WQI.web​qualityindex
Method v1.2.0 86 live / 86 total factors methodology

Homeeia-international.org

eia-international.org

Positive Web Contributor
63/ 100web quality

For press, decks, and citations.

verdict counts19 pass5 warn21 fail30 n/a·method v1.2.0·scanned 2026-04-28

Built by Charity web design· detected via regex (99% confidence)

Web Standards · all applicable pillars passed

The table-stakes layer — every site either meets these or doesn’t. The Web Quality score is computed only when Web Standards passes.

Functional

pass3/3

Preconditions for being scored at all — the site responds, isn't on a phishing blocklist, and isn't a parked / for-sale page.

  • Site respondsprecondition
    HTTP 200
  • Not on safe-browsing blocklist
    not measured — dbl_query_failed
  • No deceptive redirectprecondition
    Final host matches requested (eia-international.org)
  • No critical mixed content
    No mixed content detected

Security

fail4/5

The minimum security baseline every site on the modern web should meet — valid TLS, baseline email auth, no exposed admin surfaces.

  • Valid TLS certificate
    ssl_days_remaining=364.99985944444444, not_after=2027-04-28T05:00:50.000Z, source=url_scanner
  • No exposed sensitive paths
    findings={"path":"/wp-admin","status":200}|{"path":"/wp-login.php","status":200}|{"path":"/admin","status":200}, total_checked=6
  • DMARC published
    present=true, policy=quarantine
  • SPF record present
    present=true, raw="v=spf1 a mx include:servers.mcsv.net include:spf.protection.outlook.com include:spf.mandrillapp.com ip4:54.240.7.32 include:spf.hornetsecurity.com include:_spf.smtp.mailtrap.live include:_spf.intacct.com -all", qualifier=hardfail
  • No WordPress user enumeration
    exposed=false

Accessibility

fail2/3

The minimum WCAG-aligned accommodations every site owes the humans who land on it — readable contrast, alt text, navigable structure.

  • Image alt text coverage
    lighthouse_score=1, failing_count=0
  • Sufficient color contrast
    lighthouse_score=0, failing_count=7
  • Valid heading hierarchy
    lighthouse_score=1

Identity

pass3/3

Whether the site is honest about who runs it and how a visitor can reach a real human.

  • Operator is identifiable
    Organization schema or About page detected
  • At least one contact channel
    Contact channel detected (page link, tel:, widget, or address)
  • Branded domain email
    branded=true, provider=generic

In plain English · 7 questions, drilling down to the 98 factors

A reader-first rollup. Each card maps to the underlying factors — click to expand, or scroll for the full technical breakdown.

Can people find this site?

