The Website Trust Audit is a passive screening tool. It reads publicly observable signals about a domain and grades it 0–100. This guide explains every signal, why it matters, how it's weighted and what to do when you fail one. It also covers what the audit can and can't tell you, so you can use the result with confidence rather than as a magic verdict.
Use the trust audit for due diligence, vendor screening, competitor analysis and fraud investigation. It answers one question well: does this website have the structural markers of a legitimate operation, or does it have the markers of a scam, throwaway site, or undisclosed front? It is not a guarantee. A site can score well and still be malicious; a site can score poorly and be perfectly legitimate (new businesses, privacy-conscious individuals, sites in restrictive jurisdictions). The grade is a screening tool that focuses your attention.
| Category | Max points | What it measures |
|---|---|---|
| Domain | 18 | Age, WHOIS presence, registrar identifiable |
| Reputation | 18 | Safe Browsing, backlink spam score |
| Authority | 15 | Referring domains, total backlinks, domain rank |
| Identity | 12 | Email, phone, Organization schema, social profiles |
| Behaviour | 10 | robots.txt, crawler policy, AI crawler policy |
| On-Page | 10 | About, Contact, Privacy, Terms links |
| Technology | 7 | Detected stack and recognised platform |
| TLD risk | 10 | Top-level-domain abuse risk rating |
New domains are routinely abused. Scam sites typically live for weeks to months before being abandoned. A domain registered over a year ago has invested time, hosting fees and ongoing maintenance — substantial friction that scammers usually avoid.
Established domains rank better and accumulate reputational weight. Domain ownership transfers do not reset the registration date in WHOIS, so acquiring an established domain in your niche is a legitimate shortcut.
A published WHOIS record is a transparency signal. Privacy proxies are common and legal (post-GDPR many registrars hide registrant details by default for EU TLDs), so a hidden WHOIS is not a red flag in itself — but a completely empty WHOIS combined with other weak signals is.
A named registrar (GoDaddy, Namecheap, Cloudflare, Google Domains, OVH, IONOS) adds accountability. Obscure shell registrars used heavily by abusers (think .tk free registrars) are a fraud signal.
If Google's Safe Browsing flags a domain as malware, phishing, social engineering or unwanted software, modern browsers (Chrome, Firefox, Safari) show full-page warnings before users can proceed. This is the single most weight-bearing signal in the entire audit because the consequence to real visitors is direct and immediate.
If no GOOGLE_SAFE_BROWSING_KEY is configured in your site's environment, this check is skipped (no penalty, no credit).
DataForSEO's spam score (0–100) reflects how toxic a site's backlink profile looks. Sites linked predominantly from low-quality directories, comment spam, link farms and PBNs score 60+. Sites with healthy editorial backlinks score under 20.
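The Safe Browsing part of the reputation check, as an added example rather than the audit's own code: it builds a request in the shape of Google's public Safe Browsing Lookup API v4 (threatMatches:find), interprets the response into the four verdict classes named above, and skips the signal when the key is absent. The client identifiers and the constructed response are assumptions; the live call needs a real key.

```python
"""Safe Browsing reputation check (added example, not the audit's own code).
Builds a Lookup API v4 threatMatches:find request for one URL and interprets
the response; when no GOOGLE_SAFE_BROWSING_KEY is set the check is skipped."""
import json
import os
import urllib.request

LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
# The four verdict classes the guide names, as Lookup API threat types.
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE",
                "POTENTIALLY_HARMFUL_APPLICATION"]

def build_lookup_body(url):
    """Request body for a single-URL lookup across all four threat types."""
    return {
        "client": {"clientId": "trust-audit-example", "clientVersion": "0.1"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": url}],
        },
    }

def interpret(response, key_present=True):
    """Map a Lookup API response to the audit's outcome for this signal."""
    if not key_present:
        return {"status": "skipped", "threats": []}   # no penalty, no credit
    threats = sorted({m["threatType"] for m in response.get("matches", [])})
    return {"status": "flagged" if threats else "clean", "threats": threats}

def check_safe_browsing(url, api_key=None):
    """Live check; returns 'skipped' without touching the network if no key."""
    api_key = api_key or os.environ.get("GOOGLE_SAFE_BROWSING_KEY")
    if not api_key:
        return interpret({}, key_present=False)
    req = urllib.request.Request(
        f"{LOOKUP_ENDPOINT}?key={api_key}",
        data=json.dumps(build_lookup_body(url)).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return interpret(json.load(resp))

# Constructed response shaped like a Lookup API hit; no real domain is flagged.
SAMPLE_FLAGGED = {"matches": [{"threatType": "SOCIAL_ENGINEERING", "platformType":
    "ANY_PLATFORM", "threatEntryType": "URL", "threat": {"url": "http://example.test/login"}}]}
```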
Inbound links from any other domain are a foundational authority signal. A site with zero referring domains is either brand new, intentionally private, or a freshly stood-up scam.
Real businesses accumulate references quickly — partner mentions, supplier listings, customer case studies, press coverage, industry directories. Ten referring domains is a low bar that healthy sites cross within months.
DataForSEO's domain_rank correlates with overall search visibility. Above 20 indicates real organic reach. Established brand sites run 50–80; major publishers run 700+ (BBC scores 692, for context).
A publicly displayed contact email is a basic identity signal. Use a domain-matched address (info@yourdomain.com) rather than a Gmail address. Scammers usually avoid leaving contact trails.
A real phone number is harder to fake than an email and adds accountability. For YMYL ("your money or your life") sites — health, finance, legal — this matters most.
JSON-LD Organization schema (or LocalBusiness, NewsMediaOrganization) helps search engines and AI engines identify your business. Required fields: name, url, logo; recommended: contactPoint, sameAs for social profiles. Our AI Schema Generator produces this automatically.
Linking from your footer to real social accounts (Facebook, X/Twitter, LinkedIn, Instagram, YouTube) provides cross-verification. Each profile is itself a discoverable identity record.
A basic robots.txt at /robots.txt is a hygiene signal. Even an allow-all file (User-agent: * Allow: /) demonstrates someone considered crawler policy.
Sites that hide entirely from all search engines (User-agent: * Disallow: /) are unusual. Legitimate reasons exist (staging sites, paywalled content) but they're rare on consumer-facing domains.
Allowing GPTBot, ClaudeBot and PerplexityBot helps your visibility in modern AI search. Blocking them is a deliberate choice — sometimes the right one (e.g. for content licensors) but typically a cost in 2026 visibility terms.
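The three Behaviour checks above (file present, hidden from all crawlers, AI crawlers allowed) as an added example, not the audit's own code: a small robots.txt classifier using simplified RFC 9309 group semantics, where an agent's own User-agent group wins and the `*` group is the fallback. The sample file is constructed.

```python
"""Crawler-policy classifier for a robots.txt body (added example, not the
audit's own code): the agent's own group wins, otherwise '*' applies."""

AI_CRAWLERS = ("GPTBot", "ClaudeBot", "PerplexityBot")
# Constructed sample: open to everyone except GPTBot and ClaudeBot.
SAMPLE_ROBOTS = """User-agent: *
Allow: /

User-agent: GPTBot
User-agent: ClaudeBot
Disallow: /
"""

def parse_robots(text):
    """Return {agent_lower: [(directive, path), ...]} for every UA group."""
    groups, current, rules_seen = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules_seen:                         # a rule line ended the last group
                current, rules_seen = [], False
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and current:
            rules_seen = True
            for agent in current:                  # stacked UA lines share rules
                groups[agent].append((field, value))
    return groups

def policy_for(groups, agent):
    """'blocked' if the effective group disallows the whole site, 'allowed'
    otherwise, 'absent' when neither the agent nor '*' has a group."""
    rules = groups.get(agent.lower(), groups.get("*"))
    if rules is None:
        return "absent"
    deny_all = any(d == "disallow" and p == "/" for d, p in rules)
    allow_all = any(d == "allow" and p == "/" for d, p in rules)
    return "blocked" if deny_all and not allow_all else "allowed"

def crawler_policy(text):
    """The three Behaviour findings: file present, hidden from all, AI bots."""
    groups = parse_robots(text)
    return {"has_robots": bool(groups),
            "hides_from_all": policy_for(groups, "*") == "blocked",
            "ai": {bot: policy_for(groups, bot) for bot in AI_CRAWLERS}}
```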
Four checks — About link, Contact link, Privacy policy link, Terms link — worth 3, 3, 2, 2 points respectively. These are basic operational pages that legitimate businesses provide and most scam sites omit. Their presence on the homepage is what's measured, not the depth of content behind each link.
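The Identity schema check and the four On-Page link checks together, as an added example that is not the audit's own code: it pulls JSON-LD out of a constructed homepage, reports which required (name, url, logo) and recommended (contactPoint, sameAs) Organization fields are missing, and awards the 3/3/2/2 link points. Extraction is by regular expression, which is assumed adequate for a screening pass over typical markup.

```python
"""Homepage identity and on-page checks (added example, not the audit's own
code): validates the JSON-LD Organization block and scores the four links."""
import json
import re

ORG_TYPES = {"Organization", "LocalBusiness", "NewsMediaOrganization"}
REQUIRED, RECOMMENDED = ("name", "url", "logo"), ("contactPoint", "sameAs")
ON_PAGE = (("about", 3), ("contact", 3), ("privacy", 2), ("terms", 2))
# Deliberately simple extraction for a screening pass; a full HTML parser
# would be the robust choice for arbitrary markup.
LD_RE = re.compile(r'<script[^>]*type="application/ld\+json"[^>]*>(.*?)</script>', re.S | re.I)
A_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

# Constructed homepage: Organization schema lacks contactPoint; the footer
# links About, Contact and Privacy but not Terms.
SAMPLE_HTML = """<html><head><script type="application/ld+json">{"@context":
"https://schema.org","@type":"Organization","name":"Example Ltd","url":"https://example.com",
"logo":"https://example.com/logo.png","sameAs":["https://x.com/example"]}</script></head>
<body><footer><a href="/about">About us</a> <a href="/contact">Contact</a>
<a href="/privacy-policy">Privacy</a></footer></body></html>"""

def check_organization(html):
    """Missing required/recommended fields of the first Organization-type node."""
    for raw in LD_RE.findall(html):
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            continue                       # malformed JSON-LD earns no credit
        nodes = data.get("@graph", [data]) if isinstance(data, dict) else (data if isinstance(data, list) else [])
        for node in nodes:
            if not isinstance(node, dict):
                continue
            t = node.get("@type", [])      # @type may be a string or a list
            if ORG_TYPES & set(t if isinstance(t, list) else [t]):
                return {"found": True,
                        "missing_required": [f for f in REQUIRED if f not in node],
                        "missing_recommended": [f for f in RECOMMENDED if f not in node]}
    return {"found": False, "missing_required": list(REQUIRED),
            "missing_recommended": list(RECOMMENDED)}

def on_page_points(html):
    """3/3/2/2 points when an About/Contact/Privacy/Terms link is present."""
    links = [(h.lower(), t.lower()) for h, t in A_RE.findall(html)]
    return sum(w for kw, w in ON_PAGE if any(kw in h or kw in t for h, t in links))

def audit_homepage(html):
    return {"schema": check_organization(html), "on_page_points": on_page_points(html)}
```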
If DataForSEO's crawler can identify any technologies on your site (HSTS, HTTP/3, a CDN, a framework, an analytics tag), it has been crawled and fingerprinted. Empty detection often means freshly stood-up or aggressively cloaked sites.
WordPress, Shopify, Wix, Squarespace, Drupal, Magento, Joomla, Webflow, Ghost, Contentful — mainstream platforms have established trust patterns and known security baselines. Custom-built sites can compensate with stronger identity and authority signals.
The top-level domain itself carries reputational weight. Free or near-free TLDs (.tk, .ml, .ga, .cf, .gq) and high-volume cheap TLDs (.top, .xyz, .click) are heavily overrepresented in scam traffic. Premium-priced TLDs (.com, .org, .net, country-code TLDs) see disproportionately less abuse because the per-domain registration cost filters out throwaway operators.
| Risk level | Example TLDs | Points awarded |
|---|---|---|
| Low | .com .org .net .co.uk .de .fr .ai .io | 10 |
| Medium | .info .biz .site .store .pro | 3 |
| High | .online .work .stream .buzz .icu | 0 |
| Very high | .tk .ml .ga .cf .gq .top .xyz | 0 |
| Score | Grade | Verdict |
|---|---|---|
| 80–100 | A | Trustworthy — strong across the board |
| 60–79 | B | Generally trustworthy — solid foundations with gaps |
| 40–59 | C | Mixed signals — verify before transacting |
| 20–39 | D | Use caution — significant trust deficits |
| 0–19 | F | High risk — multiple red flags |
The trust audit can't read intent. It can't tell you whether a site sells genuine goods, whether reviews are real, whether the team behind it is who they claim to be. It identifies structural markers of legitimacy. For deeper verification — Companies House checks, KYC, identity verification, supplier audits — use specialised tools alongside this one.
Passive screening tool — score 0 to 100 across 22 signals. £1.99 per audit.