How to audit a law firm website: the complete checklist for 2026

What is "standard" in 2026 is meaningfully different from what it was in 2022. Core Web Vitals thresholds have tightened. Accessibility expectations have hardened. AI-driven search now rewards structured content and well-formed JSON-LD. The website that was acceptable three years ago may be substantially behind today. The audit produces an evidence-based answer.

Slow performance suppresses conversion. Poor accessibility creates legal exposure. Weak SEO architecture loses visibility to AI Overviews and traditional search. The audit identifies these costs concretely - estimated lost inquiries from a 6-second mobile LCP, estimated litigation exposure from missing accessibility features, estimated lost organic traffic from missing structured data. The cost numbers transform abstract findings into business cases.

Our State of Law Firm Websites 2026 report establishes cohort benchmarks for the elite legal industry. An audit places the firm somewhere on that distribution. Knowing the firm is in the bottom quartile on mobile performance, or the top decile on content velocity, changes the strategic conversation.

Most firms have dozens of issues that could be addressed. The audit prioritizes them by impact and effort, producing a sequence that maximizes value per dollar invested. Without prioritization, remediation work tends to address whatever is most visible rather than whatever is most valuable.

What is the site built on, how is it hosted, and how vulnerable is it? Covers CMS detection, framework analysis, hosting and CDN configuration, security headers, SSL implementation, plugin landscape (for WordPress sites), backup and disaster recovery posture.

How fast does the site load, how responsively does it interact, how stable is the visual experience? Covers Core Web Vitals (LCP, INP, CLS), page weight, third-party script load, image optimization, server response time, mobile versus desktop disparities.

Is the site organized in a way users can navigate? Is the content sufficient, current, and well-attributed? Covers site structure, navigation patterns, practice area organization, attorney profile completeness, publication archive structure, content freshness, author attribution, internal linking discipline.

Does the site express a coherent brand across surfaces? Covers logo implementation, color system consistency, typography rendering, photography quality and consistency, brand voice in writing, visual application across page types.

How effectively does the site convert visitor interest into business outcomes? Covers contact form design, call-to-action placement, CRM integration evidence, newsletter signup, calendar/scheduling integration, intake form complexity, follow-up infrastructure.

How findable is the site through traditional search and AI-driven discovery? Covers technical SEO (crawl, index, sitemap, robots.txt), on-page optimization, structured data (JSON-LD for Article, LegalService, Person, Organization), content gap analysis, AI search readiness (the new layer covered in our GEO guide).

Does the site meet legal and ethical accessibility standards? Covers WCAG 2.1 AA conformance, keyboard navigation, screen reader compatibility, color contrast, alt text completeness, accessibility tree integrity, privacy policy adequacy, cookie consent implementation, GDPR/CCPA posture.

Document the CMS, frontend framework, and hosting environment. For WordPress sites, document the theme, the active plugins, and which plugins are last-updated more than 12 months ago. For headless or custom architectures, document the API patterns and frontend implementation.

HTTPS enforced site-wide. Valid certificate from recognized authority. No mixed content warnings. Certificate renewal automation in place.

HSTS (HTTP Strict Transport Security) header present with appropriate max-age. Content Security Policy header configured. X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers present. Run through securityheaders.com - the firm should score at least an A.

For WordPress sites, run a vulnerability scan against the active plugin list. Cross-reference against Patchstack or WPScan vulnerability databases. Any plugin with a known CVE that has not been patched is a critical finding. As we covered in State of Law Firm Websites 2026, Patchstack documented 11,334 new WordPress vulnerabilities in 2025 alone, with median time to first exploitation of just 5 hours.

Automated daily backups configured. Backups stored off the primary server. Recovery time objective and recovery point objective documented and tested. Most law firms have backups in theory but have never tested recovery, which is the only way to know they work.

CDN (Cloudflare, Fastly, Akamai, or equivalent) in place. Origin server protected from direct traffic. Cache configuration appropriate to content type. Image optimization at the edge.

Production hosting on dedicated or enterprise-grade infrastructure, not shared hosting. Server location appropriate to client geography (US firms on US-East infrastructure, EU firms on EU infrastructure for GDPR data residency).

Uptime monitoring active. Performance regression monitoring. Security event monitoring. Someone receives alerts when something breaks - not just "the site is down" but also "performance dropped 30% this morning."

