A Hardt Web Studio prospect audit is not a technical exercise — it is a sales tool. Its purpose is to demonstrate specific expertise in the prospect's niche, show them something they did not know about their own site, and create a reason for a discovery call. Every finding you include should pass this test: would this matter to a practice owner or nonprofit director who is not technical? If not, leave it out.
The audit covers five dimensions in a fixed order. That order is deliberate — it moves from the issues most likely to cost the prospect money (performance, local search visibility) to the issues most likely to create legal or reputational risk (accessibility, security), then closes with the experience their clients or patients actually have (UX and trust signals).
Time target: A complete audit from first URL to finished PDF should take 45–75 minutes for a straightforward site. If you are spending more than 90 minutes, you are going too deep. This is a prospect tool, not a full technical audit. Identify the three to five most significant issues, explain them in plain English, and move on.
Never audit more than 10 pages of a prospect site before they become a client. Homepage, about, services, contact, and one or two key service pages is sufficient. Full site audits are paid work.
1. Open your audit toolkit (5 min)
Before visiting the prospect's site, open all six tools in separate tabs so you are not hunting for them mid-audit. Keep a Notion page or plain text file open for notes.
Tabs to open:
- PageSpeed Insights — pagespeed.web.dev
- WAVE — wave.webaim.org
- GTmetrix — gtmetrix.com
- SSL Labs — ssllabs.com/ssltest
- Google Rich Results Test — search.google.com/test/rich-results
- Moz Local Check — moz.com/local/search
- Your audit report HTML file — open in Chrome
- WebAIM Contrast Checker — webaim.org/resources/contrastchecker
2. First impression review — phone and desktop (5 min)
Open the prospect's site on your phone first — not your desktop. This is how most of their patients or donors will experience it. Note your immediate reactions before running any tools.
What to note in 60 seconds on mobile:
- Does the page load noticeably slowly?
- Is the phone number visible and tappable above the fold?
- Is the primary CTA (book, donate, contact) visible without scrolling?
- Does the site look dated or untrustworthy?
- Is the text readable without zooming?
These gut-level observations often become your most compelling audit findings because they are the ones the prospect will immediately recognize as true.
3. Run all diagnostic tools simultaneously (15 min)
Paste the prospect's homepage URL into all six tools at the same time and let them run in parallel while you continue with the manual review. Most tools take 30–90 seconds. This saves significant time over running them sequentially.
While tools are running: check the page source for obvious issues (Ctrl+U in Chrome), check how many pages Google has indexed (search site:theirdomain.com), and check their Google Business Profile by searching their practice name.
4. Read and record results (15 min)
Work through each tool's results systematically, recording only the findings that are significant, explainable in plain English, and relevant to the prospect's niche. Do not record every warning — record the three to five findings that matter most to their patients or donors.
Record in your Notion notes: the metric, the value, the benchmark, and one sentence of plain-English explanation. This becomes your audit report copy.
5. Fill in the audit report (15 min)
Open your audit report HTML file in Chrome. Click each editable field and type in the findings from your notes. Assign grades (A through F) to each dimension. Write the summary paragraph last — it should be two to three sentences that frame the most urgent issues in terms of patient or donor impact, not technical impact.
Fill in your Calendly URL and contact details in the CTA section before saving.
6. Save as PDF and send (5 min)
In Chrome: File → Print → Save as PDF. Enable "Background graphics." Save with filename: AuditReport_[PracticeName]_[YYYY-MM].pdf
Send as an email attachment with a three-sentence personal email — not a template. Reference one specific finding by name. Include your Calendly link. Do not attach the HTML file — only the PDF.
Performance is your strongest opening finding because the impact is immediate and quantifiable. Google has published data showing that 53% of mobile visitors abandon a page that takes more than 3 seconds to load. For a medical practice, each abandoned visit is a potential patient choosing a competitor.
★ Google PageSpeed Insights — Primary tool
URL: pagespeed.web.dev
What it measures: Core Web Vitals (LCP, CLS, INP), overall performance score (0–100), and specific diagnostics with estimated savings for each fix.
Always test mobile first. Desktop scores are almost always higher and less meaningful for local healthcare prospects.
Key metrics to record:
- Performance score — overall 0–100
- LCP (Largest Contentful Paint) — how long until the main content loads. Target: under 2.5s.
- CLS (Cumulative Layout Shift) — how much the page jumps around as it loads. Target: under 0.1.
- INP (Interaction to Next Paint) — how quickly the page responds to taps. Target: under 200ms.
- Total Blocking Time — JavaScript blocking the main thread. Target: under 200ms.
Benchmarks for your niche: Any score below 50 on mobile is a Critical finding. 50–70 is High. 70–89 is Medium. 90+ is good and should not be a negative finding.
2. GTmetrix — Secondary confirmation
URL: gtmetrix.com
What it adds: Waterfall chart showing exactly which files are slowing the page down. Useful for identifying the specific cause of a poor PageSpeed score — whether it is unoptimized images, render-blocking JavaScript, or slow server response time.
Use GTmetrix when PageSpeed shows a poor score and you want to identify the specific culprit to mention in your audit findings. You do not need GTmetrix on every audit — only when the PageSpeed score is below 60 and you want to name a specific cause.
How to explain performance findings to a non-technical prospect: Never say "your LCP is 8.4 seconds." Say "Your site takes over 8 seconds to load on a phone. Most people give up after 3 seconds — which means a significant number of potential patients are leaving before they even see your phone number."
Most patients and donors find local organizations through Google Search and Google Maps. A practice with poor local SEO is invisible to the highest-intent searchers — people who are actively looking for exactly what they offer. This dimension examines whether the site and Google Business Profile are set up to appear in those searches.
★ Moz Local Check — NAP consistency
URL: moz.com/local/search
What it measures: Whether the business name, address, and phone number (NAP) are consistent across the major directories Google uses to verify local businesses — Yelp, Facebook, Apple Maps, Bing, YellowPages, and others.
What to look for:
- Inconsistent business name (e.g. "Norfolk Chiro" vs "Norfolk Chiropractic Center")
- Old address still appearing on some directories
- Missing listings on major directories
- Phone number variations (with or without area code)
Inconsistent NAP is a direct local SEO ranking factor. Even minor variations confuse Google and suppress map pack rankings.
2. Google Business Profile — Manual review
Search the practice name in Google. Look at their GBP listing directly.
Check for:
- Is the profile claimed? (Unclaimed profiles say "Own this business?")
- Are the hours current and complete?
- Are there photos? (Profiles with photos get 42% more direction requests)
- How many reviews and what is the average rating?
- Is the website URL correct and current?
- Is the GBP category specific enough? ("Chiropractor" vs "Medical clinic")
An unclaimed or neglected GBP is one of the most impactful and easiest-to-explain findings for a local prospect.
3. Google Rich Results Test — Schema markup
URL: search.google.com/test/rich-results
What it measures: Whether the site has structured data (schema markup) that helps Google understand what the business is, where it is located, and what it does.
Paste the homepage URL and check for LocalBusiness, MedicalOrganization, or NGO schema. Most small practice sites have no schema at all — which is an easy-to-explain gap with a clear fix.
4. Manual on-page SEO check
View page source (Ctrl+U) and check:
- Title tag — does it include the practice name and primary keyword? Is it under 60 characters?
- Meta description — does it exist? Is it compelling and under 155 characters?
- H1 tag — is there exactly one H1? Does it include a location keyword?
- Image alt text — search the source for alt="" to find empty alt attributes
Also run a quick site:theirdomain.com search in Google to see how many pages are indexed and whether the correct pages are appearing.
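The view-source checks above can be run over a saved copy of the page. This is an added example, not part of the original guide; the sample HTML is constructed, and it goes one step further than the manual search by also counting images that have no alt attribute at all.

```python
from html.parser import HTMLParser

# Constructed page source for illustration; the practice and its text are made up.
SAMPLE_SOURCE = """<html><head>
<title>Norfolk Chiropractic Center | Chiropractor in Norfolk, VA</title>
<meta name="description" content=""></head>
<body><h1>Welcome</h1><h1>Chiropractic care in Norfolk</h1>
<img src="team.jpg" alt=""><img src="office.jpg">
<img src="logo.png" alt="Practice logo"></body></html>"""


class OnPageCheck(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title = ""
        self.description = None   # None: no meta description tag at all
        self.h1_count = 0
        self.empty_alt = 0        # alt="" (what a source search for alt="" finds)
        self.missing_alt = 0      # <img> with no alt attribute
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "h1":
            self.h1_count += 1
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = (a.get("content") or "").strip()
        elif tag == "img":
            if "alt" not in a:
                self.missing_alt += 1
            elif not (a["alt"] or "").strip():
                self.empty_alt += 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False


def check_page(html):
    """Return plain-text issues for the title, description, H1 and alt checks."""
    p = OnPageCheck()
    p.feed(html)
    title, issues = p.title.strip(), []
    if not title or len(title) >= 60:
        issues.append(f"title: {len(title)} characters (want under 60)")
    if not p.description:
        issues.append("meta description: missing or empty")
    elif len(p.description) >= 155:
        issues.append(f"meta description: {len(p.description)} characters (want under 155)")
    if p.h1_count != 1:
        issues.append(f"h1: found {p.h1_count}, expected exactly 1")
    if p.empty_alt or p.missing_alt:
        issues.append(f"images: {p.empty_alt} empty alt, {p.missing_alt} without alt")
    return issues


if __name__ == "__main__":
    print(check_page(SAMPLE_SOURCE))
```

An empty alt is correct on a purely decorative image, so look at the flagged images before reporting the count as a finding.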
ADA website accessibility lawsuits and demand letters have increased significantly against small businesses, particularly in healthcare. Medical practices serving older patients or patients with disabilities are frequent targets. This is a meaningful finding for medical and nonprofit prospects because it creates real legal and reputational risk — not just a UX inconvenience.
★ WAVE — Primary accessibility tool
URL: wave.webaim.org
What it measures: WCAG 2.1 accessibility errors, alerts, and structural issues. Free. No account required. Shows issues visually overlaid on the page.
Key categories:
- Errors (red) — definite accessibility failures. Always report these.
- Alerts (yellow) — possible issues requiring manual review. Report significant ones.
- Contrast errors — text that fails the 4.5:1 contrast ratio requirement.
Most common findings on small practice sites: Missing image alt text, empty links, missing form labels, low color contrast, missing document language, and skipped heading levels.
Run WAVE on the homepage and the contact or booking page. These are the highest-traffic pages and the ones most likely to be used by patients with accessibility needs.
2. WebAIM Contrast Checker — Color contrast
URL: webaim.org/resources/contrastchecker
What it measures: Whether text color against its background meets the 4.5:1 minimum contrast ratio required by WCAG 2.1 AA.
Use the eyedropper tool to sample the foreground and background colors directly from the prospect's site. Paste the hex values into the checker. Common failures: light grey body text on white backgrounds, white text on medium-blue backgrounds, and light-colored text on photography.
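The ratio the checker reports comes from the WCAG relative-luminance formula. As an added example (not part of the original guide), this computes it for hex pairs; the sample colours are constructed to resemble the common failures named above.

```python
def _linear(channel):
    """Convert one 0-255 sRGB channel to linear light (WCAG 2.1 definition)."""
    c = channel / 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color):
    h = hex_color.lstrip("#")
    if len(h) == 3:                       # expand shorthand such as #999
        h = "".join(ch * 2 for ch in h)
    if len(h) != 6:
        raise ValueError(f"not a hex colour: {hex_color!r}")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(foreground, background):
    """Ratio of the lighter colour to the darker one, from 1.0 up to 21.0."""
    lighter, darker = sorted(
        (relative_luminance(foreground), relative_luminance(background)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def check_pairs(pairs, minimum=4.5):
    """Return (label, ratio rounded to 2 places, passes) for each (label, fg, bg)."""
    return [(label, round(contrast_ratio(fg, bg), 2), contrast_ratio(fg, bg) >= minimum)
            for label, fg, bg in pairs]


# Constructed samples, not measurements from a real site.
SAMPLE_PAIRS = [
    ("light grey body text on white", "#999999", "#FFFFFF"),
    ("white text on medium blue", "#FFFFFF", "#4A90D9"),
    ("dark grey body text on white", "#333333", "#FFFFFF"),
]

if __name__ == "__main__":
    for label, ratio, ok in check_pairs(SAMPLE_PAIRS):
        print(f"{label}: {ratio}:1 {'passes' if ok else 'fails'} 4.5:1")
```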
How to frame accessibility findings for non-technical prospects: Never say "your site has 14 WCAG 2.1 AA violations." Say "Your site has accessibility issues that could create legal exposure — ADA accessibility lawsuits against small medical practices have increased significantly in recent years. The most significant issue I found is [specific finding], which affects patients who use screen readers or have low vision."
★ SSL Labs — HTTPS and certificate check
URL: ssllabs.com/ssltest
What it measures: SSL certificate validity, configuration strength, and HTTPS implementation. Grades A through F.
Key things to check:
- Is SSL active at all? Visit the URL with http:// — does it redirect to https://?
- Does Chrome show a padlock or "Not Secure" in the address bar?
- Are there mixed content warnings? (Some resources loading over HTTP on an otherwise HTTPS site)
- Is the certificate current and not expired?
A "Not Secure" warning in Chrome on a medical site is an immediate critical finding. Patients see that warning and leave.
2. Manual WordPress security checks
Check for WordPress admin exposure: Visit theirdomain.com/wp-admin — does it load a WordPress login page? If so, the site is WordPress and the admin URL is exposed at the default location (a security risk).
Check WordPress version: View source and search for ?ver= in script and stylesheet URLs. If you can identify the WordPress version and it is outdated, note it.
Check for plugin update indicators: Some sites expose their plugin version numbers in page source. Outdated plugins are the most common WordPress attack vector.
Check for user enumeration: Visit theirdomain.com/?author=1 — if it redirects to a URL containing a username, the site exposes admin usernames.
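Two of the checks above, mixed content on an HTTPS page and version strings in the page source, can be read from a saved copy of the homepage. This is an added example, not part of the original guide; the sample source, hostnames and version numbers are constructed, and the page is assumed to be served over HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed homepage source; hostnames, slugs and version numbers are made up.
SAMPLE_SOURCE = """<html><head>
<link rel="canonical" href="http://clinic.example/">
<link rel="stylesheet" href="https://clinic.example/wp-content/themes/sampletheme/style.css?ver=1.2">
<link rel="stylesheet" href="https://clinic.example/wp-includes/css/dist/block-library/style.min.css?ver=6.0.1">
<script src="https://clinic.example/wp-content/plugins/sample-forms/js/forms.js?ver=3.4.0"></script>
<script src="http://cdn.example/widget.js"></script>
</head><body>
<img src="http://clinic.example/wp-content/uploads/team.jpg" alt="Our team">
<a href="http://partner.example/">Partner</a>
</body></html>"""

# Tag -> attribute that makes the browser fetch a subresource.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


def component(path):
    """Label an asset by where it lives: plugin:<slug>, theme:<slug>, wp-includes or other."""
    segs = [s for s in path.split("/") if s]
    for kind in ("plugins", "themes"):
        if kind in segs[:-1]:
            return f"{kind[:-1]}:{segs[segs.index(kind) + 1]}"
    return "wp-includes" if "wp-includes" in segs else "other"


class SourceAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed_content = []   # subresources requested over plain HTTP
        self.version_hints = {}   # component label -> set of ?ver= values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(FETCHING_ATTRS.get(tag, ""))
        # For <link>, count stylesheets only; canonical and similar rels are references.
        if not url or (tag == "link" and "stylesheet" not in (a.get("rel") or "").lower()):
            return
        parts = urlsplit(url)
        if parts.scheme == "http":
            self.mixed_content.append(url)
        for ver in parse_qs(parts.query).get("ver", []):
            self.version_hints.setdefault(component(parts.path), set()).add(ver)


def audit_source(html):
    """Return (mixed-content URLs, {component: sorted ?ver= values}) for an HTTPS page."""
    parser = SourceAudit()
    parser.feed(html)
    return parser.mixed_content, {k: sorted(v) for k, v in parser.version_hints.items()}


if __name__ == "__main__":
    mixed, versions = audit_source(SAMPLE_SOURCE)
    print("Loaded over HTTP:", mixed)
    print("Version strings in source:", versions)
```

Treat the ?ver= values as hints rather than confirmed versions: WordPress appends its own version when an asset declares none, while plugins and themes usually pass their own.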
3. Contact form review — HIPAA risk for medical
Review any contact or intake forms on the site. Note what fields they collect.
Critical for medical prospects: If the form collects health information (symptoms, conditions, medications, insurance) and is a standard WordPress form plugin (WPForms, Contact Form 7, Gravity Forms), the data is being stored in the WordPress database — which is a HIPAA compliance risk unless specific safeguards are in place.
This is one of the most powerful findings for medical prospects because it combines a technical issue with a serious legal risk they almost certainly are not aware of.
UX and trust signals are the qualitative dimension of the audit. These findings require human judgment rather than tool output. The question to ask for each element is: does this build or erode trust with a first-time visitor who has never heard of this practice?
1. Mobile experience review
Open the site on your actual phone — not Chrome DevTools. Check:
- Phone number visible and tap-to-call above the fold?
- Primary CTA (Book / Donate / Contact) visible without scrolling?
- Text readable without zooming? (16px minimum for body text)
- Buttons large enough to tap without precision? (44px minimum touch target)
- Forms usable on mobile? (Correct keyboard type triggered for each field)
- Images loading correctly at mobile resolution?
- Navigation accessible on small screen?
Review the site for the presence or absence of trust signals appropriate to the niche:
Medical & alternative health:
- Credentials and license numbers displayed?
- Professional photos or generic stock?
- Google reviews widget or testimonials?
- Insurance accepted clearly listed?
- Privacy policy and medical disclaimer present?
- Copyright year current?
Nonprofit & church:
- 501(c)(3) status and EIN visible on donation pages?
- Staff and board listed with photos?
- Annual report or financial transparency?
- Impact numbers or program statistics?
Check for signs that the site has not been updated recently:
- Copyright year in footer — still showing a year 3+ years ago?
- Blog or news section — last post more than a year old?
- Events calendar showing past events?
- Staff page listing people who may no longer work there?
- Broken images or links?
- Promotions or offers that have clearly expired?
A visibly stale site signals to patients and donors that the organization may not be well-managed or may have changed significantly since the site was built.
Tool: Screaming Frog SEO Spider (free tier crawls up to 500 URLs)
URL: screamingfrog.co.uk/seo-spider
Run a crawl of the prospect's domain. Filter for 404 errors. Note broken internal links — particularly on navigation, contact pages, and any booking or donation links.
A broken booking link on a medical site is a Critical finding — every visitor who clicks it and gets a 404 is a lost patient inquiry. This is the kind of specific, concrete problem that motivates a discovery call.
Grades are assigned to each of the five dimensions and to the audit overall. The grade reflects the severity of the issues found and their likely impact on patient or donor acquisition — not a purely technical assessment.
| Grade | Meaning | Action required |
| A | No significant issues. Meets or exceeds best practices. | Acknowledge as a strength. No remediation needed. |
| B | Minor issues present. Not actively costing opportunities. | Note as improvements, not urgent problems. |
| C | Moderate issues. Likely affecting user experience and conversion. | Recommend addressing within 3–6 months. |
| D | Significant issues. Actively losing patients or donors. | Recommend addressing within 30 days. |
| F | Critical failures. Creating legal risk or blocking conversion entirely. | Urgent. Address before anything else. |
| Dimension | F | D | C | B | A |
| Performance | PageSpeed <30 | 30–49 | 50–69 | 70–89 | 90+ |
| Local SEO | No GBP, no schema, inconsistent NAP | Unclaimed GBP or major NAP issues | GBP exists, schema missing, some NAP issues | GBP active, schema present, minor issues | Fully optimized GBP, schema, consistent NAP |
| Accessibility | 5+ WAVE errors or no SSL | 3–4 WAVE errors | 1–2 WAVE errors | Alerts only, no errors | Zero errors, zero significant alerts |
| Security | No SSL or active malware | SSL present, major config issues | SSL present, mixed content or outdated plugins | SSL A-grade, minor hardening gaps | SSL A+, all hardening best practices met |
| UX & Trust | No CTA, broken booking, no phone number | CTA buried, stale content, no trust signals | Basic UX functional, trust signals thin | Good mobile UX, trust signals present | Excellent mobile UX, comprehensive trust signals |
Overall grade: The overall grade is not an average. It is weighted toward the worst-performing dimension, because a single critical failure in one area can negate strength in others. An F in Security combined with A grades elsewhere should produce an overall D or F, not a C.
1. Writing findings in plain English
Every finding in the report must pass the "practice owner test": could a non-technical medical practice owner or nonprofit director read this and immediately understand why it matters to them?
Technical → Plain English rewrites:
- "LCP 8.4s" → "Your site takes over 8 seconds to fully load on a phone. Most visitors leave after 3 seconds."
- "No LocalBusiness schema" → "Google cannot read your location and hours from your website code, which suppresses your map pack ranking."
- "34 WAVE errors" → "Your site has 34 accessibility issues that could create ADA legal exposure — medical practices are a frequent target."
- "wp-login.php exposed" → "Your WordPress login page is at the default address, making it easier for automated attacks to target your site."
- "Missing alt text on 12 images" → "12 images on your site are invisible to screen readers, affecting patients with visual impairments."
2. The Claude prompt for audit report copy
After collecting your raw findings, use this Claude prompt to draft the report copy:
"You are a web developer writing a website audit report for a [medical clinic / nonprofit / church] in Norfolk VA. The audience is a non-technical [practice owner / executive director / pastor]. Write plain-English findings for each issue below. Frame each finding in terms of patient/donor impact — not technical severity. Keep each finding to 2–3 sentences maximum. Here are the raw findings: [paste your notes]"
Edit the output for accuracy and your voice before pasting into the report.
Send the PDF with a three-sentence email. No template — write it fresh for each prospect, referencing one specific finding by name.
Structure:
Sentence 1: What you found and why it matters to them specifically.
Sentence 2: The full findings are in the attached report.
Sentence 3: Calendly link for a 20-minute call to discuss.
Example: "Hi Sarah — I took a look at [their URL] and found that your site takes 9 seconds to load on a mobile phone, which means most patients searching on their phone are leaving before they see your booking button. Full findings in the attached report — happy to walk through it on a 20-minute call if useful: [Calendly link]."
4. Saving the PDF correctly
Open the filled audit report in Chrome. Click "Save as PDF" in the toolbar.
Chrome print settings:
- Destination: Save as PDF
- Layout: Portrait
- Paper size: Letter
- Margins: Default
- Scale: Default (100%)
- Options: Check "Background graphics" — required for colored sections
Filename format: AuditReport_[PracticeNameNoSpaces]_[YYYY-MM].pdf
Example:
AuditReport_NorfolkChiropractic_2026-06.pdf
Save a copy in the client's Google Drive folder in case they ask for it later.
| Skill | Resource | Format | Time |
| Core Web Vitals & performance | web.dev/learn/performance (Google) | Free course | 3–4 hrs |
| Reading PageSpeed reports | web.dev/performance — PageSpeed Insights documentation | Free docs | 1 hr |
| Local SEO fundamentals | Whitespark blog — whitespark.ca/blog | Free articles | 2–3 hrs |
| Local SEO — video | Ranking Academy on YouTube | Free YouTube | Ongoing |
| Google Business Profile optimization | BrightLocal Academy — brightlocal.com/learn | Free course | 2 hrs |
| Schema markup | Google Search Central — developers.google.com/search | Free docs | 1–2 hrs |
| Web accessibility — WCAG 2.1 | WebAIM Introduction to Accessibility — webaim.org/intro | Free course | 2 hrs |
| Accessibility — using WAVE | WebAIM WAVE documentation — wave.webaim.org/help | Free docs | 30 min |
| WordPress security fundamentals | Wordfence Learning Center — wordfence.com/learn | Free articles | 2–3 hrs |
| SSL and HTTPS | SSL Labs documentation — github.com/ssllabs/research | Free docs | 1 hr |
| HIPAA and websites | HHS.gov HIPAA for covered entities — hhs.gov/hipaa | Free gov resource | 1–2 hrs |
| UX heuristics & usability | Nielsen Norman Group free articles — nngroup.com | Free articles | Ongoing |
| UX — foundational book | Don’t Make Me Think — Steve Krug | Book (~$30) | 3–4 hrs |
| Screaming Frog for broken links | Screaming Frog tutorials — screamingfrog.co.uk/learn | Free docs & video | 1 hr |
| Audit writing & plain English | Anthropic prompting guide — docs.claude.ai | Free docs | 1 hr |
Practice before prospecting: Before running your first prospect audit, run a complete audit on three real businesses that are not prospects — one medical practice, one nonprofit, one church. Use businesses you find on Google Maps that you will never contact. Running the full workflow three times under no pressure builds muscle memory for the tools and sharpens your plain-English explanation skills before anything is at stake.