Foundation Stack

Lock down permalinks, canonicals, robots meta, lowercase URLs, and clean redirects so every page has one canonical, indexable address with no duplication.

• Set permalinks to a clean slug pattern with one trailing-slash policy sitewide
• Add a self-referencing canonical link to every indexable page head
• Add an index, follow robots meta with image-preview and snippet directives
• Force lowercase URLs in server config to prevent case-duplicate indexing
• Resolve www/non-www and http/https with single 301 redirects, no chains
• 301-redirect or 410 thin, duplicate, or orphan pages flagged in Search Console

Keep every page within three clicks of the homepage, add breadcrumbs and an HTML sitemap, and use hub-and-spoke topical clusters with descriptive anchors.

• Limit every page to a maximum of three clicks from the homepage
• Add breadcrumb navigation with BreadcrumbList JSON-LD on every non-homepage template
• Build a public HTML sitemap listing top-level sections and key pages
• Implement hub-and-spoke topical clusters with bidirectional pillar/sub-page links
• Use descriptive anchor text on internal links, never click here or read more alone
• Keep URL slugs under sixty characters with hyphens and no stop words

Write unique titles, descriptions, Open Graph, Twitter Card, theme color, and language meta tags per page so SERP previews and social shares render correctly.

• Write unique title tags 50 to 60 characters with primary keyword near the front
• Write unique meta descriptions 140 to 160 characters in active voice with a CTA
• Add full Open Graph set including og:title, description, image, type, and url
• Add Twitter Card tags including summary_large_image, title, description, and image
• Add a theme-color meta tag matching brand color for mobile browser chrome
• Add Content-Language meta and html lang attribute for language signals

Insert Organization, WebSite, LocalBusiness, Article, Service, and FAQ JSON-LD with absolute @id values so schema graphs validate and link cleanly across pages.

• Insert Organization and WebSite JSON-LD with SearchAction in the head of every page
• Add LocalBusiness schema with full NAP, hours, geo coordinates, and areaServed
• Add Article plus Author Person plus datePublished and dateModified on article pages
• Add Service schema with provider, areaServed, and hasOfferCatalog on service pages
• Add FAQPage JSON-LD only where content genuinely answers user questions
• Use absolute URLs in all @id values so schema graphs link cleanly across types

Generate a dynamic XML sitemap with accurate lastmod, exclude noindex URLs, split when oversized, and submit it through Search Console and Bing Webmaster Tools.

• Enable a dynamic XML sitemap via the active SEO plugin or framework module
• Confirm lastmod updates on every content edit, not only on first publish
• Split sitemaps when over 50,000 URLs or 50MB into a sitemap index file
• Exclude noindex pages, redirects, and parameter URLs from the sitemap
• Add separate image and video sitemaps where applicable
• Submit sitemap URLs in Google Search Console and Bing Webmaster Tools

Maintain an explicit robots.txt with bot-specific rules, sitemap declaration, no blocked CSS or JS, and tested syntax through Search Console.

• Create an exact robots.txt at root with allow, disallow, and sitemap directives
• Add explicit user-agent rules for GPTBot, ClaudeBot, and PerplexityBot per client preference
• Block known scraper bots only when the client requests it, not by default
• Never block CSS, JS, or image directories needed for rendering
• Test robots.txt in Google Search Console tester before deploying

Maintain a clean redirect map with 301s applied at server level, no chains, no JS-based redirects, and 410s used for permanently retired URLs.

• Add 301 redirects only via server config, never JavaScript or meta refresh
• Eliminate redirect chains so every redirect points directly to the final URL
• Fix every 404 in Search Console Coverage with a 301 to the most relevant live URL
• Use 302 only for true temporary redirects like A/B tests or seasonal pages
• Maintain a redirect map spreadsheet for every site migration or restructure

Build out Person and Organization schema with sameAs to authoritative profiles, link Wikidata and Knowledge Graph nodes, and claim Google Business Profile.

• Add Person JSON-LD for the business owner with sameAs to Wikidata, LinkedIn, and socials
• Reference your Wikidata Q-ID in author schema across all editorial content
• Add a knowsAbout array to Person schema listing topical expertise areas
• Build an author page per content contributor with bio, credentials, photo, and social links
• Cross-link Organization schema to founder Person schema via founder property
• Claim and complete Google Business Profile with verified ownership

Wire IndexNow API key submission into publish hooks so Bing and Yandex receive instant pings for new and updated URLs.

• Generate an IndexNow API key and place it at the matching .txt file at root
• Install IndexNow plugin or add a publish-hook API call in the CMS
• Submit every new and updated URL via POST on save or publish
• Use the urlList batch endpoint for bulk submissions during migrations
• Monitor submission logs to confirm 200 responses from Bing and Yandex

Publish llms.txt and llms-full.txt with site purpose, key URLs, and rules so AI crawlers can find context and citation-friendly markdown content.

