WQI.web​qualityindex
Method v1.2.0 86 live / 86 total factors methodology

Hometwoclovesinapot.com

twoclovesinapot.com

Below Web Standards
Score withheldSite does not meet Web Standards

verdict counts34 pass6 warn27 fail9 n/a·method v1.2.0·scanned 2026-04-28

Built by Foodie Digital  | Support membership for food bloggers· detected via regex (99% confidence)

Fix these to meet Web Standards

Each item below is a binary check — pass or fail. Until they all pass, the contribution score is withheld.

  • No WordPress user enumeration · security
    exposed=true, user_count=0
  • Privacy policy published · legal
    found=false
  • Terms of service published · legal
    found=false

Web Standards · 3 failing

The table-stakes layer — every site either meets these or doesn’t. The Web Quality score is computed only when Web Standards passes.

Functional

pass3/3

Preconditions for being scored at all — the site responds, isn't on a phishing blocklist, and isn't a parked / for-sale page.

  • Site respondsprecondition
    HTTP 200
  • Not on safe-browsing blocklist
    not measured — dbl_query_refused
  • No deceptive redirectprecondition
    Final host matches requested (twoclovesinapot.com)
  • No critical mixed content
    No mixed content detected

Security

fail4/5

The minimum security baseline every site on the modern web should meet — valid TLS, baseline email auth, no exposed admin surfaces.

  • Valid TLS certificate
    ssl_days_remaining=364.9998501851852, not_after=2027-04-28T04:29:53.000Z, source=url_scanner
  • No exposed sensitive paths
    total_checked=6
  • DMARC published
    present=true, policy=quarantine
  • SPF record present
    present=true, raw="v=spf1 a mx include:spf.securedserverspace.com include:_spf.google.com include:_spf.mlsend.com ~all", qualifier=softfail
  • No WordPress user enumeration
    exposed=true, user_count=0

Legal

fail0/2

The legal disclosures the site is required to publish for the visitors it serves, based on jurisdiction and what data it collects.

  • Privacy policy published
    found=false
  • Terms of service published
    found=false
  • Cookie consent (where required)
    Not applicable to this site
  • CCPA opt-out link
    Not applicable to this site

Accessibility

pass3/3

The minimum WCAG-aligned accommodations every site owes the humans who land on it — readable contrast, alt text, navigable structure.

  • Image alt text coverage
    lighthouse_score=1, failing_count=0
  • Sufficient color contrast
    lighthouse_score=1, failing_count=0
  • Valid heading hierarchy
    lighthouse_score=1

Identity

pass3/3

Whether the site is honest about who runs it and how a visitor can reach a real human.

  • Operator is identifiable
    Organization schema or About page detected
  • At least one contact channel
    Contact form detected
  • Branded domain email
    branded=true, provider=google

In plain English · 7 questions, drilling down to the 98 factors

A reader-first rollup. Each card maps to the underlying factors — click to expand, or scroll for the full technical breakdown.

Can people find this site?

