Documentation
Audit websites for SEO, security, performance, and WordPress intelligence — no login required.
Use the web app or REST API at http://localhost:8997/api/v1.
Overview
WP Audit Platform crawls your site (breadth-first, same origin), analyzes each page with passive HTML and header checks, then builds a report with scores, issues, and recommendations. No browser is opened for every URL during crawl, so scans stay fast and stable.
- No authentication — start audits from the UI or API without registering or sending tokens
- SEO — titles, meta, headings, canonicals, schema, images, duplicates, robots/sitemap
- Security — HTTPS, SSL, security headers, mixed content, WordPress exposures
- Performance — scripts, CSS, DOM size, lazy loading, cache headers
- WordPress — detection confidence, plugins, themes, version leaks
- Technology stack — CMS, CDN, analytics, frameworks
Deployment note: In public mode, anyone who can reach this server can run audits and view audit history. Use on localhost or a trusted network unless you add your own access controls.
How it works
- Submit — You enter a URL in the UI or
POST /audits; no auth step. - Queue — The audit is queued (
status: queued). - Crawl — BFS discovers pages (up to
CRAWL_MAX_PAGES, default 50). Progress 5–40%. - Analyze — SEO, security headers, WP fingerprinting, tech stack per page; site-wide robots and WP probes.
- Performance — Lightweight metrics always; optional Lighthouse if enabled.
- Report — Issues deduplicated, report saved;
status: completed.
URL → API → Crawl (BFS) → Analyzers → Performance step → Report → Done
Queue mode: QUEUE_MODE=inline runs jobs inside the API process (local dev).
QUEUE_MODE=bullmq uses Redis and a worker process for production.
Using the web UI
- Open New audit and enter a URL (e.g.
example.com— https is added automatically). - Watch progress on the audit page; open the report when complete.
- Use History to see past audits on this server.
- Expand issues and page rows for full descriptions and recommendations.
There is no sign-up, login, or API token stored in the browser.
API access
All /audits endpoints are open. Send JSON requests with Content-Type: application/json only —
do not send Authorization: Bearer ….
POST http://localhost:8997/api/v1/audits
Content-Type: application/json
{ "url": "https://example.com" }
The app uses an internal guest user in MongoDB so data models stay consistent. The dashboard lists all recent audits on this instance.
API endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /audits | Start audit (202) |
| GET | /audits | List recent audits |
| GET | /audits/:id | Get audit details |
| GET | /audits/:id/status | Poll progress |
| GET | /audits/:id/report | Full report (when completed) |
| DELETE | /audits/:id | Delete audit and data |
| GET | /health | Server health (at app root, not under /api/v1) |
Base path: http://localhost:8997/api/v1. Rate limit: 100 requests / 15 min per IP by default.
API workflow
1. Start an audit
POST http://localhost:8997/api/v1/audits
Content-Type: application/json
{ "url": "https://example.com" }
Returns 202 with data.id — save that audit ID.
2. Poll status
GET http://localhost:8997/api/v1/audits/AUDIT_ID/status
Statuses: queued → crawling → analyzing → generating → completed or failed. Poll every 3–10 seconds.
3. Fetch report
GET http://localhost:8997/api/v1/audits/AUDIT_ID/report
Returns 404 or an error if the audit is still running.
Example (curl)
AUDIT_ID=$(curl -s -X POST http://localhost:8997/api/v1/audits \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com"}' | jq -r '.data.id')
curl -s http://localhost:8997/api/v1/audits/$AUDIT_ID/status
curl -s http://localhost:8997/api/v1/audits/$AUDIT_ID/report
Report structure
The report JSON includes:
overview— URL, pages scanned, issue counts, scoresallIssues— full list with severity, category, recommendation, pageUrlpages— each crawled URL with status, depth, per-page issuesseo,performance,security,wordpress— category scores and top issuesintelligence— technologies, plugins, crawl metrics, security risk summaryrecommendations— prioritized action items
Real-time progress (Socket.IO)
Optional for web or Node clients on the same origin as the app. No login required — only pass auditId:
const socket = io('http://localhost:8997', { transports: ['polling', 'websocket'] });
socket.emit('join-audit', { auditId: '...' });
socket.on('audit:progress', (data) => { /* percent, message */ });
socket.on('audit:completed', (data) => { /* reportId */ });
socket.on('audit:failed', (data) => { /* message */ });
Server-side integrations can rely on polling /status only.
Configuration
Key environment variables (see .env.example):
| Variable | Description |
|---|---|
MONGODB_URI | MongoDB connection string |
QUEUE_MODE | inline (local) or bullmq (Redis worker) |
CRAWL_MAX_PAGES | Max pages per audit (default 50) |
CRAWL_MAX_DEPTH | Link depth limit (default 3) |
LIGHTHOUSE_ENABLED | true for Chrome Lighthouse (slower) |
APP_URL | Public URL of the app (e.g. http://localhost:3000) |
Full markdown: docs/BACKEND_FLOW.md (data & analyzers), docs/CODEBASE_GUIDE.md, docs/API.md, docs/HOW_IT_WORKS.md.