Website Due Diligence Checklist: 54 Checks Before You Buy a Business

Buying a business without checking the website is like buying a delivery truck without opening the hood.

The profit and loss statement might look fine. But if the website, domain, analytics, email, Google Business Profile, forms, hosting, or search traffic are a mess, you may inherit a lead-generation problem on day one.

That risk is bigger than many buyers expect. Roland Berger says digital, tech, and IT due diligence now matters even for companies that are not pure digital businesses because many industrial products and services have at least a partially digital customer journey. DataReportal reports that 96.2% of internet users go online by mobile phone at least some of the time, and mobile accounts for 51.6% of global web traffic. If customers use the web to find, verify, compare, and contact the business, the website is part of the deal.

Use this checklist before you close, rebrand, or edit the site. It is for buyers, brokers, operators, consultants, and marketing teams that need to spot digital risk fast.

What Website Due Diligence Means

Website due diligence verifies the business’s digital assets before a sale or transition: domain ownership, hosting access, site software, analytics, search traffic, backlinks, forms, conversion paths, content rights, email routing, local listings, security, and post-close handoff.

The goal is not to make the website perfect before closing. The goal is to answer four questions:

  1. Does the business own and control the digital assets that drive leads?
  2. Is the website producing real traffic, calls, forms, bookings, sales, or trust?
  3. Are hidden risks likely to reduce revenue after the sale?
  4. What must be preserved, fixed, transferred, or rebuilt after closing?

Westlaw’s Practical Law domain due diligence checklist describes domain-name checks as a key issue for prospective buyers of web businesses. That is the starting point. For a real operating business, you also need to know whether the site is a lead source, a credibility layer, a local SEO asset, an ecommerce system, a booking engine, or all of the above.

The Quick Triage: 12 Checks Before You Spend Hours

Start here if you have limited time. These checks will not tell you everything, but they show whether the website deserves a deeper review.

| Check | What to Ask | Why It Matters |
| --- | --- | --- |
| Domain ownership | Who owns the registrar account? | No control of the domain means no control of the main web address. |
| Hosting access | Who can access hosting, DNS, CMS, and backups? | Missing access can turn a simple handoff into a rebuild. |
| Analytics access | Can the seller show GA4, Search Console, call tracking, CRM, or booking data? | Screenshots are weak proof. Live account access is better. |
| Lead paths | Do forms, phone numbers, booking buttons, and quote requests work? | A site can look fine while silently losing inquiries. |
| Organic traffic | Which pages bring search traffic? | High-value URLs need protection during a rebrand or redesign. |
| Local visibility | Is Google Business Profile tied to the right owner and website? | Local service companies often depend on maps, reviews, and calls. |
| Email routing | Does the domain handle email, SPF, DKIM, DMARC, and aliases? | Domain changes can break sales inquiries and billing mail. |
| CMS condition | What platform runs the site? | Platform choice affects cost, security, edits, and exit options. |
| Security | Are there updates, malware alerts, admin accounts, and backups? | A compromised site can damage trust and rankings. |
| Content rights | Who owns copy, images, videos, logos, and downloads? | Stock licensing and agency contracts can create headaches. |
| Redirects | Are old URLs, domains, and campaign links redirected correctly? | Broken redirects can waste years of search equity. |
| Maintenance | Who updates the site, and what breaks if they stop? | Hidden dependencies often show up after the seller exits. |

If three or more answers are vague, slow down. The site may still be fixable, but you need a transition plan.

1. Domain, DNS, and Brand Control

The domain is the digital deed to the front door. Confirm ownership before you value the website as a business asset.

Ask for the registrar account name, renewal date, domain lock status, admin email, two-factor authentication owner, and a list of all related domains. Check whether the domain is owned by the business, the seller personally, a former employee, a marketing agency, a developer, or a holding company. If the domain is not owned by the selling entity, get the transfer terms in writing.

Use a public WHOIS lookup or registrar export to confirm the registration details. Name Experts explains that WHOIS is a public database containing information about domain owners and can help trace ownership before buying a domain. Privacy-protected WHOIS records are normal, but privacy protection is not registrar-level proof.

Check DNS too. DNS controls where the website, email, verification records, subdomains, and third-party tools point. Export A records, CNAMEs, MX records, TXT records, SPF, DKIM, DMARC, CDN settings, and redirects. Red flags include agency-owned domains, old employee admin emails, unknown DNS control, missing legacy domains, and no list of subdomains or campaign URLs.
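Once the seller hands over a DNS export, the email-authentication records can be reviewed offline. The following is an added example, not part of the original article: it parses a zone export and reports SPF, DKIM, DMARC, and MX gaps. The zone data, `example.com`, the vendor names, and the function names are constructed for illustration.

```python
import re

# Constructed sample zone export; example.com and the vendor names are placeholders.
ZONE_EXPORT = """\
example.com.               3600 IN A     203.0.113.10
www.example.com.           3600 IN CNAME example.com.
example.com.               3600 IN MX    10 mail.example.com.
example.com.               3600 IN TXT   "v=spf1 include:_spf.mailvendor.example ?all"
example.com.               3600 IN TXT   "site-verification=CONSTRUCTED"
_dmarc.example.com.        3600 IN TXT   "v=DMARC1; p=none; rua=mailto:reports@old-agency.example"
s1._domainkey.example.com. 3600 IN TXT   "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"
"""

def parse_zone(text):
    """Parse 'name ttl IN type value' lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2].upper() == "IN":
            name, _ttl, _cls, rtype, value = parts
            records.append((name.rstrip(".").lower(), rtype.upper(), value.strip().strip('"')))
    return records

def spf_lookups(terms):
    """Count top-level terms that cost a DNS lookup (RFC 7208 allows 10 in total)."""
    names = {"include", "a", "mx", "ptr", "exists", "redirect"}
    return sum(re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in names for t in terms)

def audit_email_dns(records, domain):
    """Return findings for MX, SPF, DKIM and DMARC on `domain`."""
    findings = []
    def txt(name, version):
        return [v for n, t, v in records
                if t == "TXT" and n == name and re.split(r"[ ;]", v.lower(), maxsplit=1)[0] == version]
    if not any(t == "MX" and n == domain for n, t, _ in records):
        findings.append("MX: none at the apex")
    spf = txt(domain, "v=spf1")
    if len(spf) != 1:  # zero or several SPF records both fail evaluation
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    else:
        terms = spf[0].split()[1:]
        final = [t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"]
        if not final and not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("SPF: no 'all' mechanism or redirect")
        elif final and final[0][0] in "+?a":  # '+all', '?all' or bare 'all'
            findings.append(f"SPF: '{final[0]}' does not restrict senders")
        if spf_lookups(terms) > 10:
            findings.append("SPF: more than 10 DNS-lookup terms at top level")
    if not any(n.endswith("._domainkey." + domain) for n, t, _ in records if t in ("TXT", "CNAME")):
        findings.append("DKIM: no selector records in the export")
    dmarc = txt("_dmarc." + domain, "v=dmarc1")
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} does not enforce")
        for uri in tags.get("rua", "").split(","):
            host = uri.strip().split("!")[0].rpartition("@")[2].lower()
            if host and host != domain and not host.endswith("." + domain):
                findings.append(f"DMARC: aggregate reports go to external domain {host}")
    return findings

FINDINGS = audit_email_dns(parse_zone(ZONE_EXPORT), "example.com")
```

The lookup count covers only the top-level SPF record; nested `include:` targets have to be resolved live to get the true total.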

2. Hosting, CMS, and Technical Stack

A website is not just a page on the internet. It has hosting, a content management system, plugins, themes, forms, tracking scripts, image storage, databases, backups, and deployment workflows.

Document the platform first. Is it WordPress, Shopify, Webflow, Wix, Squarespace, HubSpot CMS, custom code, Astro, React, Laravel, or something else? HTTP Archive’s 2025 Web Almanac CMS chapter notes that CMS choices and tooling affect performance, discoverability, and accessibility for end users. That means the platform is not just a developer preference. It affects business outcomes.

For WordPress, collect the theme name, plugin list, user list, update status, PHP version, database access, hosting plan, backups, license keys, page builder, custom code locations, and admin roles. For Shopify, Webflow, Wix, Squarespace, or HubSpot, collect the plan level, owner account, billing account, app list, collaborator permissions, redirects, and export limits.

For custom sites, ask for repository access, deployment instructions, environment variables, build commands, hosting provider, database details, API keys, and documentation. Do not skip backups. Confirm where backups live, how often they run, how long they are retained, and whether anyone has restored one successfully.

3. Traffic Quality and Analytics Proof

Traffic only matters if it is real, relevant, and connected to business outcomes. A buyer should not accept a screenshot of monthly visitors as proof of website value.

Ask for live access or a screen share of GA4, Google Search Console, call tracking, CRM, booking software, ecommerce analytics, ad accounts, and email marketing tools. Compare sessions, users, conversions, calls, form fills, quote requests, booked appointments, ecommerce revenue, and assisted conversions.

Segment traffic by channel. Organic search, direct, referral, paid search, email, social, maps, and AI referral traffic can all behave differently. A local contractor with 1,000 monthly visitors and 80 qualified calls may be healthier than a content-heavy site with 20,000 low-intent visits and few leads.

Check the top landing pages for the last 12 to 24 months. Also look for sudden bot-like spikes, post-redesign organic drops, paid traffic masking weak organic demand, branded-only traffic, outdated blog traffic, and conversion tracking that changed during the sale period.

BrightEdge’s migration guidance recommends documenting baseline metrics such as indexed pages, traffic by URL, CTR, page speed, and structured data before a site move. That same baseline helps in an acquisition because it tells you what should not be broken after closing.

4. SEO, Rankings, and Search Equity

Search equity is easy to damage and slow to rebuild. Before the site changes hands, map the pages, rankings, backlinks, local listings, and redirects that bring customers to the business.

Start with Google Search Console. Pull top queries, top pages, countries, devices, indexing issues, manual actions, crawl errors, page experience signals, sitemap status, and security issues. Search Console is not perfect, but it is first-party data from Google.

Then crawl the website. Export every indexable URL, title tag, meta description, heading, canonical tag, status code, internal link count, image size, structured data, and redirect. If that sounds technical, it is. That is why it belongs in due diligence. A site with 40 important service pages is a different asset from a five-page brochure site with no search footprint.

Look at backlinks carefully. A business may have years of links from suppliers, associations, chambers of commerce, news articles, partners, and community sponsorships. Those links can help the site rank and reinforce trust. A business may also have spam links, paid link schemes, expired-domain redirects, or agency-built links that create risk.

If a rebrand or domain move is planned, be careful. Google’s site move documentation recommends keeping redirects in place for as long as possible, generally at least one year. Google’s redirect documentation says permanent server-side redirects are recommended when a page URL changes. That means a buyer should not casually delete old URLs, move domains, or rebuild page structures without a redirect map.

Create a preservation list before close:

  • Top organic landing pages.
  • Top converting pages.
  • Pages with high-quality backlinks.
  • Local service pages.
  • Product, booking, quote, or location URLs.
  • Old domains and URLs that redirect into the current site.
  • Blog posts that bring qualified search visits.
  • Pages used in ads, email campaigns, QR codes, print materials, or sales collateral.
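The preservation list becomes testable once it is written down as a redirect map. The following is an added example, not part of the original article: it checks each preserved URL against recorded crawl responses and reports dead ends, wrong destinations, temporary redirects, and redirect chains. The domains, URLs, and function names are constructed for illustration.

```python
# Constructed crawl results: URL -> (status, Location header). Domains are placeholders.
RESPONSES = {
    "https://old.example/services/roofing": (301, "https://new.example/roofing"),
    "https://new.example/roofing": (200, None),
    "https://old.example/quote": (302, "https://new.example/get-a-quote"),
    "https://new.example/get-a-quote": (200, None),
    "https://old.example/blog/winter-tips": (301, "https://old.example/blog/winter-tips/"),
    "https://old.example/blog/winter-tips/": (301, "https://new.example/blog/winter-tips"),
    "https://new.example/blog/winter-tips": (200, None),
    "https://old.example/locations/denver": (301, "https://new.example/"),
    "https://new.example/": (200, None),
    "https://old.example/financing": (404, None),
}

# Preserved URL -> destination the redirect map promises (constructed).
REDIRECT_MAP = {
    "https://old.example/services/roofing": "https://new.example/roofing",
    "https://old.example/quote": "https://new.example/get-a-quote",
    "https://old.example/blog/winter-tips": "https://new.example/blog/winter-tips",
    "https://old.example/locations/denver": "https://new.example/locations/denver",
    "https://old.example/financing": "https://new.example/financing",
}

def trace(url, responses, max_hops=5):
    """Follow redirects through `responses`; return [(url, status), ...] in order."""
    hops, seen = [], set()
    while url not in seen and len(hops) <= max_hops:
        seen.add(url)
        status, location = responses.get(url, (None, None))
        hops.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = location
    return hops

def check_redirect_map(redirect_map, responses):
    """Return {old_url: [problems]}; an empty list means the redirect is sound."""
    report = {}
    for old, expected in redirect_map.items():
        hops = trace(old, responses)
        redirects = [status for _, status in hops[:-1]]
        final_url, final_status = hops[-1]
        problems = []
        if final_status != 200:  # 404, unknown URL, or a loop that never resolves
            problems.append(f"ends in {final_status}")
        elif final_url != expected:  # e.g. everything dumped on the homepage
            problems.append(f"lands on {final_url}, expected {expected}")
        temporary = [s for s in redirects if s in (302, 303, 307)]
        if temporary:
            problems.append(f"temporary redirect ({temporary[0]})")
        if len(redirects) > 1:
            problems.append(f"chain of {len(redirects)} hops")
        report[old] = problems
    return report

REPORT = check_redirect_map(REDIRECT_MAP, RESPONSES)
```

`RESPONSES` can be filled from any crawler export that records the status code and `Location` header for each URL.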

5. Leads, Forms, Calls, and Sales Handoff

A website that cannot pass leads to the right person is not a lead-generation asset. It is a brochure with a hole in it.

Submit every form before close. Test contact forms, quote forms, booking forms, newsletter forms, gated downloads, ecommerce checkout, chat widgets, financing forms, warranty forms, dealer forms, and customer portals. Confirm where each submission goes, who receives it, what subject line appears, what fields are captured, whether the lead enters a CRM, and whether autoresponders work.

Call every website phone number from a mobile device. Check click-to-call links, header numbers, footer numbers, location pages, tracking numbers, Google Business Profile numbers, and old landing pages. If call tracking is used, verify ownership of the numbers. A tracking number owned by a vendor can become a real problem if the vendor relationship changes after closing.

For ecommerce or appointment-based businesses, place a test order or booking. Verify confirmation emails, taxes, shipping, calendar sync, payment gateway ownership, refund permissions, inventory sync, abandoned cart flows, and customer support notifications.

Verizon’s 2025 credential-stuffing research found that credential stuffing accounted for a median 19% of all authentication attempts in analyzed SSO provider logs, with small businesses at 12%. That matters for forms, portals, customer accounts, and admin systems because login security is part of revenue continuity.

6. Content Rights

Do not assume the business owns everything on its website. Copy, photos, videos, icons, fonts, PDFs, testimonials, case studies, maps, and downloads can have separate rights.

Ask who wrote the copy, who shot the photos, who owns the logo files, who licensed the stock images, who created videos, and who approved testimonials. If an agency built the site, review the contract for intellectual property terms. Some agencies transfer ownership after final payment. Others license certain assets or use commercial plugins tied to the agency account.

Check whether employee photos, customer names, project photos, before-and-after images, client logos, case studies, medical claims, financial claims, product claims, warranty language, and compliance statements are still accurate. A buyer can inherit reputation risk from old content that nobody has reviewed in years.

Look at downloadable files too. PDFs often contain old phone numbers, former addresses, discontinued services, expired pricing, outdated certifications, old legal names, and dead links. They can still rank in Google and circulate through sales conversations.

7. Security, Privacy, and Access Risk

Security due diligence does not need to turn into a full penetration test for every small business purchase, but basic checks are non-negotiable.

Review admin users, CMS users, hosting users, registrar users, analytics users, ad account users, CRM users, email users, and agency collaborators. Remove or transfer former employees, old vendors, unused admin accounts, and shared logins. Confirm two-factor authentication on high-risk accounts.

Check updates, malware warnings, SSL certificates, firewall settings, backup history, spam form submissions, unauthorized pages, and Search Console security alerts. IBM’s 2025 Cost of a Data Breach Report found the global average breach cost fell 9% year over year, but breach cost remains a major business risk. Small businesses may not face enterprise-scale breach costs, but they can still lose leads, email trust, payment access, customer confidence, and uptime.

Privacy matters too. Review cookie banners, analytics scripts, ad pixels, chat tools, newsletter opt-ins, privacy policy, terms, SMS consent, and contact-form disclosures.

8. Performance, Accessibility, and Mobile Experience

The website should work where customers actually use it. That means mobile, slow connections, older devices, and assistive technology.

Run the homepage, top service pages, top product pages, booking pages, and lead forms through PageSpeed Insights, Lighthouse, WebPageTest, or another performance tool. Check Largest Contentful Paint, Interaction to Next Paint, Cumulative Layout Shift, image sizes, unused JavaScript, third-party scripts, font loading, server response time, and mobile usability.

HTTP Archive’s 2025 performance chapter reported that 48% of mobile websites and 56% of desktop websites had good Core Web Vitals. That means many sites still have performance room to improve. For a buyer, performance issues are both risk and opportunity.

Accessibility is similar. Run automated checks, but do not stop there. Test keyboard navigation, form labels, color contrast, headings, alt text, focus states, modal behavior, error messages, and menu usability. HTTP Archive’s 2025 accessibility chapter reported CMS accessibility scores and showed that accessibility performance varies across platforms. A perfect automated score is not required to close a deal, but obvious access barriers should be documented and priced into post-close work.

9. Local SEO, Reviews, and Listings

For local service businesses, the website and Google Business Profile work together. Check both.

Verify Google Business Profile ownership, primary category, service categories, service areas, hours, website URL, appointment URL, phone number, messaging settings, products, services, photos, reviews, Q&A, and manager access. Confirm that the profile is transferring with the business and that the seller will not retain owner access after closing.

Audit the name, address, phone number, and website across major directories, industry listings, social profiles, map apps, chamber pages, supplier directories, franchise pages, and review sites. Inconsistent data can confuse customers and weaken local trust.

Reviews are an asset, but only if they belong to the real business and location. Look for sudden review spikes, repeated wording, owner responses, unresolved complaints, review gating, fake location issues, and old brand names. Also check whether review-request links, QR codes, email automations, and SMS automations still point to the right profile.

10. Post-Close Transition Plan

The handoff should be planned before the closing date. Waiting until after the wire clears creates unnecessary risk.

Build a digital transition checklist with owners, dates, and fallback contacts. Include domain transfer, DNS freeze window, hosting access, CMS admin change, two-factor reset, billing updates, analytics access, Search Console verification, Google Business Profile owner transfer, ad account access, CRM access, email admin access, call tracking ownership, license keys, backup export, repository access, and vendor introductions.

Do not redesign the site immediately just because new ownership wants a fresh look. First preserve what works. Google’s migration guidance treats URL changes as a site move that needs careful planning, redirects, verification, and monitoring. A safer 90-day plan is simple: freeze risky changes, secure access, measure baselines, fix broken forms and security issues, protect high-value URLs, improve conversion paths, then plan any redesign with a redirect map and launch QA checklist.

Website Due Diligence Questions to Send the Seller

Copy this section into your request list.

  1. Which domains are included in the sale, and who owns each registrar account?
  2. Where is DNS managed?
  3. What hosting provider, CMS, theme, plugins, apps, and integrations are used?
  4. Who currently maintains the website?
  5. Are there active support contracts, hosting contracts, agency contracts, or license renewals?
  6. Can you provide live access to GA4, Search Console, call tracking, CRM, ad accounts, and booking tools?
  7. Which pages generate the most leads, calls, bookings, sales, or quote requests?
  8. Which old domains, landing pages, redirects, or microsites are part of the business?
  9. Who owns the website copy, photos, videos, logos, PDFs, testimonials, and design files?
  10. Which legal, privacy, accessibility, security, malware, or platform issues should we know about?
  11. Which admin users, vendors, agencies, and former employees currently have access?
  12. What changes would you avoid making during the first 90 days after close?

Sellers often know which pages, forms, or local profiles are important.

What to Do With the Findings

Website due diligence should turn into decisions, not a dusty PDF.

Classify every finding into one of four buckets: deal risk, closing condition, post-close fix, or future opportunity. A domain owned by a former vendor may be a closing condition. A broken contact form may need fixing before ownership transfer. Slow page speed may be a post-close project. A strong blog with no lead capture may be a future growth opportunity.

If the site drives revenue, bring in a developer and SEO specialist. A focused audit can identify key risks: ownership, access, analytics, top URLs, lead paths, local listings, security, and migration exposure.

Your goal is simple. Know what you’re buying, protect what works, and avoid breaking assets during the handoff.

If you’re buying, selling, or taking over a business website and want a second set of eyes on digital risk, start here. We’ll help you find the issues that matter.

Richard Kastl

Founder & Lead Engineer

Richard Kastl has spent 14 years engineering websites that generate revenue. He combines expertise in web development, SEO, digital marketing, and conversion optimization to build sites that make the phone ring. His work has helped generate over $30M in pipeline for clients ranging from industrial manufacturers to SaaS companies.