fail48
6 of 8 failing — expand to see which.
2 pass · 6 fail · 7 n/a
  • Hidden labels that explain your business to Google
    Behind the scenes, your pages can carry small tags that tell Google whether you're a restaurant, a dentist, or a law firm — and your hours, prices, and reviews. Without them, Google has to guess, and the rich result with stars and photos goes to a competitor instead.
  • A clear headline on every page
    Every page should announce, in one obvious sentence, what it's about. When that's missing, Google and skim-reading visitors both lose the thread of what you do.
  • Whether your behind-the-scenes labels are valid
    The hidden tags that describe your business to Google only work if they're written correctly. A typo or wrong format and Google ignores them, so the stars, hours, and prices never show up next to your listing.
  • A trail showing where visitors are on your site
    Those little 'Home > Services > Teeth Whitening' trails help Google understand how your pages connect, and they often appear right inside your search result. Without them, your listing looks plainer than competitors'.
  • Whether you're listed with the Better Business Bureau
    Older customers and people considering a big-ticket purchase still check the BBB. An accreditation badge — or just a clean profile — quietly answers the question 'is this business real and reachable if something goes wrong?'
  • How well your site feeds AI the right facts
    When ChatGPT or Perplexity describes your business, they're pulling from the structured details on your site. The thinner those details, the more the AI guesses — and the more often it gets your hours, prices, or services wrong.
  • How your site appears when shared or in search results
    The headline, blurb, and image that show up when someone posts your site on Facebook, sends it in iMessage, or sees it in Google. If they're missing or wrong, you look unfinished or attract the wrong clicks.
  • How easy it is to reach your deepest pages
    If a customer or Google has to click five or six times from your homepage to find a service or product page, most never make it. Important pages should be two or three clicks away, max.
  • A map of your site for search engines
    Google needs a list of every page you want it to find, plus a note about which ones to skip. Without it, parts of your site quietly go missing from search results.
  • Common questions answered in a Google-friendly way
    When your FAQs are formatted the way Google likes, your answers can show up directly in search — sometimes before anyone even clicks. That's free real estate competitors are taking from you.
  • Telling Google which language a visitor should see
    If you serve customers in more than one language or country, your site needs to tell Google which version is for whom. Otherwise a Spanish-speaking customer might land on your English page and bounce.
  • Visitor privacy on hostile networks
    Hides which website a visitor is opening from coffee-shop WiFi, corporate proxies, and government censors. It's a newer feature, so having it on is a real sign your site is keeping up with the modern web.
  • A summary file for AI assistants
    ChatGPT, Claude, and Perplexity look for a small text file at /llms.txt to understand what your business is and what to say about it. Without it, they guess, and the guess is often wrong.
  • Whether you're letting AI assistants read your site
    Your site can quietly tell ChatGPT, Claude, and Google's AI to stay out — or to come in. If you're blocking them by accident, you're invisible when customers ask AI for a recommendation in your category.
  • A direct line for AI assistants to your business
    A small file you can publish lets AI tools talk to your site directly — checking availability, prices, or booking. Without it, you're missing out as customers shift from Googling to asking ChatGPT.

Is it safe to visit?

fail75
1 of 3 failing — expand to see which.
2 pass · 1 fail · 18 n/a
  • Private files aren't open to the public
    Things like login pages, admin panels, and developer files should never be reachable by a stranger typing a guess into their browser. When they are, they become the front door for an attack.
  • Your padlock isn't about to expire
    The little padlock next to your address bar comes from a certificate that has to be renewed on a schedule. If it lapses, every browser slams a full-screen red warning in front of your customers and they bounce.
  • WordPress isn't leaking your usernames
    A default WordPress setting publishes a list of every login name on your site, which attackers feed straight into password-guessing tools. Turning it off takes one plugin or one line of config.
  • Browser-level protections for visitors
    Hidden settings your site sends to a visitor's browser to block common attacks like fake login overlays, hijacked sessions, and content sniffing. Modern hosting platforms set them by default; older custom-built sites often don't.
  • Your domain can't be quietly hijacked
    An extra signature on your domain settings that stops attackers on shared WiFi or shady networks from rerouting your customers to a fake version of your site. Most domain registrars offer it as a one-click toggle.
  • Only your approved vendors can issue your padlock
    A short list at your domain registrar that names which companies are allowed to issue security certificates for your site. Without it, a sloppy or compromised certificate vendor anywhere in the world could mint a fake one for your domain.
  • Your site is on the browser-baked-in safe list
    An opt-in list shipped inside Chrome, Safari, and Firefox themselves. Once your domain is on it, browsers will never let a visitor fall back to an unencrypted connection — even before they've ever visited you.
  • Your site uses up-to-date encryption
    Older versions of the encryption that powers the padlock have known holes and were retired by every major browser years ago. If your server still accepts them, security scanners and payment processors will start flagging you.
  • Forgotten subdomains aren't an open door
    If you ever spun up something like blog.yoursite.com or shop.yoursite.com and later abandoned it without cleaning up the DNS, a stranger can sometimes claim that address and put their own content under your name.
  • Your domain isn't on a spam blocklist
    Anti-virus tools, email filters, and corporate firewalls share lists of domains tied to malware or scams. If yours lands on one — even by mistake — your emails go to spam and your site gets blocked at offices and schools.
  • The padlock uses strong, modern math
    Inside every encrypted connection there's a recipe — newer recipes are bank-grade, older ones have known weaknesses. If your server still falls back to the old ones, security scanners and cyber-insurance audits will flag it.
  • Old recordings stay locked even if a key leaks
    If someone ever steals your server's master key, well-built encryption still protects every conversation that happened before the theft. Without it, an attacker who quietly recorded traffic for years can suddenly read all of it.
  • Your padlock isn't using outdated keys
    The certificate behind your padlock is signed with a kind of math that has to keep up with the times. Old, short keys are being phased out — sites still using them will start showing warnings in browsers.
  • Your padlock loads cleanly on every device
    Browsers can usually paper over a half-installed certificate, but phones, apps, and older email clients can't — they'll show an error and refuse to connect. This is one of the most common silently-broken setups on the web.
  • Visitors connect faster on the first click
    A small efficiency where your server checks once that the certificate is still valid and shares the answer with everyone, instead of every visitor's browser making its own trip across the internet to ask. Faster page loads, better privacy.
  • Your certificate is publicly logged
    Every legitimate certificate today gets recorded in a public ledger so fake ones get caught quickly. Browsers refuse to trust certificates that skip this step, and yours needs at least two log entries to clear the bar.
  • Future-proof against tomorrow's computers
    Researchers worry that quantum computers, when they arrive, could crack today's encrypted recordings after the fact. The newest encryption recipes already protect against that — and Chrome and Cloudflare turned them on in 2024.
  • Your padlock renews on a healthy schedule
    Short-lived certificates that auto-renew are the new normal — they prove your renewal automation works and limit the damage if a key ever leaks. Multi-year certificates from old paid vendors are increasingly seen as a smell.
  • Strict mode for your padlock check
    An advanced setting that tells browsers to refuse the connection if the freshness check on your certificate goes missing, instead of quietly accepting it. Rarely turned on — when it is, it's a clear sign someone competent runs the server.
  • Your padlock comes from a reputable vendor
    Some certificate vendors have been kicked out of browsers in the past for sloppy practices. Sticking with a well-known name — Let's Encrypt, DigiCert, Cloudflare, Google, Sectigo — means your padlock keeps working on every device for years.
  • Your site finishes its handshake quickly
    Before a page can even start loading, the browser and server have a quick back-and-forth to set up the encrypted connection. When that takes too long, every first-time visitor feels the lag — and Google notices it too.

