Tier 1 — FOUNDATION (28 items)

Tier Explanation: Non-negotiable technical bedrock. Every page, server config, and CMS gets these implemented before any other tier is touched. Items are grouped into five sub-clusters so the audit reads as a framework, not a list.

---

Related Frameworks

This tier implements the following framework documents in the /Framework/ library. Consult them for canonical reference, audit rubrics, and detailed implementation patterns.

• framework-technicalseo.md — Crawlability, indexing, canonicalization, redirects, URL structure
• framework-schema.md — JSON-LD, @id graph pattern, Organization/Person/WebSite/BreadcrumbList
• framework-pageexperience.md — Core Web Vitals (LCP, INP, CLS), mobile usability, HTTPS
• framework-internallinking.md — Hub-and-spoke architecture, anchor text, crawl depth
• framework-mobileseo.md — Mobile-first indexing, mobile usability
• framework-security.md — Security headers, HSTS, broader security posture

---

A. Crawlability & Indexing (10)

1. TSO — Technical SEO Optimization

• Set WordPress permalinks to /%postname%/; in Next.js use file-based routing with consistent trailing-slash policy (pick one, stick to it sitewide)
• Add <link rel="canonical" href="https://yourdomain.com/exact-current-url/"> to every page <head>, self-referencing on canonical pages
• Add <meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1"> to indexable pages
• Force lowercase URLs in .htaccess or nginx.conf to prevent case-duplicate indexing
• Resolve www/non-www and http/https with a single 301 redirect (one hop only, no chains)
• 301-redirect or 410 all thin, duplicate, or orphan pages flagged in GSC
• Validation: Screaming Frog crawl shows zero duplicate canonicals, zero redirect chains, zero mixed-case URLs

2. ARC — Site Architecture Optimization

• Limit every page to a maximum of 3 clicks from homepage (use Sitebulb's Crawl Depth report to verify)
• Add breadcrumb navigation to every non-homepage template with BreadcrumbList JSON-LD
• Build a public /sitemap.html listing all top-level sections and key pages
• Implement hub-and-spoke topical clusters: pillar page links to 5–15 sub-pages, each sub-page links back
• Use descriptive anchor text on internal links (no "click here", no "read more" without context)
• Keep URL slugs under 60 characters, no stop words, hyphens only
• Validation: Crawl depth report shows zero pages beyond depth 3, breadcrumbs validate in Rich Results Test

3. MTO — Meta Tag Optimization

• Write unique <title> tag per page, 50–60 characters, primary keyword near the front
• Write unique <meta name="description"> per page, 140–160 characters, with active voice and CTA
• Add full Open Graph set: og:title, og:description, og:image (1200×630), og:type, og:url
• Add Twitter Card tags: twitter:card="summary_large_image", twitter:title, twitter:description, twitter:image
• Add <meta name="theme-color"> matching brand color for mobile browser chrome
• Add <meta http-equiv="Content-Language"> and <html lang="en"> for language signals
• Validation: Run every URL through metatags.io and OpenGraph.xyz, screenshots match expected previews

4. SDO — Structured Data Optimization

• Insert Organization and WebSite JSON-LD in <head> of every page (with SearchAction for sitelinks search)
• Add LocalBusiness schema with full NAP, hours, geo coordinates, and areaServed for any business with a physical address
• On article pages add Article + Author (Person) + datePublished + dateModified JSON-LD
• On service pages add Service schema with provider, areaServed, hasOfferCatalog
• On FAQ sections add FAQPage JSON-LD (only when content genuinely answers questions)
• Use absolute URLs in all @id values to enable cross-schema linking
• Validation: Every page passes Google Rich Results Test and Schema.org validator with zero errors

5. XSO — XML Sitemap Optimization

• Enable dynamic XML sitemap via Yoast, Rank Math, or framework plugin (Next.js: next-sitemap)
• Confirm <lastmod> updates on every content edit, not just on publish
• Split sitemaps when over 50,000 URLs or 50MB into a sitemap index
• Exclude noindex pages, redirects, and parameter URLs from the sitemap
• Add separate image sitemap and video sitemap when applicable
• Submit sitemap URL in Google Search Console and Bing Webmaster Tools
• Validation: Sitemap returns 200, validates as XML, and all listed URLs are indexable

6. RPO — Robots Protocol Optimization

• Create exact /robots.txt at root:

  User-agent: *
  Allow: /
  Disallow: /wp-admin/
  Disallow: /staging/
  Disallow: /*?*sessionid=

  Sitemap: https://yourdomain.com/sitemap.xml

• Add explicit User-agent: GPTBot, User-agent: ClaudeBot, User-agent: PerplexityBot rules (allow or disallow per client preference)
• Block known scraper bots (SemrushBot, AhrefsBot) only if the client requests it — not by default
• Never block CSS, JS, or image directories — Google needs them to render
• Test in Google Search Console robots.txt tester before deploying
• Validation: yourdomain.com/robots.txt returns 200 plain text, GSC tester shows zero blocked critical resources

