A single human-written audit covering security, privacy, performance, accessibility, and design. No noisy scanners. No fearmongering. Just a clear list of what is wrong, what it would cost to fix, and what to do next.
Eight to fifteen pages, severity-sorted, every finding includes a one-line fix.
Extends beyond the homepage to the standard attack surface: login, REST API, sitemap, feed, common WordPress paths, and a sample of internal pages.
One representative page rebuilt to show how the recommendations land, with your brand and advertisers preserved.
A short presentation of the audit and the proposal, ready to share with your team or the people who pay for the work.
45 minutes. I take you through every finding, answer questions, and help you prioritise.
| | |
|---|---|
| Security | CMS version disclosure, REST API enumeration, XML-RPC, login brute-force protection, admin path exposure, third-party script supply chain, OAuth tokens, full security-header pass. |
| Privacy | Trackers loaded before consent, cookies set on first visit, leaked emails in public content, RSS or sitemap information disclosure. |
| Performance | Page weight, third-party origin count, render-blocking assets, image lazy-loading, font loading strategy, estimated Lighthouse score. |
| Accessibility | WCAG 2.1 AA contrast, viewport zoom, heading order, image alt coverage, focus visibility, skip link, keyboard navigation. |
| Design | Typography hierarchy, layout consistency, mobile breakpoints, ad placement quality, social preview cards, broken shortcodes. |
| Code quality | Dead CSS, unused plugins, invalid HTML, version fingerprinting, abandoned dependencies, inline event handlers. |
| SEO and structure | robots.txt, sitemap, canonical tags, redirect map readiness for any future migration. |
No noisy scanners. Every probe is a single HEAD or GET request made with a standard browser User-Agent, the way a real visitor's browser behaves.
You share the URL and any context I should know. Advertisers, recent incidents, things you do not want changed.
No access to your hosting needed for the standard package. I probe public endpoints only.
I write the report and build the slide deck. Live homepage demo if you booked that package.
I take you through every finding, prioritise, and hand over the full folder.
Any of the above can be quoted as a separate engagement.
Nigerian news commentary site. 15 security findings including open REST API user enumeration, no brute-force protection on the login page, and 10+ trackers running without consent. Full report, redesign demo, and slide deck.
UK enterprise tech site. Already well-hardened. Audit found two High items (WCAG-blocking viewport and a missing CSP) plus a tight list of minor improvements. About 16 engineering hours of remediation.
Nigerian pension fund administrator. Regulated financial services site. Strong baseline hardening, four High items, all best-practice gaps rather than active vulnerabilities. About 24 engineering hours plus a clear follow-up.
Same checklist across all three. Same severity grading. Same deliverables. The reports themselves are free to read before you decide.
One-line email with your site URL. I reply within one business day with a 30-minute slot.