Questions about SiteReview, answered.

SiteReview is a WordPress plugin that produces a comprehensive site audit report covering eight functional areas: WordPress Status, Performance, Site Security, Mobile Friendliness, Accessibility, Hosting, Domain & DNS, and SEO. It runs from inside the WordPress admin, scans the homepage plus up to five additional pages, and generates a self-contained static HTML report that the agency can email to a client or download as a single file.

No. SiteReview is an audit tool — it surfaces what free APIs report and what installed security plugins report. It includes a Site Security section (HTTP headers, Mozilla Observatory grade, Sucuri SiteCheck, plugin self-reports), but it is not a replacement for Wordfence or Sucuri’s active monitoring. Think of it as a point-in-time site assessment, not a firewall.

Core version, PHP version, database charset, active and inactive plugin counts, theme inventory, plugins out of date relative to wordpress.org, themes out of date. Drawn from the live WordPress install — no external API calls.

Core Web Vitals threshold meters (LCP, INP, CLS) for every audited page, on both mobile and desktop, sourced from Google PageSpeed Insights. Lighthouse score strips for Performance, Accessibility, Best Practices, and SEO from the homepage mobile call. Per-page page weight, blocking resources, and image-optimization findings.

HTTP security headers grid (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) for every audited page, Mozilla Observatory v2 grade and findings, Sucuri SiteCheck malware screen, and the security plugin’s self-reported posture if Wordfence, Solid Security, Defender, or Sucuri Plugin is installed.

Viewport configuration, tap target sizing, font legibility, layout shift, mobile Lighthouse usability checks. Catches the issues desktop testing always misses — small touch targets, intrusive overlays, missing viewport meta.

WCAG 2.2 AA findings from axe-core, which is bundled with the plugin. The accessibility audit runs client-side: a hidden iframe loads each audited page, axe-core injects, results stream back. Severity-categorized findings with deterministic remediation copy in free, AI-tailored guidance in Pro.

Infrastructure stack: CDN detection, host name, geographic country, ASN. Built from a bundled MaxMind GeoLite2 Country database (with attribution) — no third-party API call required, no rate limit. Tells the client where their site actually lives.

Domain registrar, registration date, expiration date, name servers, MX records, SPF/DKIM/DMARC email-auth trio, CAA records. Drawn from RDAP (via rdap.org bootstrap) and Google DoH for DNS queries.

On-page coverage bars across the scan scope for titles, meta descriptions, canonical tags, Open Graph tags, Twitter Card tags, schema.org markup, robots.txt configuration, and XML sitemap discovery. Not a full SEO audit — the foundation findings every client needs to see.

Both tiers gather most of the same measurements and produce the same eight sections. Pro adds five things: AI-authored narrative (executive summary, recommendations, per-section intros), deep theme analysis (version-gap on recognized themes, AI source review on unrecognized), inline editing of the report from the WP admin, white-label branding on the deliverable, and token rotation. Free is genuinely useful on its own — the upgrade is for agencies producing client-ready deliverables.

No. Pro narrative is presented as the agency’s own analysis. No “AI-generated” banner, no model attribution, no disclaimer. The narrative is written in a voice spec designed to remove obvious AI fingerprints (no em dashes, no hedging triplets, no “it’s worth noting”).

The free tier makes zero calls to SteadyPress servers. It queries public APIs directly: Google PageSpeed Insights, Mozilla Observatory, Sucuri SiteCheck, RDAP, Google DoH. Geolocation is done locally via the bundled MaxMind database. The Pro tier sends a small set of data (anonymized measurement summaries, theme source for unrecognized themes) to the SteadyPress API for AI narrative generation, authenticated via HMAC.

A credit is consumed each time SiteReview Pro generates a completed report on a domain. Pro Single comes with 1 credit, Pro Agency with 10, Pro Enterprise with 50. Credits never expire. Re-running an audit on the same domain within 30 days does not consume an additional credit (the “fix-and-verify” grace window). The plugin itself can be installed on unlimited sites — credits gate report generation, not domain activation.

Not in v1. Network activation is blocked at the plugin level. If you network-activate, the plugin throws an admin notice and deactivates itself. Each install audits the site it’s installed on.

Pro licenses are one-time purchases — they don’t expire. Your credits never expire either. If you ever do uninstall the plugin, the static HTML report files in /wp-content/uploads/sitereview/reports/ stay where they are (you can opt into cleanup-on-uninstall in Settings). The clean public URL stops resolving when the plugin is deactivated, but the direct uploads URL keeps working. We recommend sharing the direct uploads URL with clients if there’s any chance you’ll uninstall.

In Pro Settings, upload a logo (PNG or SVG, stored as a WordPress media attachment), set your agency name, an optional tagline, a primary color (hex), and an accent color. These replace the SteadyPress mark, eyebrow, footer credit, primary color, and accent color in the rendered report and the single-file HTML download. The WordPress admin chrome stays SteadyPress-branded — white-label is for the deliverable.

In the report viewer (Pro tier), click “Rotate URL.” A new public URL token is generated and the static HTML is re-written to the new location. The old URL stops working immediately. Use it to revoke external access after sending, or if a URL has been forwarded too widely.

Yes — both tiers. The “Delete Report” action removes the static HTML file from disk, deletes the database row, and cancels any pending background jobs for that scan. The free tier’s revocation path for a leaked URL is Delete (since free doesn’t have token rotation).

No. The static HTML includes <meta name="robots" content="noindex,nofollow">, plus an X-Robots-Tag header where the server supports it. The report token URL is intentionally not search-discoverable — reports can contain security findings.

Depends on page count and external API queue depth. A homepage-only scan is typically 1–3 minutes. A full scan (homepage + 5 pages) takes 5–15 minutes, with PageSpeed Insights as the slowest sub-step (PSI runs as per-page sub-jobs). Sections run in parallel where possible; you can leave the WP admin tab and the scan continues.

Both are SteadyPress plugins, sold separately. SteadyScore answers “are my plugins trustworthy?” — per-plugin scoring, ongoing monitoring, useful on a long-running install. SiteReview answers “is my site in good shape?” — a comprehensive point-in-time audit producing a client deliverable. Different question, different shape, different usage pattern.