fail61
6 of 12 failing — expand to see which.
5 pass · 1 warn · 6 fail · 3 n/a
  • How your site appears when shared or in search results
    The headline, blurb, and image that show up when someone posts your site on Facebook, sends it in iMessage, or sees it in Google. If they're missing or wrong, you look unfinished or attract the wrong clicks.
  • Hidden labels that explain your business to Google
    Behind the scenes, your pages can carry small tags that tell Google whether you're a restaurant, a dentist, or a law firm — and your hours, prices, and reviews. Without them, Google has to guess, and the rich result with stars and photos goes to a competitor instead.
  • A clear headline on every page
    Every page should announce, in one obvious sentence, what it's about. When that's missing, Google and skim-reading visitors both lose the thread of what you do.
  • Whether you're listed with the Better Business Bureau
    Older customers and people considering a big-ticket purchase still check the BBB. An accreditation badge — or just a clean profile — quietly answers the question 'is this business real and reachable if something goes wrong?'
  • A summary file for AI assistants
    ChatGPT, Claude, and Perplexity look for a small text file at /llms.txt to understand what your business is and what to say about it. Without it, they guess, and the guess is often wrong.
  • A direct line for AI assistants to your business
    A small file you can publish lets AI tools talk to your site directly — checking availability, prices, or booking. Without it, you're missing out as customers shift from Googling to asking ChatGPT.
  • How well your site feeds AI the right facts
    When ChatGPT or Perplexity describes your business, they're pulling from the structured details on your site. The thinner those details, the more the AI guesses — and the more often it gets your hours, prices, or services wrong.
  • A map of your site for search engines
    Google needs a list of every page you want it to find, plus a note about which ones to skip. Without it, parts of your site quietly go missing from search results.
  • Whether your behind-the-scenes labels are valid
    The hidden tags that describe your business to Google only work if they're written correctly. A typo or wrong format and Google ignores them, so the stars, hours, and prices never show up next to your listing.
  • A trail showing where visitors are on your site
    Those little 'Home > Services > Teeth Whitening' trails help Google understand how your pages connect, and they often appear right inside your search result. Without them, your listing looks plainer than competitors'.
  • How easy it is to reach your deepest pages
    If a customer or Google has to click five or six times from your homepage to find a service or product page, most never make it. Important pages should be two or three clicks away, max.
  • Whether you're letting AI assistants read your site
    Your site can quietly tell ChatGPT, Claude, and Google's AI to stay out — or to come in. If you're blocking them by accident, you're invisible when customers ask AI for a recommendation in your category.
  • Common questions answered in a Google-friendly way
    When your FAQs are formatted the way Google likes, your answers can show up directly in search — sometimes before anyone even clicks. That's free real estate competitors are taking from you.
  • Telling Google which language a visitor should see
    If you serve customers in more than one language or country, your site needs to tell Google which version is for whom. Otherwise a Spanish-speaking customer might land on your English page and bounce.
  • Visitor privacy on hostile networks
    Hides which website a visitor is opening from coffee-shop WiFi, corporate proxies, and government censors. It's a newer feature, so having it on is a real sign your site is keeping up with the modern web.

Is it safe to visit?

fail67
3 of 9 failing — expand to see which.
4 pass · 2 warn · 3 fail · 12 n/a
  • Your domain can't be quietly hijacked
    An extra signature on your domain settings that stops attackers on shared WiFi or shady networks from rerouting your customers to a fake version of your site. Most domain registrars offer it as a one-click toggle.
  • Only your approved vendors can issue your padlock
    A short list at your domain registrar that names which companies are allowed to issue security certificates for your site. Without it, a sloppy or compromised certificate vendor anywhere in the world could mint a fake one for your domain.
  • Your site is on the browser-baked-in safe list
    An opt-in list shipped inside Chrome, Safari, and Firefox themselves. Once your domain is on it, browsers will never let a visitor fall back to an unencrypted connection — even before they've ever visited you.
  • Browser-level protections for visitors
    Hidden settings your site sends to a visitor's browser to block common attacks like fake login overlays, hijacked sessions, and content sniffing. Modern hosting platforms set them by default; older custom-built sites often don't.
  • WordPress isn't leaking your usernames
    A default WordPress setting publishes a list of every login name on your site, which attackers feed straight into password-guessing tools. Turning it off takes one plugin or one line of config.
  • Your site uses up-to-date encryption
    Older versions of the encryption that powers the padlock have known holes and were retired by every major browser years ago. If your server still accepts them, security scanners and payment processors will start flagging you.
  • Your padlock isn't about to expire
    The little padlock next to your address bar comes from a certificate that has to be renewed on a schedule. If it lapses, every browser slams a full-screen red warning in front of your customers and they bounce.
  • Private files aren't open to the public
    Things like login pages, admin panels, and developer files should never be reachable by a stranger typing a guess into their browser. When they are, they become the front door for an attack.
  • Forgotten subdomains aren't an open door
    If you ever spun up something like blog.yoursite.com or shop.yoursite.com and later abandoned it without cleaning up the DNS, a stranger can sometimes claim that address and put their own content under your name.
  • Your domain isn't on a spam blocklist
    Anti-virus tools, email filters, and corporate firewalls share lists of domains tied to malware or scams. If yours lands on one — even by mistake — your emails go to spam and your site gets blocked at offices and schools.
  • The padlock uses strong, modern math
    Inside every encrypted connection there's a recipe — newer recipes are bank-grade, older ones have known weaknesses. If your server still falls back to the old ones, security scanners and cyber-insurance audits will flag it.
  • Old recordings stay locked even if a key leaks
    If someone ever steals your server's master key, well-built encryption still protects every conversation that happened before the theft. Without it, an attacker who quietly recorded traffic for years can suddenly read all of it.
  • Your padlock isn't using outdated keys
    The certificate behind your padlock is signed with a kind of math that has to keep up with the times. Old, short keys are being phased out — sites still using them will start showing warnings in browsers.
  • Your padlock loads cleanly on every device
    Browsers can usually paper over a half-installed certificate, but phones, apps, and older email clients can't — they'll show an error and refuse to connect. This is one of the most common silently-broken setups on the web.
  • Visitors connect faster on the first click
    A small efficiency where your server checks once that the certificate is still valid and shares the answer with everyone, instead of every visitor's browser making its own trip across the internet to ask. Faster page loads, better privacy.
  • Your certificate is publicly logged
    Every legitimate certificate today gets recorded in a public ledger so fake ones get caught quickly. Browsers refuse to trust certificates that skip this step, and yours needs at least two log entries to clear the bar.
  • Future-proof against tomorrow's computers
    Researchers worry that quantum computers, when they arrive, could crack today's encrypted recordings after the fact. The newest encryption recipes already protect against that — and Chrome and Cloudflare turned them on in 2024.
  • Your padlock renews on a healthy schedule
    Short-lived certificates that auto-renew are the new normal — they prove your renewal automation works and limit the damage if a key ever leaks. Multi-year certificates from old paid vendors are increasingly seen as a smell.
  • Strict mode for your padlock check
    An advanced setting that tells browsers to refuse the connection if the freshness check on your certificate goes missing, instead of quietly accepting it. Rarely turned on — when it is, it's a clear sign someone competent runs the server.
  • Your padlock comes from a reputable vendor
    Some certificate vendors have been kicked out of browsers in the past for sloppy practices. Sticking with a well-known name — Let's Encrypt, DigiCert, Cloudflare, Google, Sectigo — means your padlock keeps working on every device for years.
  • Your site finishes its handshake quickly
    Before a page can even start loading, the browser and server have a quick back-and-forth to set up the encrypted connection. When that takes too long, every first-time visitor feels the lag — and Google notices it too.