• Create llms.txt at root with site purpose, key URLs, and crawler rules
• Create an expanded llms-full.txt with full markdown context for AI training and retrieval
• Reference both files from robots.txt via Sitemap-style declarations
• Format llms.txt per the emerging spec with H1 title, blockquote summary, and sectioned link lists
• Update on major content additions so AI crawlers retrieve fresh context

Enable Brotli, set proper cache-control on assets and HTML, add security headers, enable OCSP stapling, and hide server signatures at the edge.

• Enable Brotli compression at the edge with Gzip as fallback
• Set long immutable cache-control on hashed static assets
• Set short cache-control on HTML pages with edge max-age
• Add nosniff, frame, referrer policy, and permissions policy security headers
• Enable OCSP stapling for faster TLS handshakes
• Disable server signature and version disclosure

Route traffic through a CDN with origin shielding, edge HTML caching with cache-tag headers, proper Vary, purge webhooks, and image optimization at edge.

• Route all traffic through Cloudflare, Fastly, or Bunny CDN with origin shielding
• Replace image, CSS, and JS URLs with CDN-hosted URLs in theme settings
• Enable edge caching for HTML pages with cache-tag headers for selective purging
• Set proper Vary headers so personalization does not break cache
• Configure cache purge webhooks on publish and update events
• Enable Cloudflare Polish or equivalent for automatic image optimization

Enable HTTP/3 and QUIC at origin and CDN, advertise via Alt-Svc, fall back to HTTP/2 only, and run TLS 1.3 with no legacy cipher support.

• Confirm origin server negotiates HTTP/3 with proper Alt-Svc header
• Enable HTTP/3 in Cloudflare dashboard or nginx with QUIC listening
• Fall back gracefully to HTTP/2 and never serve HTTP/1.1 over TLS
• Enable 0-RTT resumption only on idempotent GET and HEAD requests
• Keep TLS 1.3 enabled and disable TLS 1.0 and 1.1 entirely

Use preconnect, dns-prefetch, and preload for above-the-fold resources, mark below-the-fold as low priority, and cap preconnects to avoid contention.

• Add preconnect link tags for every third-party origin used above the fold
• Add dns-prefetch fallback for non-critical origins
• Preload the LCP image with high fetchpriority
• Preload critical fonts with proper crossorigin attribute
• Use low fetchpriority on below-the-fold images and non-critical resources
• Limit total preconnects to four to six to avoid contention

Convert images to AVIF with WebP fallback, ship responsive picture sources, lazy-load below the fold, minify and tree-shake assets, and prune unused fonts.

• Convert all images to AVIF with WebP fallback and JPEG or PNG only as last resort
• Serve responsive images via picture element with srcset and sizes
• Add lazy loading to every image below the fold and eager above the fold
• Add async decoding to all images
• Minify CSS, JS, and HTML in the production build
• Tree-shake unused JS and CSS using DevTools Coverage tab
• Remove unused fonts and font weights

Hit Good thresholds for LCP, INP, and CLS using preload, long-task breaking, reserved space, content-visibility, and field data monitoring.

• Target LCP under 2.5 seconds via preload, hero optimization, and removing render blockers
• Target INP under 200 milliseconds by breaking long tasks and deferring non-critical JS
• Target CLS under 0.1 by reserving space for ads, embeds, and images
• Add content-visibility auto to below-the-fold sections
• Use will-change transform only on actively animating elements then remove
• Monitor field data via CrUX dashboard and PageSpeed Insights, not lab data alone

Inline critical above-the-fold CSS, async-load remaining CSS, swap fonts, defer non-critical JS, subset fonts, and self-host where possible.

• Inline above-the-fold critical CSS in a style block under 14KB
• Async-load remaining CSS via preload onload pattern
• Add font-display swap to every font-face rule to eliminate invisible text
• Subset fonts to Latin characters when full Unicode is not needed
• Move all non-critical JS to footer with the defer attribute
• Self-host fonts when possible to eliminate third-party origin handshake

Use defer for DOM-dependent scripts, async for independent ones, eliminate document.write, lazy-load embeds, and offload third-party JS with Partytown.

• Use defer on scripts that depend on the DOM and async on independent scripts
• Avoid document.write entirely because it blocks parsing
• Move all third-party tags to load after the window load event
• Use Partytown or web workers to offload third-party JS off the main thread
• Lazy-load embeds with click-to-load facade pattern
• Audit main thread time in DevTools Performance panel

Set viewport meta, readable type, large tap targets, accessible contrast, no horizontal scroll, and reduced-motion support across real-device viewports.

• Add the standard viewport meta tag to every page
• Set body font size minimum 16px with comfortable line height and width
• Make all tap targets at least 48 by 48 pixels with 8 pixel spacing
• Maintain at least 4.5 to 1 contrast for body text and 3 to 1 for large text
• Test on real devices including iPhone SE, mid-range Android, and iPad
• Eliminate horizontal scroll at viewport widths from 320 to 2560 pixels
• Add prefers-reduced-motion support to disable non-essential animations

Provide alt text, aria labels, semantic HTML5, single H1 with logical hierarchy, skip links, full keyboard support, and aria-live for dynamic content.

