rorypecktrust.org
25-year-old corporate / B2B site based in United Kingdom, served through cloudflare, with email running through google.
Brand presence51Needs work
Google Business Profile presence + rating
We couldn't find a Google Business Profile linked to this domain.
Yelp presence + rating + review count
We couldn't find a Yelp listing for this business. Local-business searches and recommendation engines lean on Yelp as a signal.
We couldn't find a Trustpilot listing. Many consumers check Trustpilot before buying — a missing listing reads as a missing reputation.
LinkedIn Company Page (presence + employee count + follower count)
We couldn't find a LinkedIn Company Page for this business. B2B prospects look for it before reaching out.
Apple Maps presence (Apple Business Connect)
We couldn't find an Apple Business Connect listing. Apple Maps visitors and Siri queries can't find you cleanly.
We couldn't find a Facebook Page linked from your site. Many consumers still check Facebook before booking or buying.
Instagram presence (link from site → IG profile)
We couldn't find an Instagram profile linked from your site. For local / consumer-facing brands, Instagram is the lead channel.
Wayback Machine site age & last snapshot
Your site has been online for years — public archives have a long history of it.
Your domain has been registered for years — long enough to clear fraud-detection signals.
6 additional standards didn't apply to this category
SEO60Solid
Schema.org structured data presence
Your homepage doesn't publish any Schema.org structured data. Search engines and AI tools fall back to guessing what your site is — and they guess wrong more often than not.
Your homepage doesn't have a visible H1 heading. Without it, search engines and screen readers have no anchor for what the page is about.
Schema.org type validity (parsed JSON-LD)
We didn't find any structured-data tags on your homepage.
No breadcrumb schema is published. Search engines can't show breadcrumb trails under your listings, and visitors lose the trail to important pages.
Title, meta description, OG, Twitter cards, canonical
Your homepage has the title, description, OG, Twitter, and canonical tags.
Internal link depth (clicks from homepage to deepest content)
Important pages are reachable in just a click or two from your homepage.
4 additional standards didn't apply to this category
Security62Solid
WordPress REST API user enumeration exposure
Your WordPress site exposes its user list through the REST API. Attackers can enumerate every account by username — the first half of any credential-stuffing attack is already done for them.
Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)
Some common admin or developer paths are reachable from the public internet.
Your site isn't sending any of the standard browser-protection headers.
There's no CAA record at your registrar saying which companies are allowed to issue certificates for you.
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Certificate key strength and signature algorithm
Your certificate uses outdated key strength or a SHA-1 signature. Reissue with a modern ACME-class cert.
Embedded SCT count (Certificate Transparency)
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
SSL certificate validity & expiration window
Your SSL certificate is valid and not close to expiring.
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Certificate chain completeness
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Certificate validity-period brevity
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your TLS handshake completes quickly — under 300ms on a cold connection.
5 additional standards didn't apply to this category
AI-readiness62Solid
JSON-LD richness score for LLMs
We couldn't find any organization details in your page's structured data.
1 additional standard didn't apply to this category
Accessibility65Excellent
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
Every image on your homepage has alt text — screen readers can describe them.
ARIA labels presence and validity
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
3 additional standards didn't apply to this category
Performance66Excellent
Your server still serves over the older HTTP/2 protocol — not the newer, faster HTTP/3.
Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)
Your homepage is mid-pack on mobile. Reasonable but Google's ranking signal rewards faster sites.
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
9 additional standards didn't apply to this category
Privacy68Excellent
Cookie banner presence + CMP detection
No cookie banner detected, but trackers are present. If you serve EU or California traffic, this is a compliance gap.
Terms of service page presence
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
Cookie scan — actual cookies set on first load
Your homepage sets only essential cookies before consent. Non-essential cookies fire after opt-in.
Your homepage loads a reasonable number of third-party services — clean privacy footprint.
1 additional standard didn't apply to this category
Email health75Excellent
No MTA-STS or TLS-RPT policy is published — incoming mail could be downgraded to plaintext.
Mailto: direct contact link present
We couldn't find a tap-to-email link anywhere on your site.
Lead magnet / signup incentive detected (free download, ebook, etc.)
We didn't find a lead magnet on your homepage — no free download, sample, or signup incentive. Visitors who aren't ready to buy have nothing to take with them.
DMARC is enforcing — spoofed mail from your domain gets quarantined or rejected.
SPF is set and lists your sending services as approved senders.
Branded domain email address (vs free Gmail/Yahoo)
You send email from your own domain, not a free Gmail/Yahoo address.
DMARC aggregate reporting enabled (rua=)
You're set up to receive daily DMARC reports of spoofing attempts.
Free-email exposure on contact page (gmail/yahoo/outlook visible)
Your published contact address is on your own domain, not a free inbox.
SPF lookup count (10-limit deliverability check)
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
Email forwarding service detected (improvmx, forwardemail, etc.)
Mail to this domain is being forwarded — you have working email reachability.
4 additional standards didn't apply to this category
View formal standards verdicts → Composite-spec rollups for press, regulators, and compliance auditors.