Is it fast?

fail85
2 of 12 failing — expand to see which.
9 pass · 1 warn · 2 fail
  • Your site uses the newest connection style
    The latest version of the web's delivery protocol shaves real time off how fast your site feels, especially on spotty mobile networks. It's a free upgrade that better hosts and CDNs already include.
  • Photos lower on the page wait their turn
    When every image loads at once, the top of your page stalls because the phone is busy fetching pictures nobody can see yet. Loading them as a visitor scrolls is a one-line fix that makes the first screen pop in faster.
  • Your photos are saved in modern formats
    Older photo formats can be five times heavier than newer ones, so your homepage drags on a phone and Google notices. Most hosts and platforms can convert your images automatically.
  • You're not shipping code visitors don't use
    Themes and page builders often ship piles of features your site never uses, and the visitor's phone has to download all of it anyway. Trimming this is the single biggest speed win on most small-business sites.
  • How fast your site loads on a phone
    Google's mobile-first index means slow sites rank lower in search and lose visitors before the page paints. Most fixes are configuration changes, not rebuilds.
  • Your site uses a modern web connection
    An older connection style makes every image, font, and script load one after another instead of together — so your phone visitors wait longer than they should. Flipping this on is usually a single setting at your host.
  • Pages get squeezed before they're sent
    Without compression, your visitors download files that are roughly four times bigger than they need to be — burning their data plan and your search ranking. Every modern host supports this; it's almost always just a checkbox.
  • Reachable on the modern internet
    A growing share of phone and home networks now use the newer addressing system. Sites stuck on the old one get a small but real ranking nudge against them and load slower for those visitors.
  • How fast your site loads on a laptop
    Even if most visitors are on phones, a sluggish desktop experience hurts the customers most likely to fill out a long form, book a service, or buy something expensive.
  • How real visitors actually experience your speed
    Google quietly collects loading times from actual Chrome users on your site and uses that — not lab tests — to decide your search ranking. If real visitors are seeing slow pages, your rankings already feel it.
  • Your text shows up while fonts load
    If custom fonts aren't set up right, your headlines stay blank for a second or two — visitors see a flash of nothing where your name should be, then bounce. The fix is one line of code at the font.
  • Your homepage isn't bloated
    A homepage that weighs several megabytes punishes anyone on cell service and silently knocks down your Google ranking. Usually the bulk is one giant hero image or a stack of unused plugins.

