mli.com.mx
E-commerce site based in United States, served through cloudflare, with email running through custom-or-self-hosted.
SEO50Needs work
Schema.org type validity (parsed JSON-LD)
We didn't find any structured-data tags on your homepage.
No breadcrumb schema is published. Search engines can't show breadcrumb trails under your listings, and visitors lose the trail to important pages.
Title, meta description, OG, Twitter cards, canonical
Your homepage is missing one or more of the standard social-share and search-preview tags.
Internal link depth (clicks from homepage to deepest content)
Important pages are reachable in just a click or two from your homepage.
6 additional standards didn't apply to this category
Performance59Solid
Your server still serves over the older HTTP/2 protocol — not the newer, faster HTTP/3.
Image optimization (WebP/AVIF)
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)
Your homepage is slow on mobile. The data Google uses to rank pages says real visitors wait too long for it to feel ready.
Font loading strategy (FOUT/FOIT/swap)
Your fonts aren't using font-display: swap. Visitors see invisible text for a moment while the font downloads — Google penalises this.
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
Lazy loading on below-fold images
Below-fold images use loading="lazy" — they download only when the visitor scrolls toward them.
6 additional standards didn't apply to this category
AI-readiness62Solid
JSON-LD richness score for LLMs
We couldn't find any organization details in your page's structured data.
1 additional standard didn't apply to this category
Privacy63Solid
No privacy policy page found. Required by GDPR, CCPA, and most app store listings.
Your homepage loads a moderate number of third-party trackers. Worth auditing what each one is for.
3 additional standards didn't apply to this category
Email health64Solid
No SPF record is published, so nothing tells mail providers who's allowed to send as you.
No MTA-STS or TLS-RPT policy is published — incoming mail could be downgraded to plaintext.
Mailto: direct contact link present
We couldn't find a tap-to-email link anywhere on your site.
You have DMARC set up, but in monitor-only mode — it's not actually rejecting spoofed mail.
Email provider class (Workspace / 365 / Zoho / self-hosted / shared)
We couldn't confidently identify which service is hosting your email.
Branded domain email address (vs free Gmail/Yahoo)
You send email from your own domain, not a free Gmail/Yahoo address.
DMARC aggregate reporting enabled (rua=)
You're set up to receive daily DMARC reports of spoofing attempts.
Free-email exposure on contact page (gmail/yahoo/outlook visible)
Your published contact address is on your own domain, not a free inbox.
Email forwarding service detected (improvmx, forwardemail, etc.)
Mail to this domain is being forwarded — you have working email reachability.
Lead magnet / signup incentive detected (free download, ebook, etc.)
Your homepage offers a lead magnet — visitors who aren't ready to buy can still leave with something useful.
5 additional standards didn't apply to this category
Brand presence75Excellent
We couldn't find a Trustpilot listing. Many consumers check Trustpilot before buying — a missing listing reads as a missing reputation.
Instagram presence (link from site → IG profile)
Your Instagram profile is linked from your site.
11 additional standards didn't apply to this category
Security76Excellent
There's no CAA record at your registrar saying which companies are allowed to issue certificates for you.
Your domain isn't on Chrome's HSTS preload list. The first visit from a new browser still has a brief window where an attacker could intercept it.
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Embedded SCT count (Certificate Transparency)
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Your site isn't sending any of the standard browser-protection headers.
SSL certificate validity & expiration window
Your SSL certificate is valid and not close to expiring.
WordPress REST API user enumeration exposure
Your WordPress REST API doesn't leak usernames — attackers can't list accounts without already being authenticated.
Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)
None of the common admin or developer paths are publicly reachable.
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Certificate key strength and signature algorithm
Your certificate uses strong modern math (ECDSA P-256+ or RSA-2048+ with SHA-256+).
Certificate chain completeness
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Certificate validity-period brevity
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your TLS handshake completes quickly — under 300ms on a cold connection.
4 additional standards didn't apply to this category
Accessibility84Excellent
Text on your homepage doesn't meet WCAG AA contrast minimums against its background. Visitors with low vision can't read parts of the page.
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
Every image on your homepage has alt text — screen readers can describe them.
ARIA labels presence and validity
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
A skip-to-content link is published — keyboard users land directly on the main content.
2 additional standards didn't apply to this category
View formal standards verdicts → Composite-spec rollups for press, regulators, and compliance auditors.
20 additional standards planned, scorer not yet implemented.
Does this look like a real business?50Needs work
We couldn't find a Trustpilot listing. Many consumers check Trustpilot before buying — a missing listing reads as a missing reputation.