7. RDO — Redirect Optimization

• Add 301 redirects only via server config (.htaccess, nginx, Cloudflare Rules) — never JS or meta refresh
• Eliminate redirect chains — every redirect points directly to the final URL
• Fix every 404 in GSC Coverage report with a 301 to the most relevant live URL, or return 410 if intentionally gone
• Use 302 only for true temporary redirects (A/B tests, seasonal pages)
• Maintain a redirect map spreadsheet for every site migration or restructure
• Validation: Screaming Frog shows zero chains, zero 302s on permanent moves, zero 4xx in sitemap

8. EEA — E-E-A-T Entity Optimization

• Add Person JSON-LD for the business owner with sameAs linking to Wikidata, LinkedIn, GitHub, social profiles
• Reference your Wikidata Q-ID in author schema across all editorial content
• Add knowsAbout array to Person schema listing topical expertise areas
• Build out an author page per content contributor with bio, credentials, photo, and social links
• Cross-link Organization schema to founder Person schema via founder property
• Claim and complete Google Business Profile with verified ownership
• Validation: Person schema validates, Wikidata entry resolves, knowledge panel candidate eligibility confirmed

9. INO — IndexNow Optimization

• Generate IndexNow API key, place at /{key}.txt at root
• Install IndexNow plugin (WordPress) or add publish-hook API call (Next.js, custom CMS)
• Submit every new and updated URL via POST on save/publish
• Use the urlList batch endpoint for bulk submissions during migrations
• Monitor submission logs to confirm 200 responses from Bing/Yandex
• Validation: Test submission returns HTTP 200, URL appears in Bing index within 24 hours

10. LMO — llms.txt Optimization

• Create /llms.txt at root with site purpose, key URLs, and crawler rules
• Create expanded /llms-full.txt with full markdown context for AI training and retrieval
• Reference both files from robots.txt via Sitemap: style declarations
• Format llms.txt per the emerging spec: H1 title, blockquote summary, sectioned link lists
• Update on major content additions so AI crawlers retrieve fresh context
• Validation: Both files return 200 plain text, llms.txt validates against current spec

---

B. Performance (8)

11. CTO — Core Technical Optimization

• Enable Brotli compression at the edge, Gzip as fallback (brotli on; brotli_types text/css application/javascript)
• Set Cache-Control: public, max-age=31536000, immutable on all hashed static assets
• Set Cache-Control: public, max-age=3600, s-maxage=86400 on HTML pages
• Add security headers: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=()
• Enable OCSP stapling for faster TLS handshake
• Disable server signature/version disclosure (server_tokens off in nginx)
• Validation: securityheaders.com returns A+ grade, GTmetrix shows compression active

12. CDN — Content Delivery Network Configuration

• Route all traffic through Cloudflare, Fastly, or Bunny CDN with origin shielding enabled
• Replace all image, CSS, and JS URLs with CDN-hosted URLs in theme settings
• Enable edge caching for HTML pages with Cache-Tag headers for selective purging
• Set proper Vary headers (Vary: Accept-Encoding, Accept) so personalization doesn't break cache
• Configure cache purge webhook on publish/update events
• Enable Cloudflare Polish (or equivalent) for automatic image optimization at edge
• Validation: cf-cache-status: HIT on second request, edge response time under 50ms

13. HTO — HTTP/3 and QUIC Optimization

• Confirm origin server negotiates HTTP/3 with Alt-Svc: h3=":443" header
• Enable HTTP/3 in Cloudflare dashboard or nginx (listen 443 quic reuseport)
• Fall back gracefully to HTTP/2, never serve HTTP/1.1 over TLS
• Enable 0-RTT resumption only on idempotent requests (GET, HEAD)
• Keep TLS 1.3 enabled, disable TLS 1.0 and 1.1 entirely
• Validation: http3check.net confirms H3, SSL Labs returns A+ with TLS 1.3 only

14. DPO — DNS Preconnect Optimization

• Add <link rel="preconnect" href="https://fonts.googleapis.com" crossorigin> for every third-party origin used above the fold
• Add <link rel="dns-prefetch" href="https://example.com"> as fallback for non-critical origins
• Preload LCP image: <link rel="preload" as="image" href="hero.webp" fetchpriority="high">
• Preload critical fonts: <link rel="preload" href="font.woff2" as="font" type="font/woff2" crossorigin>
• Use fetchpriority="low" on below-the-fold images and non-critical resources
• Limit total preconnects to 4–6 to avoid contention
• Validation: WebPageTest waterfall shows DNS/TLS handshakes complete before resource fetch