Is the business real?

fail38
9 of 11 failing — expand to see which.
1 pass · 1 warn · 9 fail · 3 n/a
  • Your listing on Google Maps and search
    When someone Googles your business name, this is the panel that shows your address, hours, photos, phone, and reviews. Without one, a customer ready to walk in the door may end up at a competitor.
  • Whether anyone's written about you lately
    Recent news mentions — local paper, industry blog, podcast — tell both customers and Google that your business is active and relevant. A long silence reads as a business that's gone quiet.
  • Whether you have a Wikipedia entry
    A Wikipedia page is one of the strongest signals to Google and AI assistants that you're a real, notable business. Most small businesses don't have one — but if you're big enough, missing it is a wasted credibility win.
  • Your reviews on Trustpilot
    For online stores and B2B services, Trustpilot is often the first place a cautious buyer checks. An empty profile, or no profile at all, makes it easy to walk away from the purchase.
  • Your company page on LinkedIn
    B2B buyers, recruits, and reporters all check LinkedIn before reaching out. An empty page, or no page, makes you look smaller and less established than you actually are.
  • Your listing on Apple Maps
    Every iPhone user who asks Siri for directions or searches Apple Maps is using this. If you're not listed, customers driving toward you literally can't find you.
  • Your site can be saved to a phone's home screen
    When this is set up, customers who use your site often can pin it to their home screen like an app — which keeps you a tap away instead of buried in a search. It's a small file, but a missing one signals an older build.
  • Your site can work for a moment offline
    Modern sites can show a useful page even when a customer's phone briefly loses signal — like in an elevator or a bad reception area. Without it, they get a blank error and assume your site is broken.
  • A contact form people can actually find
    A visible 'get in touch' form is the easiest way to turn a curious visitor into a lead. If finding one takes more than a few seconds, most people just close the tab.
  • How long your site has been online
    Public web archives quietly record when your site first appeared and how often it's updated. A site with years of history reads as established; a site that just popped up reads as a pop-up.
  • How long your domain has existed
    First-time visitors and fraud-detection systems both treat brand-new domains as suspicious by default. A domain registered yesterday tells the same story to humans and to spam filters.
  • Your reviews on Yelp
    Plenty of customers still check Yelp before booking, especially for restaurants, salons, and home services. No listing — or worse, a listing with two angry reviews and no replies — sends them to the next result.
  • Your listing on Bing and Microsoft Maps
    Bing powers search for millions of Windows users, ChatGPT search, and DuckDuckGo. Without a listing, you're invisible to all of them — and increasingly to AI tools that pull from Bing.
  • Whether your site is set up to take payments online
    If you sell anything, customers expect to pay on the site without a phone call or invoice email. Missing checkout means lost sales the moment they hesitate.

Does it respect visitor privacy?

fail55
2 of 4 failing — expand to see which.
2 pass · 2 fail · 2 n/a
  • You have a privacy policy page
    Every state and country with a privacy law requires one, and Google, Apple, and Meta all refuse to run ads from sites without it. Missing this is the fastest way to get an ad account suspended or a lawyer's letter.
  • You have a terms of service page
    Without one, you have no written agreement with the people using your site — which makes refund disputes, chargebacks, and copied content much harder to fight. A basic version takes an afternoon and protects you for years.
  • How many outside companies you let watch your visitors
    Every analytics, ad, and chat tool you've added quietly shares your visitors' behavior with another company — and you're legally on the hook for what they do with it. Most small-business sites are running twice as many as the owner realizes.
  • What your site actually drops on visitors' phones
    Tools like Facebook Pixel and Google Ads quietly set tracking cookies the moment someone lands — often before they've agreed to anything. Under European and California law, that gap between landing and consent is what triggers fines.
  • Cookie consent banner for European visitors
    If anyone from the European Union or California can land on your site, the privacy laws there (GDPR and CCPA) require a banner that lets visitors say no to tracking. Fines start at thousands of dollars and the regulators don't warn you first.
  • California privacy opt-out link
    California law requires a clearly labeled "Do Not Sell or Share My Personal Information" link in your footer if you have visitors from California and use ad or analytics tools. The state Attorney General has been actively fining small businesses for missing it.