Is it fast?

fail62
5 of 11 failing — expand to see which.
4 pass · 2 warn · 5 fail · 1 n/a
  • Your site uses the newest connection style
    The latest version of the web's delivery protocol shaves real time off how fast your site feels, especially on spotty mobile networks. It's a free upgrade that better hosts and CDNs already include.
  • Reachable on the modern internet
    A growing share of phone and home networks now use the newer addressing system. Sites stuck on the old one get a small but real ranking nudge against them and load slower for those visitors.
  • Your photos are saved in modern formats
    Older photo formats can be five times heavier than newer ones, so your homepage drags on a phone and Google notices. Most hosts and platforms can convert your images automatically.
  • Your text shows up while fonts load
    If custom fonts aren't set up right, your headlines stay blank for a second or two — visitors see a flash of nothing where your name should be, then bounce. The fix is one line of code at the font.
  • Photos lower on the page wait their turn
    When every image loads at once, the top of your page stalls because the phone is busy fetching pictures nobody can see yet. Loading them as a visitor scrolls is a one-line fix that makes the first screen pop in faster.
  • How fast your site loads on a phone
    Google's mobile-first index means slow sites rank lower in search and lose visitors before the page paints. Most fixes are configuration changes, not rebuilds.
  • How fast your site loads on a laptop
    Even if most visitors are on phones, a sluggish desktop experience hurts the customers most likely to fill out a long form, book a service, or buy something expensive.
  • How real visitors actually experience your speed
    Google quietly collects loading times from actual Chrome users on your site and uses that — not lab tests — to decide your search ranking. If real visitors are seeing slow pages, your rankings already feel it.
  • Your site uses a modern web connection
    An older connection style makes every image, font, and script load one after another instead of together — so your phone visitors wait longer than they should. Flipping this on is usually a single setting at your host.
  • Pages get squeezed before they're sent
    Without compression, your visitors download files that are roughly four times bigger than they need to be — burning their data plan and your search ranking. Every modern host supports this; it's almost always just a checkbox.
  • Your homepage isn't bloated
    A homepage that weighs several megabytes punishes anyone on cell service and silently knocks down your Google ranking. Usually the bulk is one giant hero image or a stack of unused plugins.
  • You're not shipping code visitors don't use
    Themes and page builders often ship piles of features your site never uses, and the visitor's phone has to download all of it anyway. Trimming this is the single biggest speed win on most small-business sites.

