Audit captured 2026-06-09

Strong reputation, slow site.
A 15-second mobile load is undercutting the trust your 430 reviews earn.

joskoservices.com runs two offices (Apopka HQ + Oldsmar/Tampa Bay), holds a verified 4.5★ across 430 Google reviews, and is built on WordPress + Yoast. Overall audit health is 65/100 (grade D) — and the drag is not SEO (SEO Basics scores 85): it's a 15-second mobile LCP plus 8 missing security headers. The homepage also has no H1 and no LocalBusiness schema, so easy ranking signal is left on the table.

Lighthouse Performance (mobile): 51 · Needs work
Largest Contentful Paint: 15.5 s · Poor (Good = <2.5s)
Schema status: Partial · No LocalBusiness type
Off-site authority: 4.5★ / 430 · Google Business Profile (DataForSEO, verified)

Domain: joskoservices.com · Business: General contractor · HVAC, Plumbing, Electrical, Roofing · Apopka + Oldsmar, FL · Service area: Central FL — Apopka (407) + Oldsmar / Tampa Bay

Scope: This audit covers your homepage only. Service pages, blog posts, and location pages were not crawled in this pass and may have additional findings. Recommended next step if you engage: a full per-page sweep.

Overall SEO Health: 65 · Needs work — meaningful gaps
SEO Basics: 85
Content Quality: 82
Mobile UX: 90
Page Speed / CWV: 51
Security: 5
Local SEO: 60
Social Presence: 100
Accessibility: 76

01 · TL;DR

Read this if nothing else.

Solid SEO, content, and reputation — held back by a 15-second mobile load and missing security headers. Most fixes are straightforward.

HTTPS enabled

Verified strength — keep it.

User enumeration blocked

Verified strength — keep it.

Add Strict-Transport-Security (HSTS) header

Flagged in the live security/SEO scan.

Add Content-Security-Policy with script-src restrictions

Flagged in the live security/SEO scan.

02 · Top must-do this week

Fix these first.

Priority order. In this sequence.

Ordered by the live scan's severity.

# | Action | Why it matters | Effort
1 | Add Strict-Transport-Security (HSTS) header | Flagged by the live scan as a top fix. | 15 min–2 hr
2 | Add Content-Security-Policy with script-src restrictions | Flagged by the live scan as a top fix. | 15 min–2 hr
3 | Restrict access to wp-login.php (rename / IP-restrict / 2FA) | Flagged by the live scan as a top fix. | 15 min–2 hr
4 | Block XML-RPC (xmlrpc.php returns 200/405) | Flagged by the live scan as a top fix. | 15 min–2 hr
5 | Delete or block readme.html (exposes WP version) | Flagged by the live scan as a top fix. | 15 min–2 hr

03 · Technical SEO

What the live HTML actually says.

Live HTML pulled from joskoservices.com on 2026-06-09. Server: Apache · PHP/8.1.34 · WordPress + Yoast. Below: what we observed in the rendered DOM.

Stack detected

Server: Apache
Backend: PHP/8.1.34
CMS: WordPress
SSL valid: True
Sitemap: yes
robots.txt: 200

01 CRIT

No H1 tag on the homepage

H1 is Google's strongest single on-page topical signal; the homepage emits none.

evidence: grep '<h1' on fetched HTML → 0 matches

Fix: Add one descriptive H1 to the hero.
02 WARN

Meta description is short

~127 chars. Google rewrites weak descriptions ~70% of the time.

evidence: <meta name=description> captured live

Fix: Rewrite to 150-160 chars with a differentiator + phone.
03 WARN

103 script tags on the homepage

Unusually high — page-builder, analytics, chat, and ad scripts compound load time.

evidence: count('<script') on live HTML = 103

Fix: Defer/async non-critical; remove unused widgets.
04 WARN

No LocalBusiness schema

Detected JSON-LD: BreadcrumbList, EntryPoint, GeoCoordinates, ImageObject, ListItem, OpeningHoursSpecification, PostalAddress, ReadAction. No LocalBusiness / industry subtype, so reviews/NAP don't connect to the site.

evidence: JSON-LD @type scan of live HTML

Fix: Add LocalBusiness (+ industry subtype) with sameAs + aggregateRating.
05 CRIT

Missing security headers

Security category scored 5/100. Missing: HSTS, Content-Security-Policy.

evidence: response header scan

Fix: Add a Strict-Transport-Security (HSTS) header and a Content-Security-Policy with script-src restrictions, then restrict access to wp-login.php (rename / IP-restrict / 2FA).

04 · Performance / Core Web Vitals

Performance, measured.

Lighthouse mobile lab data, captured 2026-06-09. Google's Good zone: LCP <2.5s, FCP <1.8s, CLS <0.1, TBT <200ms.

Lighthouse Score: 51
LCP: 15.5 s
CLS: 0

Lighthouse performance 51/100, LCP 15.5 s

Server responds in 5.24s; 81+ external scripts load before the page is interactive. Only 27% of images are responsive.

05 · Structured data (Schema.org)

What Google can read about you.

Detected JSON-LD types on the homepage: BreadcrumbList, EntryPoint, GeoCoordinates, ImageObject, ListItem, OpeningHoursSpecification, PostalAddress, ReadAction, SearchAction, WebPage, WebSite.

Missing LocalBusiness schema — Google can't surface hours/phone/reviews; no link to the Business Profile from the site.

07 · Local SEO

How your business appears in local search.

Google Business Profile: 4.5★ / 430 (DataForSEO, verified).

Missing LocalBusiness schema — Google can't surface hours/phone/reviews; no link to the Business Profile from the site. Verified Google rating of 4.5★ across 430 reviews (DataForSEO). No on-site LocalBusiness schema links these reviews to the site via sameAs/aggregateRating.

08 · Prioritized roadmap

The order to do this work in.

Ranked by impact divided by effort. Estimates assume a competent WordPress developer.

# | Action | Effort | Impact
1 | Add Strict-Transport-Security (HSTS) header | 15 min–2 hr | High
2 | Add Content-Security-Policy with script-src restrictions | 15 min–2 hr | High
3 | Restrict access to wp-login.php (rename / IP-restrict / 2FA) | 15 min–2 hr | High
4 | Block XML-RPC (xmlrpc.php returns 200/405) | 15 min–2 hr | High
5 | Delete or block readme.html (exposes WP version) | 15 min–2 hr | High