Can everyone use it?

fail90
1 of 7 failing — expand to see which.
6 pass · 1 fail
  • You have an accessibility statement
    Posting one signals to the courts and to disabled visitors that you're taking accessibility seriously, and it's the first thing a plaintiff's lawyer looks for when deciding whom to sue. Roughly 4,000 small businesses got accessibility lawsuits last year.
  • Your site works for visitors with disabilities
    About one in four American adults has a disability the courts recognize, and your site is legally required to work for them under the Americans with Disabilities Act (ADA). Lawsuits over this hit small businesses every week, and most settle for $5,000 to $20,000.
  • Your photos have written descriptions
    Blind visitors use software that reads pages out loud, and it can only describe a photo if you've written a short caption behind it. Missing alt text is the single most common item cited in accessibility lawsuits — and Google uses the same text to understand your images.
  • Your headings are in a sensible order
    Screen readers let blind visitors jump heading-to-heading the way you skim with your eyes — but only if the headings are nested in order. Out-of-order headings also confuse Google about what your page is actually about.
  • Text is dark enough to read
    Pale-gray text on white is the single most-cited problem in accessibility lawsuits. It also loses customers over 50, who already squint at their phones.
  • Your buttons and forms are labeled for screen readers
    When a button is just an icon — a magnifying glass, a hamburger menu, a shopping cart — a blind visitor's screen reader has nothing to announce unless someone added a hidden label. Without these, your contact form and checkout are unusable for them, and that's the kind of thing that ends up in a demand letter.
  • A way to skip past the menu
    Visitors who navigate by keyboard instead of mouse — usually because of a motor or vision impairment — otherwise have to tab through every nav link on every page just to reach your content. It's a small link at the top, and it's checked in nearly every accessibility audit.

Will email from this domain actually arrive?

fail73
4 of 12 failing — expand to see which.
7 pass · 1 warn · 4 fail · 1 n/a
  • Keeps your email private in transit
    These settings tell other mail servers they must use encryption when delivering email to you, so an attacker on the network can't read or quietly redirect it. Most small businesses don't have this turned on yet, and the bigger your domain gets, the more it matters.
  • Shows your logo next to your emails
    When this is set up, Gmail and Apple Mail can display your verified logo in the inbox next to messages from your business — which both looks more professional and helps customers spot real email from you versus impersonators.
  • A real tool for sending receipts and confirmations
    Order confirmations, password resets, and appointment reminders need to land in the inbox every single time. Sending them through a dedicated service — instead of straight from your website — is the difference between customers getting their receipt and them calling you confused.
  • A clickable email link on your site
    On a phone, tapping an email address should open the mail app with everything pre-filled. When it's just text someone has to copy and paste, half of them give up.
  • Your email setup is under a hidden limit
    There's a behind-the-scenes ceiling on how many email tools can be authorized to send as your business at once. When you add too many — newsletter, booking, invoicing, helpdesk — you quietly cross the line and all of them start landing in spam.
  • Stops scammers from emailing customers as you
    Without this, anyone can send phishing email pretending to be from your business — and your customers may receive it as if it really came from you. The fix is a few DNS records your email provider can usually add in under an hour.
  • Lists who's allowed to email as your business
    This tells the rest of the internet which mail services — your provider, your booking system, your CRM — are actually permitted to send email from your domain. Without it, your real messages look as suspicious as a stranger's, and your invoices and confirmations start hitting spam.
  • You email from your own domain, not Gmail
    Customers trust hello@yourbusiness.com a lot more than yourbusiness@gmail.com — the free address makes a real company look like a side hustle, and it's one of the fastest ways to lose a lead before they even reply.
  • What's actually running your email
    We can usually tell whether your email is on Google Workspace, Microsoft 365, your web host, or something custom. The platform behind your email shapes how reliable it is, how well it filters spam, and how easy it is for a new employee to get an inbox.
  • You get reports when someone fakes your email
    When this is on, mail providers send you a daily summary of who tried to send email pretending to be your business — so you can spot impersonation attempts before customers do. Without it, scammers can spoof you for months and you'd never know.
  • A real tool for sending newsletters
    If your business sends marketing email, doing it through a service like Mailchimp or Klaviyo (instead of from your personal inbox) is what keeps you out of spam folders and out of legal trouble with unsubscribe rules.
  • Your email is being forwarded, not hosted
    Instead of having a real inbox at your domain, mail to your address is being bounced over to a personal Gmail or Yahoo account. It works, but it's fragile — replies often look broken to customers, and the setup tends to fall apart as your business grows.
  • Proves your email actually came from you
    When your email arrives, this is the invisible signature that tells Gmail and Outlook it really came from your business and wasn't tampered with along the way. Without it, your messages are more likely to land in spam or get blocked.