Is the business real?

fail55
5 of 10 failing — expand to see which.
3 pass · 2 warn · 5 fail · 4 n/a
  • Your reviews on Trustpilot
    For online stores and B2B services, Trustpilot is often the first place a cautious buyer checks. An empty profile, or no profile at all, makes it easy to walk away from the purchase.
  • Your company page on LinkedIn
    B2B buyers, recruits, and reporters all check LinkedIn before reaching out. An empty page, or no page, makes you look smaller and less established than you actually are.
  • Your listing on Apple Maps
    Every iPhone user who asks Siri for directions or searches Apple Maps is using this. If you're not listed, customers driving toward you literally can't find you.
  • Your site can be saved to a phone's home screen
    When this is set up, customers who use your site often can pin it to their home screen like an app — which keeps you a tap away instead of buried in a search. It's a small file, but a missing one signals an older build.
  • A contact form people can actually find
    A visible 'get in touch' form is the easiest way to turn a curious visitor into a lead. If finding one takes more than a few seconds, most people just close the tab.
  • Your listing on Google Maps and search
    When someone Googles your business name, this is the panel that shows your address, hours, photos, phone, and reviews. Without one, a customer ready to walk in the door may end up at a competitor.
  • How long your site has been online
    Public web archives quietly record when your site first appeared and how often it's updated. A site with years of history reads as established; a site that just popped up reads as a pop-up.
  • Whether anyone's written about you lately
    Recent news mentions — local paper, industry blog, podcast — tell both customers and Google that your business is active and relevant. A long silence reads as a business that's gone quiet.
  • How long your domain has existed
    First-time visitors and fraud-detection systems both treat brand-new domains as suspicious by default. A domain registered yesterday tells the same story to humans and to spam filters.
  • Whether you have a Wikipedia entry
    A Wikipedia page is one of the strongest signals to Google and AI assistants that you're a real, notable business. Most small businesses don't have one — but if you're big enough, missing it is a wasted credibility win.
  • Your reviews on Yelp
    Plenty of customers still check Yelp before booking, especially for restaurants, salons, and home services. No listing — or worse, a listing with two angry reviews and no replies — sends them to the next result.
  • Your listing on Bing and Microsoft Maps
    Bing powers search for millions of Windows users, ChatGPT search, and DuckDuckGo. Without a listing, you're invisible to all of them — and increasingly to AI tools that pull from Bing.
  • Your site can work for a moment offline
    Modern sites can show a useful page even when a customer's phone briefly loses signal — like in an elevator or a bad reception area. Without it, they get a blank error and assume your site is broken.
  • Whether your site is set up to take payments online
    If you sell anything, customers expect to pay on the site without a phone call or invoice email. Missing checkout means lost sales the moment they hesitate.

Does it respect visitor privacy?

unscored
Nothing measurable in this scan yet.
  • Cookie consent banner for European visitors
    If anyone from the European Union or California can land on your site, the privacy laws there (GDPR and CCPA) require a banner that lets visitors say no to tracking. Fines start at thousands of dollars and the regulators don't warn you first.
  • You have a privacy policy page
    Every state and country with a privacy law requires one, and Google, Apple, and Meta all refuse to run ads from sites without it. Missing this is the fastest way to get an ad account suspended or a lawyer's letter.
  • You have a terms of service page
    Without one, you have no written agreement with the people using your site — which makes refund disputes, chargebacks, and copied content much harder to fight. A basic version takes an afternoon and protects you for years.
  • How many outside companies you let watch your visitors
    Every analytics, ad, and chat tool you've added quietly shares your visitors' behavior with another company — and you're legally on the hook for what they do with it. Most small-business sites are running twice as many as the owner realizes.
  • California privacy opt-out link
    California law requires a clearly labeled "Do Not Sell or Share My Personal Information" link in your footer if you have visitors from California and use ad or analytics tools. The state Attorney General has been actively fining small businesses for missing it.
  • What your site actually drops on visitors' phones
    Tools like Facebook Pixel and Google Ads quietly set tracking cookies the moment someone lands — often before they've agreed to anything. Under European and California law, that gap between landing and consent is what triggers fines.