Field data via Chrome User Experience Report (CrUX) shows LCP under 2.5s, INP under 200ms, CLS under 0.1 for at least 75% of real user sessions. Lab data from Lighthouse is informative but secondary - field data is the metric Google uses for ranking.

Mobile LCP under 2.5s in field data. Mobile is the majority of traffic to law firm sites. Desktop-only optimization is the wrong target.

Top quartile of law firm sites ship 800KB-1.4MB homepages. Bottom quartile ship 4-7MB. The weight comes from uncompressed images, autoplay video, and third-party scripts. Each can be addressed.

All images served in modern formats (WebP, AVIF). All images appropriately sized for their rendering context. Hero images under 200KB. Attorney portraits under 50KB. Lazy loading implemented for below-the-fold images.

Count active third-party scripts (analytics, marketing, chat widgets, social embeds). Quantify their performance impact. As we documented in State of Law Firm Websites 2026, some AmLaw 50 firms run 47+ third-party scripts - a level of bloat with measurable INP consequences.

Web fonts loaded with appropriate font-display strategy (typically font-display: swap or fallback). Critical fonts preloaded. No render-blocking font requests.

Initial JavaScript bundle under 200KB compressed. Code splitting implemented for route-based loading. Unused JavaScript identified and removed.

Server response time measured at the edge. TTFB above 600ms suggests origin server issues, missing caching, or geographic distance problems.

Top-level navigation reflects the firm's actual practice and audience structure. URL patterns are predictable and consistent. Breadcrumb navigation present and accurate.

Each practice area has a dedicated page of at least 800 words. Pages include named representative matters where possible, named partner authorship, contact links to relevant attorneys. Generic boilerplate practice descriptions (200-400 words of legal industry cliché) are a finding.

Each attorney has a profile with: photograph, bio, practice areas, education, bar admissions, languages, contact methods, representative matters (where confidentiality permits), publications, speaking engagements. Profiles that are missing any of these categories indicate inconsistent content discipline.

Last publication date visible. Frequency of new content documented. Stale insights archives (nothing published in past 90 days) are a finding. As we documented in our publications guide, content velocity correlates with search visibility.

Every publication, insight, or alert attributed to named partner(s) with clickable bio links. Schema.org Person markup on author references. Articles without named authors are a finding.

Practice area pages link to related insights. Insights link to authoring attorney profiles. Attorney profiles link to their practice areas and publications. The site forms a coherent hypertext rather than a collection of disconnected pages.

On-site search functional and returns useful results. For larger firms (50+ attorneys, 100+ insights), AI-powered search (Coveo, Algolia, semantic search via embeddings) substantially outperforms basic keyword search.

For multi-jurisdictional firms, languages handled as first-class architectural concerns rather than retrofitted localization. URL patterns (subdirectory or subdomain) consistent. Hreflang tags correct. No partial translations (English content presented under a non-English URL).

Custom 404 page that helps users find what they were looking for rather than dead-ending them. 5xx errors logged and monitored.

Logo rendered at appropriate resolution across viewport sizes. SVG version used where appropriate. Logo loads first (or is preloaded) to avoid layout shift.

Brand colors used consistently across pages. No off-brand colors introduced by plugins, ads, or third-party widgets. Color accessibility meets WCAG contrast ratios (covered in accessibility section).

Limited number of typefaces (typically 1-2). Type scale consistent across pages. Body text size minimum 16px. Line height appropriate for readability (1.5x font size or more for body).

Attorney portraits shot in a consistent style. Environmental photography consistent in lighting and composition. No stock photography presented as firm imagery. As we covered in our photography guide, photography is one of the strongest brand differentiation opportunities most firms underutilize.

Practice area descriptions, attorney bios, insights articles, and other content express a recognizable consistent voice. Variations in voice signal that the brand voice has not been articulated or that content production lacks editorial discipline.

Email signatures, proposal documents, social media graphics, recruitment materials use the same brand system. As we covered in our branding article, brand inconsistency across touchpoints is the most common failure mode in legal industry branding.

The primary path from homepage to contact form is no more than 2 clicks. Contact options visible in primary navigation and footer.