15. WPO — Web Performance Optimization

• Convert all images to AVIF with WebP fallback, JPEG/PNG as last resort
• Serve responsive images via <picture> element with srcset and sizes
• Add loading="lazy" to every image below the fold (above-the-fold images use loading="eager")
• Add decoding="async" to all images
• Minify CSS, JS, and HTML in production build (Terser, cssnano, html-minifier)
• Tree-shake unused JS/CSS — audit with Coverage tab in Chrome DevTools
• Remove unused fonts and font weights
• Validation: PageSpeed Insights "Properly size images" and "Efficient image formats" both pass

16. CWV — Core Web Vitals Optimization

• Target LCP under 2.5s — preload LCP element, optimize hero image, eliminate render-blocking
• Target INP under 200ms — break up long tasks, debounce input handlers, defer non-critical JS
• Target CLS under 0.1 — reserve space for ads/embeds, set image dimensions, avoid late-loading content
• Add content-visibility: auto to below-the-fold sections
• Use will-change: transform only on actively animating elements (remove after animation)
• Monitor field data via CrUX dashboard and PageSpeed Insights, not just lab data
• Validation: All three metrics in "Good" bucket for 75th percentile in CrUX over 28-day window

17. CRP — Critical Rendering Path Optimization

• Inline above-the-fold critical CSS in <style> inside <head> (target under 14KB)
• Async-load remaining CSS: <link rel="preload" href="full.css" as="style" onload="this.rel='stylesheet'">
• Add font-display: swap to every @font-face rule to eliminate invisible text
• Subset fonts to Latin characters only when full Unicode isn't needed
• Move all non-critical JS to footer with defer attribute
• Self-host fonts when possible to eliminate third-party origin handshake
• Validation: Lighthouse "Eliminate render-blocking resources" passes, FCP under 1.8s

18. RNO — Render Optimization

• Use defer on scripts that depend on DOM, async on independent scripts (analytics, ads)
• Avoid document.write() entirely — it blocks parsing
• Move all third-party tags (chat widgets, analytics, pixels) to load after window.load event
• Use Partytown or web workers to offload third-party JS off main thread
• Lazy-load embeds (YouTube, maps, social) with click-to-load facade pattern
• Audit main thread time in DevTools Performance panel — target under 2s on Slow 4G
• Validation: Lighthouse "Reduce JavaScript execution time" under 2 seconds, no long tasks over 50ms

---

C. Experience & Access (5)

19. UXO — User Experience Optimization

• Add <meta name="viewport" content="width=device-width, initial-scale=1"> to every page
• Set body font size minimum 16px, line-height 1.5–1.6, max line length 75 characters
• Make all tap targets minimum 48×48px with 8px+ spacing between them
• Maintain minimum 4.5:1 contrast ratio for body text, 3:1 for large text
• Test on real devices: iPhone SE (smallest common viewport), Android mid-range, iPad
• Eliminate horizontal scroll at all viewport widths from 320px to 2560px
• Add prefers-reduced-motion media query to disable non-essential animations
• Validation: Google Mobile-Friendly Test passes, manual touch test on real device confirms usability

20. ACO — Accessibility Optimization

• Add descriptive alt text to every meaningful image; use alt="" for decorative images only
• Add aria-label to icon-only buttons and links
• Use exactly one <h1> per page with logical H2–H6 hierarchy (no skipped levels)
• Place skip-to-content link as first focusable element on every page
• Ensure full keyboard navigability — Tab order matches visual order, focus indicators visible
• Use semantic HTML5: <nav>, <main>, <article>, <aside>, <footer> — not <div> everywhere
• Add aria-live regions for dynamic content (form errors, cart updates, search results)
• Validation: axe DevTools shows zero violations, manual keyboard-only navigation completes all key flows

21. IDO — Image Dimensions Optimization

• Set explicit width and height attributes on every <img> and <video> element
• Use aspect-ratio CSS property on responsive images to reserve space before load
• For background images, set min-height on container so layout doesn't shift on load
• For ads, embeds, and iframes, reserve fixed dimensions or use placeholder containers
• Use <picture> with art-directed sources for different aspect ratios per breakpoint
• Audit CLS contributors in PageSpeed Insights "Avoid large layout shifts" report
• Validation: CLS score under 0.1 in field data, zero images flagged in Lighthouse layout-shift audit

22. FIO — Favicon and Icon Optimization

• Generate full icon set: favicon.ico (32×32), apple-touch-icon.png (180×180), icon-192.png, icon-512.png
• Add complete <link> tag set in <head>:

  <link rel="icon" type="image/x-icon" href="/favicon.ico">
  <link rel="icon" type="image/png" sizes="32x32" href="/icon-32.png">
  <link rel="apple-touch-icon" href="/apple-touch-icon.png">
  <link rel="manifest" href="/site.webmanifest">

• Create site.webmanifest with name, short_name, icons array, theme_color, background_color
• Add <meta name="theme-color"> matching brand for mobile browser chrome
• Use SVG favicon for crisp rendering at all sizes when supported
• Validation: realfavicongenerator.net checker passes all platforms, icons display in browser tabs/bookmarks

23. EPO — Error Page Optimization

• Create custom 404 page with helpful navigation: search bar, top categories, recent posts, contact link
• Return proper HTTP status codes — 404 for not found, 410 for permanently gone, never soft-404
• Create custom 500/503 pages with brand styling and contact info
• Monitor GSC Coverage report weekly for soft-404s and crawl errors
• Set up Cloudflare/server alerts for spikes in 4xx and 5xx responses
• Log all 404s to identify broken inbound links worth redirecting
• Validation: 404 pages return HTTP 404 (not 200), GSC shows zero soft-404 errors

---

D. Security & Compliance (2)

24. SSO — Site Security Optimization

• Enforce HTTPS sitewide with HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
• Submit domain to HSTS preload list at hstspreload.org
• Add Content Security Policy header tailored to actual third-party sources
• Enable automatic CMS, plugin, and theme security updates with rollback capability
• Implement WAF rules via Cloudflare or Sucuri (block SQLi, XSS, known bot signatures)
• Force strong admin passwords + 2FA on all CMS accounts
• Disable XML-RPC in WordPress unless actively used
• Run weekly malware scan (Wordfence, Sucuri, MalCare)
• Validation: SSL Labs A+, securityheaders.com A+, zero vulnerabilities in WPScan or equivalent

25. GCO — GDPR and Compliance Optimization

• Install consent banner that blocks all non-essential scripts until consent (Cookiebot, Termly, Iubenda)
• Categorize cookies: strictly necessary, performance, functional, marketing — load only consented categories
• Add comprehensive privacy policy with footer link covering data collected, purpose, retention, third parties, rights
• Add "Your Privacy Choices" link in footer for U.S. state privacy laws (CA, CO, CT, VA, UT, TX, OR, MT)
• Implement Google Consent Mode v2 for ad and analytics consent signals
• Add accessibility statement page covering WCAG conformance level
• Add terms of service and DMCA contact for U.S. compliance
• Validation: Cookie scanner shows zero scripts firing pre-consent, privacy policy reviewed by qualified counsel

---

E. Modern Web (3)

26. JSO — JavaScript SEO

• Use server-side rendering (Next.js SSR/SSG, Astro, Nuxt) — never rely on pure client-side rendering for content pages
• For SPAs, implement dynamic rendering or pre-rendering for bot user agents as fallback
• Add <noscript> fallback for critical content and navigation
• Verify rendered HTML contains all SEO-critical content (title, headings, body copy, links) via View Source
• Test every template in Google Mobile-Friendly Test and URL Inspection's "Live Test"
• Avoid hash-based routing (/#/page) — use clean paths only
• Validation: Rendered HTML in GSC URL Inspection matches View Source, all content visible to bot

27. PWO — PWA Optimization

• Create /manifest.json (or /site.webmanifest) with name, short_name, start_url, display, theme_color, icons
• Register service worker for offline fallback page and asset caching
• Use Workbox or framework PWA plugin to manage cache strategies (cache-first, network-first, stale-while-revalidate)
• Add install prompt button that appears after beforeinstallprompt event
• Test offline mode in Chrome DevTools Application panel
• Keep service worker scope and cache version controlled to avoid stale-content issues
• Validation: Lighthouse PWA audit passes, app installs from browser on Android and desktop

28. LFO — Log File Optimization

• Enable server access logs in nginx/Apache with full request data (status, user-agent, response time)
• Block low-value bots in robots.txt and at WAF level (SemrushBot, MJ12bot, DotBot per client preference)
• Run monthly log analysis with Screaming Frog Log File Analyzer or Botify
• Identify pages Googlebot crawls but rarely — candidates for internal link reinforcement
• Identify pages Googlebot crawls excessively but rank poorly — candidates for noindex or consolidation
• Monitor crawl budget allocation between Googlebot, Bingbot, and AI crawlers
• Validation: Log analysis report shows Googlebot reaching all priority URLs within 30-day window

---

Summary

• Total items: 28
• Sub-clusters: 5 (Crawlability & Indexing, Performance, Experience & Access, Security & Compliance, Modern Web)
• Format: Each item includes 5–7 implementation steps plus a validation criterion
• Position in stack: Foundation tier — all subsequent tiers (T2 Search Visibility, T3 AI Domination, etc.) depend on this layer being implemented first