Can everyone use it?

fail82
1 of 5 failing — expand to see which.
4 pass · 1 fail · 2 n/a
  • Text is dark enough to read
    Pale-gray text on white is the single most-cited problem in accessibility lawsuits. It also loses customers over 50, who already squint at their phones.
  • Your site works for visitors with disabilities
    About one in four American adults has a disability the courts recognize, and your site is legally required to work for them under the Americans with Disabilities Act (ADA). Lawsuits over this hit small businesses every week, and most settle for $5,000 to $20,000.
  • Your buttons and forms are labeled for screen readers
    When a button is just an icon — a magnifying glass, a hamburger menu, a shopping cart — a blind visitor's screen reader has nothing to announce unless someone added a hidden label. Without these, your contact form and checkout are unusable for them, and that's the kind of thing that ends up in a demand letter.
  • Your photos have written descriptions
    Blind visitors use software that reads pages out loud, and it can only describe a photo if you've written a short caption behind it. Missing alt text is the single most common item cited in accessibility lawsuits — and Google uses the same text to understand your images.
  • Your headings are in a sensible order
    Screen readers let blind visitors jump heading-to-heading the way you skim with your eyes — but only if the headings are nested in order. Out-of-order headings also confuse Google about what your page is actually about.
  • You have an accessibility statement
    Posting one signals to the courts and to disabled visitors that you're taking accessibility seriously, and it's the first thing a plaintiff's lawyer looks for when deciding whom to sue. Roughly 4,000 small businesses got accessibility lawsuits last year.
  • A way to skip past the menu
    Visitors who navigate by keyboard instead of mouse — usually because of a motor or vision impairment — otherwise have to tab through every nav link on every page just to reach your content. It's a small link at the top, and it's checked in nearly every accessibility audit.

Will email from this domain actually arrive?

fail68
3 of 8 failing — expand to see which.
4 pass · 1 warn · 3 fail · 5 n/a
  • A real tool for sending receipts and confirmations
    Order confirmations, password resets, and appointment reminders need to land in the inbox every single time. Sending them through a dedicated service — instead of straight from your website — is the difference between customers getting their receipt and them calling you confused.
  • A clickable email link on your site
    On a phone, tapping an email address should open the mail app with everything pre-filled. When it's just text someone has to copy and paste, half of them give up.
  • Your email is being forwarded, not hosted
    Instead of having a real inbox at your domain, mail to your address is being bounced over to a personal Gmail or Yahoo account. It works, but it's fragile — replies often look broken to customers, and the setup tends to fall apart as your business grows.
  • What's actually running your email
    We can usually tell whether your email is on Google Workspace, Microsoft 365, your web host, or something custom. The platform behind your email shapes how reliable it is, how well it filters spam, and how easy it is for a new employee to get an inbox.
  • Stops scammers from emailing customers as you
    Without this, anyone can send phishing email pretending to be from your business — and your customers may receive it as if it really came from you. The fix is a few DNS records your email provider can usually add in under an hour.
  • Lists who's allowed to email as your business
    This tells the rest of the internet which mail services — your provider, your booking system, your CRM — are actually permitted to send email from your domain. Without it, your real messages look as suspicious as a stranger's, and your invoices and confirmations start hitting spam.
  • You email from your own domain, not Gmail
    Customers trust hello@yourbusiness.com a lot more than yourbusiness@gmail.com — the free address makes a real company look like a side hustle, and it's one of the fastest ways to lose a lead before they even reply.
  • You get reports when someone fakes your email
    When this is on, mail providers send you a daily summary of who tried to send email pretending to be your business — so you can spot impersonation attempts before customers do. Without it, scammers can spoof you for months and you'd never know.
  • Proves your email actually came from you
    When your email arrives, this is the invisible signature that tells Gmail and Outlook it really came from your business and wasn't tampered with along the way. Without it, your messages are more likely to land in spam or get blocked.
  • Keeps your email private in transit
    These settings tell other mail servers they must use encryption when delivering email to you, so an attacker on the network can't read or quietly redirect it. Most small businesses don't have this turned on yet, and the bigger your domain gets, the more it matters.
  • Shows your logo next to your emails
    When this is set up, Gmail and Apple Mail can display your verified logo in the inbox next to messages from your business — which both looks more professional and helps customers spot real email from you versus impersonators.
  • A real tool for sending newsletters
    If your business sends marketing email, doing it through a service like Mailchimp or Klaviyo (instead of from your personal inbox) is what keeps you out of spam folders and out of legal trouble with unsubscribe rules.
  • Your email setup is under a hidden limit
    There's a behind-the-scenes ceiling on how many email tools can be authorized to send as your business at once. When you add too many — newsletter, booking, invoicing, helpdesk — you quietly cross the line and all of them start landing in spam.