Technical breakdown · deeper data behind the verdict

Categories

8 categories · worst grade F
CategoryGradeScoreApplicable
Brand presenceF 5118/21
AI-readinessF 534/4
PrivacyF 554/6
SEOD 658/11
SecurityD 679/21
Email healthC 7315/16
PerformanceB 8512/12
AccessibilityA 907/7

Standards compliance

45 satisfied · 8 partial · 14 failed · 33 n/a
StandardCategoryVerdictWhy it matters
BIMIEmail healthfailedVisible-logo branding lifts open rates 10–20% and builds anti-phishing trust. Gmail and Apple Mail enforce VMC; Yahoo and Fastmail accept self-asserted records.
MTA-STSEmail healthfailedWithout MTA-STS a STARTTLS handshake can be silently stripped by anyone on the wire and your inbound mail goes plaintext. The policy is a one-time setup; the reporting half (TLS-RPT) tells you when…
TLS-RPTEmail healthfailedSetting MTA-STS without TLS-RPT is flying blind. Reports surface expired certs, broken cipher suites, and MITM downgrade attempts before users complain. Trivial to enable; pays for itself the first…
HSTS PreloadSecurityfailedEliminates the trust-on-first-use gap in vanilla HSTS. Required for finance, healthcare, and any site where a single MITM at first visit is unacceptable.
DNSSECSecurityfailedDNSSEC + DANE is the only way to fully secure SMTP-in-transit without trusting the public CA system. .gov mandates it; major banks deploy it.
CAASecurityfailedPrevents a compromised or misconfigured CA from issuing a valid cert for your domain. One DNS record, large attack-surface reduction.
DANE-SMTPSecurityfailedCloses the same downgrade gap as MTA-STS but with stronger guarantees — provided you have DNSSEC. Major European ISPs (Deutsche Telekom, Comcast inbound) and government MTAs require it; large mail…
HTTP/3PerformancefailedReal-world wins on mobile, lossy networks, and high-latency users. Cloudflare, Fastly, and CloudFront support it with a single toggle.

View all 100 standards →

Site profile + facts

Corporate / B2B · 12 attributes detected · 4 n/a by applicability

Classification driving applicability · deep detection

Site type
Corporate / B2Bconfidence 20%
Vertical
Other
Jurisdiction
Canada
Detected stack
cms: wordpress · hosting: cloudflare-pages · cdn: cloudflare

Site facts

Hosting
Cloudflare, Inc.
Managed host
Hostinger / GoDaddy
CDN / WAF
Cloudflare / Cloudflare
DNS provider
Cloudflare
Platform
wordpress
Email provider
google
Spam protection
Mail forwarder
Marketing ESP
mailerlite
DMARC policy
quarantine
Hosting country
Canada
Registrar
eNom, LLC

4 factors marked n/a by applicability rules — see the factors table for per-factor reasons.

