Every guide is mapped 1:1 to an active check key so you can move from warning to fix without guesswork.
When a label isn't programmatically associated with its input (via for/id or wrapping), screen readers don't announce what the field is for, and voice control users can't say "click email field." Form label errors are among the most commonly cited issues in accessibility audits, and they're straightforward to fix — just add matching for and id attributes.
Open guide22.1% of all images on website home pages lack alt text (WebAIM, 2024). Screen readers — used by JAWS (41% market share) and NVDA (38%) users — announce images without alt text as just "image," providing zero context. Missing alt text also means Google Image Search can't index your visuals. Over 5,100 web accessibility lawsuits were filed in 2025 alone (EcomBack), and missing alt text is one of the most commonly cited violations.
Open guide88.8% of screen reader users find headings and landmarks very or somewhat useful for navigation (WebAIM Survey #10, 2024). Without landmarks, navigating your site requires listening to every element sequentially — there's no way to jump to the main content, search bar, or footer. Semantic HTML5 elements (nav, main, aside, footer) automatically create landmarks.
Open guideThis check estimates whether interactive controls are large enough for touch users. Undersized targets increase accidental taps, form errors, and mobile frustration.
Open guideOver 60% of global ecommerce traffic comes from mobile devices (Alli AI). If text is too small to read comfortably (below 16px base) or lines are too cramped (below 1.4 line-height), mobile users either zoom — breaking your layout — or leave. Users with low vision, dyslexia, or age-related presbyopia are disproportionately affected.
Open guideKeyboard-only users and screen reader users must tab through every navigation link on every page load without a skip link. On a site with 50+ nav links, this means pressing Tab 50 times before reaching content. A skip link is one line of HTML and a few lines of CSS — it's the simplest accessibility win with the highest impact for keyboard users.
Open guideThe California Privacy Protection Agency fined Tractor Supply $1.35M in September 2025 — the largest CCPA fine to date — because their "Do Not Sell" link routed to a form that didn't actually stop data selling (CPPA Final Order). Disney paid $2.75M for similar non-compliance. CCPA fines are $2,663 per negligent violation and $7,988 per intentional violation (adjusted 2024 rates).
Open guideWhen a deleted or broken URL returns HTTP 200, search engines index it as a real page — polluting your index with dead content and wasting crawl budget. This is called a "soft 404" and Google specifically warns against it. Your 404 page should return a proper 404 status code while still showing a helpful message to users.
Open guideThe EDPB requires that cookie banners include an equally conspicuous "Reject All" button on the first layer — making rejection as easy as acceptance (EDPB Cookie Banner Taskforce Report, 2023). CNIL fined Google €150M specifically because acceptance required one click while rejection required five. Both French and Spanish authorities treat a missing reject button as a violation.
Open guideWithout analytics, every business decision about your website becomes a guess. You can't see which pages convert, where users drop off, which channels drive traffic, or whether changes improve performance. This is the foundation of data-driven optimization — if it's missing, you're flying blind.
Open guideThe FTC fined Avast $16.5M in 2024 specifically because their privacy policy claimed data was "pseudonymised and anonymised" while they actually shared granular, non-aggregated browsing data with subsidiary Jumpshot (FTC, 2024). Regulators now routinely audit whether privacy policy claims match runtime behaviour. Scavo checks this by comparing your declared tracking practices against what actually loads on your pages.
Open guideWhen attackers can see you're running WordPress 6.3 or Apache 2.4.51, they can check public CVE databases for known exploits specific to your exact version. Removing version disclosure is simple server hardening — it doesn't fix vulnerabilities, but it removes the signpost that tells attackers exactly where to look.
Open guide