Audit your website

Concrete findings and recommendations. PDF report. No need to change hosting.

Analysis

Executive overview

€19 one-time
Categories
6
PDF pages
10–15 pages
Delivery
24 h
  • Score indicator 0–100 and the five weakest areas
  • Pass / fail across standards
  • Findings grouped by severity (critical, warning, informational)
  • Table of measured values in the appendix

How is this different from free scanners?

Free tools cover one area from one angle. This audit is a structured output you can defend in front of management or an auditor.

Eight areas in one report

Free tools typically address one area — headers, performance, or SEO. This audit covers all eight areas in a single pass and a single document.

We crawl the entire site

We follow the sitemap or a provided URL list. Coverage of up to 10,000 links to a depth of four levels. Real behaviour of the whole site, not just the homepage.

Multiple measurements, not one sample

We measure Core Web Vitals repeatedly. We report the median, 10th, and 90th percentile. Free tools give you a single measurement — statistically unreliable.

Annotated screenshots as evidence

Low-contrast text, a cookie banner with consent errors. Visual evidence you can show in a meeting.

Risk register with prioritisation

The ten most serious findings ranked by impact and return on investment, each with a business impact description. You know what to fix first.

Structured to ISO 19011

Audit methodology per ISO 19011, risk register per ISO 31000, and cited standards for web performance, security, and accessibility.

What we check in detail

8 areas, 10+ specific checks. No generic "we reviewed your site" — you see the exact list of measurements.

Security

TLS configuration, headers, email authentication, vulnerabilities, domain reputation.

  • TLS version, weak cipher, and known TLS-related vulnerability detection (Heartbleed, POODLE, BEAST, FREAK, BREACH)
  • HTTPS certificate validity and expiry
  • Six security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Mixed content (HTTPS page loading resources over HTTP)
  • Integrity of external scripts (Subresource Integrity)
  • Email configuration: SPF, DKIM, DMARC, DNSSEC
  • Domain reputation on blocklists: Spamhaus, Barracuda, SORBS, SpamCop
  • Google Safe Browsing check
  • Vulnerability scanning of WordPress core, plugins, and themes (CVE database)
  • Detection of exposed wp-config backups and SQL dumps
  • Magecart attack patterns in external scripts
  • Deep server vulnerability scan (Nikto)
  • Domain record expiry (critical under 30 days)
  • Certificate Transparency log volume

Performance and Core Web Vitals

Multiple measurements of key Google metrics, resource optimisation, startup time.

  • LCP (Largest Contentful Paint) — repeated measurement, median and percentiles
  • CLS (Cumulative Layout Shift)
  • TBT (Total Blocking Time)
  • INP (Interaction to Next Paint) — custom synthetic probe
  • FCP, Speed Index, TTFB
  • Page size in KB, number of HTTP requests
  • Image optimisation (WebP/AVIF, dimensions, lazy-load) + savings in KB per image
  • Render-blocking CSS and JS resources
  • JavaScript startup time, unused CSS and JS
  • HTTP compression (Brotli, gzip)
  • Critical rendering path (HTTP version, synchronous scripts in head)
  • DNS resolution time — repeated measurement

Accessibility (WCAG 2.2 AA + EAA 2025)

Compliance with the European Accessibility Act, contrast, keyboard, touch.

  • Six Lighthouse axe-core checks: contrast, button and link labels, ARIA attributes
  • Eight UX checks via Playwright: focus visibility, skip navigation, ARIA landmarks, form labels
  • Low-contrast text with annotated screenshots (red borders)
  • Mobile viewport, touch target area ≥ 44 px, readable font size
  • Responsive images (srcset and sizes attributes)
  • Heading hierarchy, image alt attributes

SEO and AI visibility

Structured data, rich results, AI crawlers, search engine accessibility.

