's UI and content guidance are more polished. The honest answer: pick one, configure it properly, and never run two SEO plugins at once — duplicate output is one of the most common audit findings. For deeper site-wide checks, pair your SEO plugin with AuditDepot or a dedicated crawler.

How long does a WordPress SEO audit take?

A focused audit on a small WordPress site (under 50 pages) takes 60 to 90 minutes if you have a checklist and the right tools open. A larger site with multiple custom post types, an active blog archive, and an e-commerce section typically runs three to four hours for the manual pass, plus another hour to triage and prioritise findings. Automated audits compress the discovery phase but still need human judgment to rank fixes.

What are the most common WordPress SEO audit findings?

Five problems show up in almost every audit: the Reading → Search Engine Visibility checkbox is enabled (blocking indexation), default ?p= permalinks are still in place, the active theme loads 1MB+ of unused JavaScript on every page, attachment pages are indexed and competing with real content, and either no SEO plugin is configured or two are running simultaneously. Fixing these five accounts for the majority of organic gains on most WordPress sites.

Conclusion

A WordPress SEO audit isn't a single plugin scan. It's a methodical walk through seven layers — core settings, on-page SEO output, indexation, performance, internal linking, security, and structured data — each of which can independently suppress organic visibility on a site that otherwise looks fine. Work through them in order: WordPress-specific settings and plugin configuration first, because they nullify everything downstream when broken; indexation and Core Web Vitals next, because they affect every page; internal linking and content quality after that, because they're where compounding equity lives; and security and schema last, because they're the refinements that protect and amplify the foundation.

The goal isn't a clean audit report — it's a ranked fix list your team can actually ship. Use the prioritisation framework above to start with the high-impact, five-minute fixes, then work through the structural improvements that compound over a quarter. That's the audit cadence that produces durable organic gains on WordPress, not just a well-documented snapshot of problems.

Run a free WordPress audit on your site →