Technical breakdown · deeper data behind the verdict

Categories

8 categories · worst grade F
CategoryGradeScoreApplicable
Privacy 0/6
AI-readinessF 301/4
SEOF 507/11
Brand presenceF 5112/21
PerformanceD 6211/12
Email healthD 6411/16
SecurityC 753/21
AccessibilityB 825/7

Standards compliance

19 satisfied · 7 partial · 7 failed · 67 n/a
StandardCategoryVerdictWhy it matters
HTTP/3PerformancefailedReal-world wins on mobile, lossy networks, and high-latency users. Cloudflare, Fastly, and CloudFront support it with a single toggle.
font-displayPerformancefailedDefault browser behaviour blocks text rendering for up to 3 seconds while a web font downloads — that's a Flash of Invisible Text (FOIT) and it tanks LCP, especially on slow connections. `swap` fli…
WebP / AVIFPerformancefailedImages are typically 50–70% of homepage weight. Cutting that in half with format conversion alone moves LCP, mobile data costs, and bounce rate measurably. Most CDNs (Cloudflare Polish, Fastly Imag…
Schema.orgSEOfailedSchema is the single highest-leverage SEO change for AI search era. ChatGPT, Perplexity, Gemini, and Google Knowledge Graph all parse it. No schema = no rich snippets and weak AI citation.
HeadingsSEOfailedSearch engines weight h1 heavily for page topicality. Screen readers use the heading tree to navigate. Failing this is rarely a render bug — it's almost always a CMS misconfig.
BreadcrumbsSEOfailedWhen Google shows breadcrumbs instead of the raw URL, mobile click-through measurably lifts. Breadcrumb schema is one of a shrinking set of rich-result types still supported (FAQ and HowTo lost the…
C2PAAI-readinessfailedProvenance is the new credibility signal in an AI-generated content world. Major newsrooms (BBC, NYT) and platforms (LinkedIn, TikTok via experiments) verify C2PA manifests; OpenAI signs DALL·E and…
WCAG AAAccessibilitypartialWCAG AA is the conformance target referenced by the ADA, EAA, Section 508, and most procurement contracts. Falling short isn't just a UX problem — it's the standard plaintiffs' lawyers cite in acce…

View all 100 standards →

Site profile + facts

Corporate / B2B · 12 attributes detected · 8 n/a by applicability

Classification driving applicability · deep detection

Site type
Corporate / B2Bconfidence 20%
Vertical
Other
Jurisdiction
United States
Detected stack
cms: wordpress · hosting: wp-engine · cdn: cloudflare

Site facts

Hosting
WPEngine, Inc.
Managed host
WP Engine
CDN / WAF
Cloudflare / Cloudflare
DNS provider
Cloudflare
Platform
wordpress
Email provider
custom-or-self-hosted
Spam protection
Mail forwarder
Marketing ESP
mailchimp-mandrill
DMARC policy
quarantine
Hosting country
United States
Registrar

8 factors marked n/a by applicability rules — see the factors table for per-factor reasons.