  • Title, meta description, canonical URL, Open Graph
  • robots.txt and sitemap.xml validation, lastmod currency
  • Heading hierarchy and detection of skipped levels
  • Broken links — site crawl to depth 4 (up to 10,000 links)
  • Structured data — JSON-LD validation, Schema.org coverage matrix
  • Rich results eligibility (Product, Article, FAQ, Organization)
  • AI crawler access (GPTBot, ClaudeBot, Google-Extended, CCBot)
  • Detection of llms.txt and llms-full.txt files
  • E-E-A-T signals: authorship, dates, "About us" or "Team" page, RSS

GDPR and privacy

Cookie banner, retention per ÚOOÚ, pre-ticked consent, withdrawal mechanism.

  • Cookie banner detection with annotated screenshot
  • Cookies set BEFORE consent (violation of ePrivacy Directive Art. 5(3))
  • Presence of a "Reject" button and size symmetry with "Accept"
  • Pre-ticked consent (violation of GDPR Art. 4(11))
  • Complete cookie inventory — 1st vs 3rd party, purpose, retention, attributes
  • Retention check per ÚOOÚ guidance (13-month limit)
  • Detection and content analysis of the Privacy Policy
  • Google Consent Mode v2 and IAB TCF API detection
  • Consent withdrawal mechanism
  • Cookie behaviour after rejection (whether opt-out is respected)

Mobile usability

Viewport, touch target area, readability, horizontal scroll.

  • Presence and configuration of the viewport meta tag
  • Touch target area ≥ 44 × 44 px
  • Readable font size on mobile devices
  • Responsive image attributes (srcset, sizes)
  • Mobile navigation patterns (hamburger, mobile menu)
  • Horizontal scroll detection

Content and readability

Sentence length, text density, navigation depth, language attribute.

  • Sentence length and word complexity
  • Paragraph density
  • Text-to-HTML ratio
  • Navigation depth
  • HTML language attribute

Business signals

Conversion elements, legal compliance, social networks, technology stack.

  • Domain age, sitemap coverage, content freshness, presence of a blog
  • Conversion signals: calls to action, contact form, testimonials, value proposition, trust signals
  • Legal compliance: imprint, terms and conditions
  • Social profile detection (LinkedIn, Facebook, Instagram, X, YouTube)
  • Technology stack identification (CMS, frameworks, analytics, CDN)

What's in each variant

The Audit summarises results into six categories. The Full audit breaks them down into 25 individual modules, each with its own section in the report.

Audit

Modules covered (6)

Executive overview for the site owner, marketing manager, or director.

  • Website security
  • Accessibility
  • Page load speed
  • Search engine visibility
  • AI search readiness
  • Personal data protection & GDPR

References to international standards

The audit cites specific clauses of the standards. The output holds up in an audit or legal context.

  • WCAG 2.2 AA — W3C, web accessibility
  • EN 301 549 — ETSI, European accessibility standard for the public sector
  • OWASP Top 10:2025 — primary security risks for web applications
  • OWASP ASVS 5.0 — application security verification standard
  • ISO/IEC 25010:2023 — software quality model
  • ISO/IEC 27002:2022 — information security controls (~93 controls)
  • GDPR (EU 2016/679) — personal data protection regulation
  • ePrivacy Directive 2002/58/EC — legal basis for cookie consent
  • ISO 19011:2018 — auditing guidelines (report structure)
  • ISO 31000:2018 — risk management (risk register methodology)

Frequently asked questions

SEO (technical + on-page), Core Web Vitals (LCP, INP, CLS), accessibility (WCAG 2.2), security (full audit).
Analysis within 24 hours, full audit within 5 business days.
Concrete prioritised actions. The full audit also includes an implementation plan.
Yes, you receive a permanent PDF link by email.
The report is structured per ISO 19011:2018 methodology, the risk register follows ISO 31000, and the terminology conforms to ČSN ISO 19011. Annotated screenshots serve as visual evidence. No generic statements like "we found some issues".