A contact form people can actually find
We couldn't find a visible contact form on your homepage.
Whether anyone's written about you lately
No news mentions of this domain in the last 30 days.
8 additional standards didn't apply to this site
Can people find this site?54Needs work
Whether your behind-the-scenes labels are valid
We didn't find any structured-data tags on your homepage.
A trail showing where visitors are on your site
No breadcrumb schema is published. Search engines can't show breadcrumb trails under your listings, and visitors lose the trail to important pages.
How well your site feeds AI the right facts
We couldn't find any organization details in your page's structured data.
How your site appears when shared or in search results
Your homepage is missing one or more of the standard social-share and search-preview tags.
Whether you're letting AI assistants read your site
You aren't blocking any AI crawlers in your robots.txt.
How easy it is to reach your deepest pages
Important pages are reachable in just a click or two from your homepage.
7 additional standards didn't apply to this site
Is email from this domain trustworthy?56Solid
Lists who's allowed to email as your business
No SPF record is published, so nothing tells mail providers who's allowed to send as you.
Keeps your email private in transit
No MTA-STS or TLS-RPT policy is published — incoming mail could be downgraded to plaintext.
A clickable email link on your site
We couldn't find a tap-to-email link anywhere on your site.
Stops scammers from emailing customers as you
You have DMARC set up, but in monitor-only mode — it's not actually rejecting spoofed mail.
What's actually running your email
We couldn't confidently identify which service is hosting your email.
You email from your own domain, not Gmail
You send email from your own domain, not a free Gmail/Yahoo address.
You get reports when someone fakes your email
You're set up to receive daily DMARC reports of spoofing attempts.
Your email is being forwarded, not hosted
Mail to this domain is being forwarded — you have working email reachability.
4 additional standards didn't apply to this site
Is it fast?59Solid
Your site uses the newest connection style
Your server still serves over the older HTTP/2 protocol — not the newer, faster HTTP/3.
Your photos are saved in modern formats
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
How fast your site loads on a phone
Your homepage is slow on mobile. The data Google uses to rank pages says real visitors wait too long for it to feel ready.
Your text shows up while fonts load
Your fonts aren't using font-display: swap. Visitors see invisible text for a moment while the font downloads — Google penalises this.
Pages get squeezed before they're sent
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
Photos lower on the page wait their turn
Below-fold images use loading="lazy" — they download only when the visitor scrolls toward them.
6 additional standards didn't apply to this site
Does it respect visitor privacy?63Solid
You have a privacy policy page
No privacy policy page found. Required by GDPR, CCPA, and most app store listings.
How many outside companies you let watch your visitors
Your homepage loads a moderate number of third-party trackers. Worth auditing what each one is for.
You have a terms of service page
Your terms of service page is reachable from the homepage.
3 additional standards didn't apply to this site
Is it safe to visit?76Excellent
Only your approved vendors can issue your padlock
There's no CAA record at your registrar saying which companies are allowed to issue certificates for you.
Your site is on the browser-baked-in safe list
Your domain isn't on Chrome's HSTS preload list. The first visit from a new browser still has a brief window where an attacker could intercept it.
Visitors connect faster on the first click
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Strict mode for your padlock check
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Your certificate is publicly logged
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Browser-level protections for visitors
Your site isn't sending any of the standard browser-protection headers.
Your padlock isn't about to expire
Your SSL certificate is valid and not close to expiring.
WordPress isn't leaking your usernames
Your WordPress REST API doesn't leak usernames — attackers can't list accounts without already being authenticated.
Private files aren't open to the public
None of the common admin or developer paths are publicly reachable.
Old TLS versions are turned off
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Your padlock isn't using outdated keys
Your certificate uses strong modern math (ECDSA P-256+ or RSA-2048+ with SHA-256+).
Your padlock loads cleanly on every device
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Your padlock renews on a healthy schedule
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your padlock comes from a reputable vendor
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your site finishes its handshake quickly
Your TLS handshake completes quickly — under 300ms on a cold connection.
4 additional standards didn't apply to this site
Can everyone use it?84Excellent
Text on your homepage doesn't meet WCAG AA contrast minimums against its background. Visitors with low vision can't read parts of the page.
Your headings are in a sensible order
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
Your photos have written descriptions
Every image on your homepage has alt text — screen readers can describe them.
Your buttons and forms are labeled for screen readers
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
A skip-to-content link is published — keyboard users land directly on the main content.
2 additional standards didn't apply to this site