All factors

45 scored · 19 pass · 5 warn · 21 fail · 30 n/a of 75 applicable
#FactorCategoryVerdictScoreEvidence
7Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)Securityfail25findings={"path":"/wp-admin","status":200}|{"path":"/wp-login.php","status":200}|{"path":"/admin","status":200}, total_checked=6
30HTTP/3 supportPerformancefail30supports_h3=false
31IPv6 supportPerformancefail30aaaa_count=0
32Image optimization (WebP/AVIF)Performancefail30id=image-delivery-insight, lighthouse_score=0, displayValue=Est savings of 268 KiB
36Font loading strategy (FOUT/FOIT/swap)Performancefail30id=font-display-insight, lighthouse_score=0
12Schema.org structured data presenceSEOfail30structured_data_absent
13H1 tag presenceSEOfail30h1_count=0
39Schema.org type validity (parsed JSON-LD)SEOfail30total=0, valid=0
40Breadcrumb schemaSEOfail30present=false
61Better Business Bureau accreditationSEOfail30no_link_on_site
45JSON-LD richness score for LLMsAI-readinessfail30org_complete=false, has_address=false, has_contact_point=false, has_same_as=false, has_content_type=false, breakdown={"coreOrg":0,"contact":0,"sameAs":0,"contentType":0}
56Color contrast (WCAG AA)Accessibilityfail30lighthouse_score=0, failing_count=7
60Trustpilot presence + ratingBrand presencefail30no_link_on_site
62LinkedIn Company Page (presence + employee count + follower count)Brand presencefail30no_link_on_site
64Apple Maps presence (Apple Business Connect)Brand presencefail30no_link_on_site
67Web App Manifest (manifest.json)Brand presencefail30present=false
83Visible contact form on siteBrand presencefail30detected=false, count=0
81Transactional email provider detected (from SPF includes)Email healthfail30no SPF record
84Mailto: direct contact link presentEmail healthfail30Scored
85Email forwarding service detected (improvmx, forwardemail, etc.)Email healthfail30no MX records
35Lazy loading on below-fold imagesPerformancefail40id=image-delivery-insight, lighthouse_score=0, displayValue=Est savings of 268 KiB
19Google Business Profile presence + ratingBrand presencewarn50found=true
8Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)Performancewarn63performance_score=62, lcp_ms=15989.621219193514, cls=0, components={"perf":62,"lcp":30,"cls":100}
18Wayback Machine site age & last snapshotBrand presencewarn65first_snapshot=1999-11-28T06:51:23Z, last_snapshot=1999-11-28T06:51:23Z, estimated_age_years=26.4, first_years_ago=26.414573766794685, last_days_ago=9647.92306832176
33Desktop PageSpeed scorePerformancewarn67performance_score=67, lighthouse_score=0.67
76Email provider class (Workspace / 365 / Zoho / self-hosted / shared)Email healthwarn70provider=unclassified_enterprise, mx=clusterb.ignite.co.uk|clustera.ignite.co.uk, source=mx_classifier
1DMARC enforcementEmail healthpass80present=true, policy=quarantine
20News mentions in last 30 daysBrand presencepass85news_mentions_count=9
53axe-core / WAVE accessibility scanAccessibilitypass87accessibility_category=0.87
34Core Web Vitals from CrUX (Real User Monitoring)Performancepass90overall_category=AVERAGE, lcp_ms=2659, cls_x100=0, inp_ms=153, components={"name":"lcp","raw":2659,"score":70}|{"name":"cls","raw":0,"score":100}|{"name":"inp","raw":153,"score":100}
57ARIA labels presence and validityAccessibilitypass92total_aria_audits=22, applicable=12, passing=11, failing=aria-tooltip-name
5SSL certificate validity & expiration windowSecuritypass100ssl_days_remaining=364.99985944444444, not_after=2027-04-28T05:00:50.000Z, source=url_scanner
6WordPress REST API user enumeration exposureSecuritypass100exposed=false
9HTTP/2 supportPerformancepass100perf_http2=true
10Compression (Brotli / gzip)Performancepass100perf_compression=br
37Total homepage byte weightPerformancepass100html_bytes=0, subresource_bytes=0, total_bytes=0, total_kb=0, sampled=0, total_refs=0