• Add descriptive alt text to every meaningful image and empty alt for decoratives
• Add aria-label to icon-only buttons and links
• Use exactly one H1 per page with logical H2 to H6 hierarchy and no skipped levels
• Place a skip-to-content link as the first focusable element on every page
• Ensure full keyboard navigability with visible focus indicators
• Use semantic HTML5 elements like nav, main, article, aside, and footer
• Add aria-live regions for dynamic content like form errors and cart updates

Set explicit width and height, use aspect-ratio CSS, reserve space for backgrounds, ads, and iframes, and audit CLS contributors.

• Set explicit width and height attributes on every image and video element
• Use the aspect-ratio CSS property on responsive images to reserve space
• Set min-height on background image containers so layout does not shift
• Reserve fixed dimensions or placeholders for ads, embeds, and iframes
• Use picture element with art-directed sources for different aspect ratios
• Audit CLS contributors in PageSpeed Insights Avoid large layout shifts report

Generate a complete favicon set, manifest, theme color, and Apple touch icon so the brand renders crisply across browsers, mobile, and PWAs.

• Generate full icon set including ico, apple-touch-icon, and 192 and 512 PNGs
• Add complete link tags in head for icons and manifest
• Create a webmanifest with name, short_name, icons, theme_color, and background_color
• Add a theme-color meta tag matching the brand for mobile browser chrome
• Use an SVG favicon for crisp rendering at all sizes when supported

Build branded 404, 500, and 503 pages with helpful navigation, return correct status codes, monitor soft-404s, and log inbound 404s for redirects.

• Create a custom 404 page with search, top categories, recent posts, and contact link
• Return proper HTTP status codes including 404 for not found and 410 for gone
• Create custom 500 and 503 pages with brand styling and contact info
• Monitor Search Console Coverage report weekly for soft-404s and crawl errors
• Set up server alerts for spikes in 4xx and 5xx responses
• Log all 404s to identify broken inbound links worth redirecting

Enforce HTTPS with HSTS preload, CSP, WAF rules, automatic CMS updates, strong admin auth with 2FA, and weekly malware scanning.

• Enforce HTTPS sitewide with HSTS header including preload directives
• Submit the domain to the HSTS preload list at hstspreload.org
• Add a Content Security Policy header tailored to actual third-party sources
• Enable automatic CMS, plugin, and theme security updates with rollback capability
• Implement WAF rules via Cloudflare or Sucuri to block SQLi, XSS, and bot signatures
• Force strong admin passwords plus 2FA on all CMS accounts
• Disable XML-RPC in WordPress unless actively used
• Run weekly malware scans with Wordfence, Sucuri, or MalCare

Run a consent banner that blocks scripts pre-consent, categorize cookies, ship privacy and accessibility statements, and implement Consent Mode v2.

• Install a consent banner that blocks all non-essential scripts until consent
• Categorize cookies as strictly necessary, performance, functional, or marketing
• Add a comprehensive privacy policy covering data, purpose, retention, third parties, and rights
• Add a Your Privacy Choices link in the footer for U.S. state privacy laws
• Implement Google Consent Mode v2 for ad and analytics consent signals
• Add an accessibility statement page covering WCAG conformance level
• Add terms of service and a DMCA contact for U.S. compliance

Use SSR or SSG for content pages, ship noscript fallbacks, verify rendered HTML matches View Source, and avoid hash-based routing.

• Use server-side rendering or static generation and never rely on pure client rendering
• Implement dynamic rendering or pre-rendering for bot user agents on SPAs as fallback
• Add noscript fallback for critical content and navigation
• Verify rendered HTML contains all SEO content via View Source
• Test every template in Google Mobile-Friendly Test and URL Inspection Live Test
• Avoid hash-based routing and use clean paths only

Ship a webmanifest, register a service worker for offline fallback and asset caching, add an install prompt, and audit cache versioning.

• Create a manifest with name, short_name, start_url, display, theme_color, and icons
• Register a service worker for an offline fallback page and asset caching
• Use Workbox or framework PWA plugin to manage cache strategies
• Add an install prompt button after the beforeinstallprompt event fires
• Test offline mode in Chrome DevTools Application panel
• Keep service worker scope and cache version controlled to avoid stale content

Enable detailed access logs, run monthly log analysis, identify under-crawled and over-crawled URLs, and monitor crawl budget across bot families.

• Enable server access logs with full request data including status, user-agent, and time
• Block low-value bots in robots.txt and at WAF level per client preference
• Run monthly log analysis with Screaming Frog Log File Analyzer or Botify
• Identify pages Googlebot crawls but rarely as candidates for internal link reinforcement
• Identify pages Googlebot crawls excessively but ranking poorly for noindex or consolidation
• Monitor crawl budget allocation between Googlebot, Bingbot, and AI crawlers