All factors

67 scored · 34 pass · 6 warn · 27 fail · 9 n/a of 76 applicable
#FactorCategoryVerdictScoreEvidence
22DNSSEC validationSecurityfail30ds_present=false, ad_bit=false
23CAA recordsSecurityfail30has_issue=false, has_iodef=false
26HSTS preload list inclusionSecurityfail30hsts_header=max-age=15552000; preload, preload_status=unknown
30HTTP/3 supportPerformancefail30supports_h3=false
11Title, meta description, OG, Twitter cards, canonicalSEOfail30title=true, description=false, og=false, twitter=false, canonical=false
12Schema.org structured data presenceSEOfail30structured_data_absent
13H1 tag presenceSEOfail30h1_count=0
61Better Business Bureau accreditationSEOfail30no_link_on_site
15llms.txt presenceAI-readinessfail30has_llms_txt=false
44AI plugin manifest (.well-known/ai-plugin.json)AI-readinessfail30status=404
47Privacy policy page presencePrivacyfail30found=false
48Terms of service page presencePrivacyfail30found=false
52Accessibility statement pageAccessibilityfail30found=false
19Google Business Profile presence + ratingBrand presencefail30found=false
20News mentions in last 30 daysBrand presencefail30news_mentions_count=0
21Wikipedia entityBrand presencefail30found=false
60Trustpilot presence + ratingBrand presencefail30no_link_on_site
62LinkedIn Company Page (presence + employee count + follower count)Brand presencefail30no_link_on_site
64Apple Maps presence (Apple Business Connect)Brand presencefail30no_link_on_site
67Web App Manifest (manifest.json)Brand presencefail30present=false
68Service Worker / PWA capabilityBrand presencefail30registered=false, reachable=false
83Visible contact form on siteBrand presencefail30detected=false, count=0
24MTA-STS & TLS-RPTEmail healthfail30policy_ok=false
25BIMI + VMCEmail healthfail30no_bimi
81Transactional email provider detected (from SPF includes)Email healthfail30Scored
84Mailto: direct contact link presentEmail healthfail30Scored
35Lazy loading on below-fold imagesPerformancefail40id=image-delivery-insight, lighthouse_score=0.5, displayValue=Est savings of 200 KiB
45JSON-LD richness score for LLMsAI-readinesswarn50org_complete=true, has_address=false, has_contact_point=false, has_same_as=true, has_content_type=false, breakdown={"coreOrg":25,"contact":0,"sameAs":25,"contentType":0}
4Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options)Securitywarn65security_headers_score=65, missing=X-Frame-Options|Referrer-Policy|Permissions-Policy
18Wayback Machine site age & last snapshotBrand presencewarn65first_snapshot=2026-01-01T00:00:00.000Z, last_snapshot=2026-03-07T04:30:15.518Z, first_years_ago=0.3208423808527898, last_days_ago=52, source=archive_org
6WordPress REST API user enumeration exposureSecuritywarn70exposed=true, user_count=0
32Image optimization (WebP/AVIF)Performancewarn70id=image-delivery-insight, lighthouse_score=0.5, displayValue=Est savings of 200 KiB
82SPF lookup count (10-limit deliverability check)Email healthwarn70lookups=9, limit=10
27TLS minimum version supported?Securitypass80method=heuristic, https=true, final_url=https://twoclovesinapot.com/, hsts=true
38Largest unused JavaScript bundlePerformancepass80deferred_scripts=4, sample=https://scripts.scriptwrapper.com/tags/b3e2a716-cc9f-4a53-9a09-77f356bc0390.js|https://twoclovesinapot.com/wp-content/cache/min/1/wp-content/plugins/social-pug/assets/dist/front-end-free.js?ver=1776393789|https://twocloves…
49Third-party tracker countPrivacypass80count=2, hosts=fonts.googleapis.com|scripts.scriptwrapper.com
51Cookie scan — actual cookies set on first loadPrivacypass80count=1, names=__cf_bm, with_cmp=false
1DMARC enforcementEmail healthpass80present=true, policy=quarantine
17Domain age (RDAP / WHOIS)Brand presencepass85domain_age_years=7
8Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)Performancepass98performance_score=97, lcp_ms=1951.0166622480374, cls=0.021304, components={"perf":97,"lcp":100,"cls":100}
5SSL certificate validity & expiration windowSecuritypass100ssl_days_remaining=364.9998501851852, not_after=2027-04-28T04:29:53.000Z, source=url_scanner
7Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)Securitypass100total_checked=6
28Subdomain takeover surfaceSecuritypass100dangling_count=0
9HTTP/2 supportPerformancepass100perf_http2=true
10Compression (Brotli / gzip)Performancepass100perf_compression=br
31IPv6 supportPerformancepass100aaaa_count=2, aaaa=2a06:98c1:3100::6812:2545|2606:4700:4408::ac40:96bb
33Desktop PageSpeed scorePerformancepass100performance_score=100, lighthouse_score=1
34Core Web Vitals from CrUX (Real User Monitoring)Performancepass100overall_category=FAST, lcp_ms=1200, cls_x100=5, inp_ms=141, components={"name":"lcp","raw":1200,"score":100}|{"name":"cls","raw":5,"score":100}|{"name":"inp","raw":141,"score":100}
36Font loading strategy (FOUT/FOIT/swap)Performancepass100id=font-display-insight, lighthouse_score=1
37Total homepage byte weightPerformancepass100html_bytes=230796, subresource_bytes=0, total_bytes=230796, total_kb=225, sampled=4, total_refs=4
14Sitemap.xml + robots.txt presenceSEOpass100has_robots_txt=true, has_sitemap=true
39Schema.org type validity (parsed JSON-LD)SEOpass100total=1, valid=1
40Breadcrumb schemaSEOpass100present=true
43Internal link depth (clicks from homepage to deepest content)SEOpass100max_depth=1, pages_fetched=50, pages_seen=154, capped_at=50
16AI crawler robots.txt directivesAI-readinesspass100robots_ai_blocked_count=0
53axe-core / WAVE accessibility scanAccessibilitypass100accessibility_category=1
54Image alt text coverageAccessibilitypass100lighthouse_score=1, failing_count=0
55Heading hierarchy validityAccessibilitypass100lighthouse_score=1
56Color contrast (WCAG AA)Accessibilitypass100lighthouse_score=1, failing_count=0
57ARIA labels presence and validityAccessibilitypass100total_aria_audits=22, applicable=10, passing=10
58Skip-to-content linkAccessibilitypass100found=true, href=#genesis-content, text=Skip to main content
3SPF record present and validEmail healthpass100present=true, raw="v=spf1 a mx include:spf.securedserverspace.com include:_spf.google.com include:_spf.mlsend.com ~all", qualifier=softfail
75Branded domain email address (vs free Gmail/Yahoo)Email healthpass100branded=true, provider=google
76Email provider class (Workspace / 365 / Zoho / self-hosted / shared)Email healthpass100provider=google
77DMARC aggregate reporting enabled (rua=)Email healthpass100has_dmarc_reporting=true, audit_flag=true, derived_from_raw=true, source=derived_from_raw, dmarc_raw="v=DMARC1; p=quarantine; rua=mailto:7de9370d113b4629bdf11bd6ee368869@dmarc-reports.cloudflare.net,mailto:no@twoclovesinapot.com;"
80Email Service Provider (ESP) detectedEmail healthpass100providers=MailerLite
85Email forwarding service detected (improvmx, forwardemail, etc.)Email healthpass100hosts=aspmx.l.google.com|alt3.aspmx.l.google.com|alt4.aspmx.l.google.com|alt1.aspmx.l.google.com|alt2.aspmx.l.google.com, provider=Google Workspace, kind=branded
29Spam / phishing blocklist presenceSecurityn/anot measured — dbl_query_refused
41FAQ / HowTo schema (where applicable)SEOn/an/a:not_applicable
42hreflang for multi-language sitesSEOn/an/a:single_language
46Cookie banner presence + CMP detectionPrivacyn/an/a:Cookie consent banners are graded for sites serving EU / UK / California users (GDPR, ePrivacy, CPRA). Other sites get n/a.
50CCPA "Do Not Sell or Share My Personal Information" linkPrivacyn/an/a:CCPA "Do Not Sell or Share" is a California requirement; non-US sites follow GDPR / local equivalents
59Yelp presence + rating + review countBrand presencen/an/a:Yelp listings are scored only for local-business sites
63Bing PlacesBrand presencen/an/a:no_public_url_convention
70Payment processors detectedBrand presencen/an/a:no_payment_detected
2DKIM signingEmail healthn/an/a:DKIM is only graded for sites that send mail (branded domain email present)
writes a fresh score to the registry

Scores computed under method v1.2.0. See the methodology for the full factor list and per-factor specifications.