10 additional standards planned, scorer not yet implemented.
Does this look like a real business?51Needs work
Your listing on Google Maps and search
We couldn't find a Google Business Profile linked to this domain.
We couldn't find a Yelp listing for this business. Local-business searches and recommendation engines lean on Yelp as a signal.
We couldn't find a Trustpilot listing. Many consumers check Trustpilot before buying — a missing listing reads as a missing reputation.
We couldn't find a LinkedIn Company Page for this business. B2B prospects look for it before reaching out.
We couldn't find an Apple Business Connect listing. Apple Maps visitors and Siri queries can't find you cleanly.
A contact form people can actually find
We couldn't find a visible contact form on your homepage.
Whether anyone's written about you lately
No news mentions of this domain in the last 30 days.
How long your site has been online
Your site has been online for years — public archives have a long history of it.
How long your domain has existed
Your domain has been registered for years — long enough to clear fraud-detection signals.
2 additional standards didn't apply to this site
Can people find this site?61Solid
Hidden labels that explain your business to Google
Your homepage doesn't publish any Schema.org structured data. Search engines and AI tools fall back to guessing what your site is — and they guess wrong more often than not.
A clear headline on every page
Your homepage doesn't have a visible H1 heading. Without it, search engines and screen readers have no anchor for what the page is about.
Whether your behind-the-scenes labels are valid
We didn't find any structured-data tags on your homepage.
A trail showing where visitors are on your site
No breadcrumb schema is published. Search engines can't show breadcrumb trails under your listings, and visitors lose the trail to important pages.
How well your site feeds AI the right facts
We couldn't find any organization details in your page's structured data.
Whether you're letting AI assistants read your site
You aren't blocking any AI crawlers in your robots.txt.
How your site appears when shared or in search results
Your homepage has the title, description, OG, Twitter, and canonical tags.
How easy it is to reach your deepest pages
Important pages are reachable in just a click or two from your homepage.
5 additional standards didn't apply to this site
Is it safe to visit?62Solid
WordPress isn't leaking your usernames
Your WordPress site exposes its user list through the REST API. Attackers can enumerate every account by username — the first half of any credential-stuffing attack is already done for them.
Private files aren't open to the public
Some common admin or developer paths are reachable from the public internet.
Browser-level protections for visitors
Your site isn't sending any of the standard browser-protection headers.
Only your approved vendors can issue your padlock
There's no CAA record at your registrar saying which companies are allowed to issue certificates for you.
Visitors connect faster on the first click
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Strict mode for your padlock check
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Your padlock isn't using outdated keys
Your certificate uses outdated key strength or a SHA-1 signature. Reissue with a modern ACME-class cert.
Your certificate is publicly logged
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Your padlock isn't about to expire
Your SSL certificate is valid and not close to expiring.
Old TLS versions are turned off
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Your padlock loads cleanly on every device
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Your padlock renews on a healthy schedule
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your padlock comes from a reputable vendor
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your site finishes its handshake quickly
Your TLS handshake completes quickly — under 300ms on a cold connection.
5 additional standards didn't apply to this site
Can everyone use it?65Excellent
Your headings are in a sensible order
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
Your photos have written descriptions
Every image on your homepage has alt text — screen readers can describe them.
Your buttons and forms are labeled for screen readers
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
3 additional standards didn't apply to this site
Is it fast?66Excellent
Your site uses the newest connection style
Your server still serves over the older HTTP/2 protocol — not the newer, faster HTTP/3.
How fast your site loads on a phone
Your homepage is mid-pack on mobile. Reasonable but Google's ranking signal rewards faster sites.
Pages get squeezed before they're sent
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
9 additional standards didn't apply to this site
Does it respect visitor privacy?68Excellent
Cookie consent banner for European visitors
No cookie banner detected, but trackers are present. If you serve EU or California traffic, this is a compliance gap.
You have a terms of service page
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
What your site actually drops on visitors' phones
Your homepage sets only essential cookies before consent. Non-essential cookies fire after opt-in.
How many outside companies you let watch your visitors
Your homepage loads a reasonable number of third-party services — clean privacy footprint.
1 additional standard didn't apply to this site
Is email from this domain trustworthy?77Excellent
Keeps your email private in transit
No MTA-STS or TLS-RPT policy is published — incoming mail could be downgraded to plaintext.
A clickable email link on your site
We couldn't find a tap-to-email link anywhere on your site.
Stops scammers from emailing customers as you
DMARC is enforcing — spoofed mail from your domain gets quarantined or rejected.
Lists who's allowed to email as your business
SPF is set and lists your sending services as approved senders.
You email from your own domain, not Gmail
You send email from your own domain, not a free Gmail/Yahoo address.
You get reports when someone fakes your email
You're set up to receive daily DMARC reports of spoofing attempts.
Your email setup is under a hidden limit
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
Your email is being forwarded, not hosted
Mail to this domain is being forwarded — you have working email reachability.
3 additional standards didn't apply to this site