3-5 fields for primary contact form. Name, email, message, optional jurisdiction or practice area. Forms requiring 10+ fields suppress senior counsel inquiries (we documented this pattern in State of Law Firm Websites 2026).

Phone, email, contact form, and (where appropriate) calendar booking all available. Different prospects prefer different channels.

Contact form submissions flow into a CRM, not a plain email inbox. Lead scoring, follow-up automation, and attribution tracking in place. Our CRM integration guide details what this looks like.

Newsletter signup available. Topical or jurisdictional segmentation offered (not just "firm-wide updates"). Confirmation email sent immediately. Subscribers can manage preferences.

For practice areas where initial consultations are common (immigration, employment, smaller business matters), direct calendar booking via Calendly or similar reduces friction. For high-value corporate work, calendar booking is typically inappropriate.

After contact form submission, the user sees an immediate confirmation (not a redirect to a generic thank-you page). Expected response time stated. Next steps clear.

No auto-launching chatbots within first 5 seconds. No popup modals interrupting content. No countdown timers. As we documented in State of Law Firm Websites 2026, elite firms avoid consumer-grade conversion tactics because they signal the wrong things to corporate clients.

robots.txt configured correctly - allowing crawlers to index public content while restricting admin or duplicate paths. XML sitemap present, current, and submitted to Google Search Console.

Google Search Console index coverage reviewed. Indexed page count matches expected publishable content. Soft 404s, noindex errors, and crawl errors investigated.

URLs descriptive, lowercase, hyphenated. No URL parameters for permanent content. Trailing slash conventions consistent. Canonical tags correct.

Every indexable page has a unique meta title (50-60 characters) and meta description (140-155 characters). Titles include primary keyword. Descriptions are written for human CTR, not keyword stuffing.

Each page has exactly one H1. H2 through H6 used hierarchically. Heading text describes the section content. As one Search Engine Journal analysis noted, broken heading hierarchy creates structural problems for both screen readers and AI agents.

JSON-LD for Organization, LegalService, Person (attorneys), and Article (insights) implemented site-wide. According to W3Techs data, approximately 53% of the top 10 million websites now use JSON-LD - law firms below this baseline are losing AI search visibility.

Content structured for AI Overview and ChatGPT citation: clear answers to specific questions early in articles, definitional sections, FAQ structure where appropriate. Cloudflare's Q1 2026 data shows 30.6% of web traffic now comes from bots, with AI crawlers a growing share.

Internal links use descriptive anchor text. Important pages receive more internal links than peripheral pages. No orphan pages (pages with no internal links pointing to them).

Inbound link profile from Ahrefs, Moz, or Semrush reviewed for quality and diversity. Toxic links identified. Major referring domains documented for relationship maintenance.

For firms with physical offices, Google Business Profile claimed and complete for each location. Schema.org LocalBusiness markup. Consistent NAP (name, address, phone) data across the web.

Run axe DevTools, WAVE, or Lighthouse accessibility audit on key page templates. Document violation count. The WebAIM Million 2026 report found that the average web page has 56.1 accessibility errors, up 10.1% from 2025. Most firms are at or above this average - which means most firms have substantial accessibility debt.

Every interactive element reachable via keyboard alone (Tab, Enter, Space, Arrow keys). Focus indicators visible. Skip-to-content link present at top of page. Modal dialogs trap focus appropriately.

Test with NVDA (free, Windows), VoiceOver (Mac/iOS), or JAWS. Page structure announced correctly. Forms have associated labels. Images have descriptive alt text. Decorative images marked as such.

Body text minimum 4.5:1 contrast against background. Large text minimum 3:1. Interactive elements (buttons, links) meet contrast requirements. Color is not the sole means of conveying information.

Where ARIA attributes are used, they enhance rather than duplicate semantic HTML. Critical finding from WebAIM 2026: pages with ARIA averaged 59.1 accessibility errors versus 42 errors on pages without ARIA. Incorrect ARIA is worse than no ARIA.

Footer link to an accessibility statement describing the firm's commitment, the standards followed (typically WCAG 2.1 AA), and a contact method for users encountering barriers.

The site does not use accessiBe, UserWay, or similar overlay widgets as a substitute for code-level accessibility. The FTC fined accessiBe $1M in January 2025 for misrepresenting overlay effectiveness; the ABA and disability advocacy organizations have consistently rejected overlays as compliance solutions.