11Title, meta description, OG, Twitter cards, canonicalSEOpass100title=true, description=true, og=true, twitter=true, canonical=true
43Internal link depth (clicks from homepage to deepest content)SEOpass100max_depth=0, pages_fetched=0, pages_seen=1, capped_at=50
54Image alt text coverageAccessibilitypass100lighthouse_score=1, failing_count=0
55Heading hierarchy validityAccessibilitypass100lighthouse_score=1
17Domain age (RDAP / WHOIS)Brand presencepass100domain_age_years=26.4
21Wikipedia entityBrand presencepass100found=true, title=Erie International Airport, url=https://en.wikipedia.org/wiki/Erie_International_Airport
3SPF record present and validEmail healthpass100present=true, raw="v=spf1 a mx include:servers.mcsv.net include:spf.protection.outlook.com include:spf.mandrillapp.com ip4:54.240.7.32 include:spf.hornetsecurity.com include:_spf.smtp.mailtrap.live include:_spf.intacct.com -all", qualifier=hardfail
75Branded domain email address (vs free Gmail/Yahoo)Email healthpass100branded=true, provider=generic
77DMARC aggregate reporting enabled (rua=)Email healthpass100has_dmarc_reporting=true, audit_flag=true, derived_from_raw=true, source=derived_from_raw, dmarc_raw="v=DMARC1; p=quarantine; rua=mailto:chrisbuckler@eia-international.org"
4Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options)Securityn/an/a:This platform doesn't allow site owners to set custom HTTP response headers, so security-headers grading isn't fair
22DNSSEC validationSecurityn/afetch failed
23CAA recordsSecurityn/afetch failed
26HSTS preload list inclusionSecurityn/afetch failed
28Subdomain takeover surfaceSecurityn/afetch failed
29Spam / phishing blocklist presenceSecurityn/anot measured — dbl_query_failed
38Largest unused JavaScript bundlePerformancen/an/a:no_deferred_scripts
14Sitemap.xml + robots.txt presenceSEOn/an/a:This platform manages robots.txt centrally and doesn't let site owners customize it
41FAQ / HowTo schema (where applicable)SEOn/an/a:not_applicable
42hreflang for multi-language sitesSEOn/an/a:single_language
15llms.txt presenceAI-readinessn/an/a:This platform doesn't let site owners publish arbitrary root-path files like /llms.txt
16AI crawler robots.txt directivesAI-readinessn/an/a:AI crawler directives live inside robots.txt, which this platform doesn't let site owners edit
44AI plugin manifest (.well-known/ai-plugin.json)AI-readinessn/afetch failed
46Cookie banner presence + CMP detectionPrivacyn/afetch failed
47Privacy policy page presencePrivacyn/afetch failed
48Terms of service page presencePrivacyn/afetch failed
49Third-party tracker countPrivacyn/afetch failed
50CCPA "Do Not Sell or Share My Personal Information" linkPrivacyn/afetch failed
51Cookie scan — actual cookies set on first loadPrivacyn/afetch failed
52Accessibility statement pageAccessibilityn/afetch failed
58Skip-to-content linkAccessibilityn/afetch failed
59Yelp presence + rating + review countBrand presencen/an/a:Yelp listings are scored only for local-business sites
63Bing PlacesBrand presencen/an/a:no_public_url_convention
68Service Worker / PWA capabilityBrand presencen/an/a:Service Worker registration requires header control + a root-scope script, which this platform doesn't allow
70Payment processors detectedBrand presencen/afetch failed
2DKIM signingEmail healthn/an/a:DKIM is only graded for sites that send mail (branded domain email present)
24MTA-STS & TLS-RPTEmail healthn/afetch failed
25BIMI + VMCEmail healthn/afetch failed
80Email Service Provider (ESP) detectedEmail healthn/an/a:ESP detection requires a newsletter signup to be present
82SPF lookup count (10-limit deliverability check)Email healthn/an/a:no SPF record
writes a fresh score to the registry

Scores computed under method v1.2.0. See the methodology for the full factor list and per-factor specifications.