Privacy policy reflects current GDPR (for EU client exposure) and state privacy laws (CCPA, VCDPA, CPA, etc.). Names specific data processors and subprocessors. Updated within the last 12 months.

Cookie consent banner present where required. Genuine opt-in (not pre-checked boxes). Granular consent options. Compliance with relevant frameworks (GDPR for EU traffic, state-specific requirements for US traffic).

Contact and intake forms collect only data necessary for the stated purpose. Optional fields clearly marked. Data retention policy documented.

For US firms, content compliant with state bar advertising rules. Specifically, claims of expertise compliant with Rule 7.4 of the ABA Model Rules. Disclaimers present where required. Past results discussed appropriately. For non-US firms, equivalent jurisdictional requirements observed.

Real-user performance data for Core Web Vitals. Free, official, definitive. Lab data from Lighthouse complements but does not replace field data.

Indexing status, search performance, mobile usability, structured data validation. Requires verified property access from the firm.

Crawl-based analysis. Identifies broken links, missing meta data, redirect chains, indexability issues. Free version handles up to 500 URLs; paid version unlimited.

Automated accessibility violation detection. axe DevTools browser extension is the de facto standard. WebAIM's WAVE provides an alternative perspective.

Security header scan. Produces an A through F grade against accepted best practices.

Technology stack identification. CMS detection, framework identification, third-party service detection.

SEO data including keyword visibility, backlink profile, competitor analysis. Paid tools but generally worth the audit-level subscription.

User behavior analytics. Session recordings, heatmaps, scroll depth. Microsoft Clarity is free and increasingly capable. Requires installation prior to audit, so historical data is only available if previously instrumented.

Significant portions of the audit require human judgment - brand consistency, content quality, attorney profile completeness, photography style. Automation supports manual review but cannot replace it for law firm-specific evaluation.

Quick wins with substantial business impact. Usually 5-15 findings in this category. These typically include: missing security headers, missing meta descriptions on key pages, missing alt text on hero images, missing structured data on attorney profiles, basic contact form simplification.

Significant projects that justify substantial investment. Usually 3-8 findings. These typically include: CMS migration, performance overhaul, redesign of practice area pages, accessibility remediation across the site, content velocity improvement.

Minor improvements with minor business impact. Address opportunistically. Usually the largest category.

Findings that look fixable but offer poor return. Document them, but do not invest in them. Sometimes called the "interesting but ignore" pile.

Every quick-win finding gets a named owner with a deadline before the report is presented. Without ownership, findings drift.

High-impact, high-effort findings need to be calendared, not just listed. A redesign project that "we should do sometime" never happens. A redesign project with a Q3 start date typically does.

Re-audit key categories quarterly. Performance, accessibility, and SEO can be re-measured cheaply. The re-measurement provides accountability and surfaces drift.

The full audit report goes to leadership and the implementation team. Specific findings go to the people who can act on them. Distribution of the full report to a broad internal audience often produces defensiveness without action.

The web changes. The audit captures a moment. Ongoing budget for maintenance, content velocity, and incremental improvement is what keeps the site current between major projects.

A site that loaded acceptably at launch typically slows over years as plugins, scripts, and image assets accumulate. Most firms have not measured performance since launch and discover their site is in the bottom quartile of their peer cohort.

Firms expect 5-15 accessibility issues. They typically find 50-150 against the WebAIM 2026 average of 56.1 per page.

Most firms have basic Organization schema and nothing else. Article schema, Person (attorney) schema, and LegalService schema are typically missing - leaving substantial AI search visibility unrealized.

Publication cadence at most firms peaks 1-2 years after launch then declines. Firms that publish 50 articles in Year 1 often publish 5 in Year 3 without the leadership being aware.

Forms tend to accrete fields over time as different stakeholders request "just one more piece of information." Many firms end up with 8-12 field forms when 3-5 would convert dramatically better.

The website maintains brand discipline but proposal templates, email signatures, social graphics, and recruitment materials drift over years into a fragmented visual identity.

Sites accumulate plugins faster than they remove them. The active plugin list often exceeds 30 plugins on long-running WordPress sites, with substantial percentages unmaintained for over a year.