The WordPress + WooCommerce Audit covers the headline WordPress problems: outdated core, plugin pileup, legacy jQuery, render-blocking scripts, cart-fragments. That list catches roughly 70 percent of what's wrong with a typical WordPress install. The other 30 percent lives one layer deeper. This post is about eight checks the audit now runs underneath the obvious ones, why each matters, and what to do when the audit flags one.
1. XML-RPC endpoint exposure
The audit probes /xmlrpc.php and flags a warning when it returns 2xx. XML-RPC is the legacy remote-calling interface WordPress shipped with in 2005. It's still enabled by default. Almost nobody uses it in 2026 except Jetpack, a handful of mobile apps, and attackers, who use it as a brute-force vector because login attempts through it never reach the standard login throttle.
Fix: if you don't use Jetpack or a remote WordPress client, block xmlrpc.php entirely via an .htaccess deny rule or a plugin like Disable XML-RPC. If you do use Jetpack, at minimum install a brute-force protection plugin that covers XML-RPC. Wordfence does this by default.
2. REST API user enumeration
The audit probes /wp-json/wp/v2/users and flags a warning when it returns a user list with IDs. This is how attackers discover valid login names to target. WordPress ships with this endpoint public by default, which is a decision that made sense in 2016 and has aged badly.
Fix: install Stop User Enumeration, iThemes Security, or Wordfence to lock the users endpoint down to authenticated requests. Or write a rest_authentication_errors filter that denies unauthenticated requests for that specific route and leaves every other route alone.
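Both fixes above (the "block entirely" branch of check 1 and the route-specific filter of check 2) as one mu-plugin. This is an added example, not code from the audit tool or from any plugin named here; the file name and the error code string are my own, the hooks and the XMLRPC_REQUEST constant are WordPress core's.

```php
<?php
/**
 * Plugin Name: Surface hardening (added example)
 * Place in wp-content/mu-plugins/ so it loads before themes and other plugins.
 */

// Check 1: refuse XML-RPC outright. xmlrpc.php defines XMLRPC_REQUEST before it
// loads WordPress, so the constant is already set when this file runs, and the
// audit's probe then sees a 403 instead of 2xx. Delete this block if Jetpack or
// a remote client needs the endpoint and rely on brute-force protection instead.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'XML-RPC is disabled on this site.' );
}

// Stop advertising the endpoint as well: the X-Pingback response header and the
// RSD discovery <link> in <head> both point straight at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Check 2: require authentication for /wp/v2/users and /wp/v2/users/<id> only.
// Every other REST route keeps its default behaviour.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // true or WP_Error means an earlier authentication handler already decided.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result; // cookie or application-password auth succeeded
    }
    // rest_api_loaded() stores the requested route in the rest_route query var
    // for both /wp-json/... and ?rest_route=... style requests.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '';
    if ( preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
        return new WP_Error(
            'rest_users_auth_required', // constructed error code
            'Authentication is required to list users.',
            array( 'status' => 401 )
        );
    }
    return $result; // null: fall through to WordPress's own decision
} );
```

After installing, re-run the two probes from the audit (or curl them yourself): xmlrpc.php should answer 403 and /wp-json/wp/v2/users should answer 401 with the error code above, while /wp-json/wp/v2/posts still answers 200.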
3. wp-emoji scripts on the front-end
Detection: the audit checks for wp-emoji-release.min.js and the _wpemojiSettings inline script. Both are enabled by default. Both fire on every page load. Both are totally unused on most sites because browsers handle emoji natively now.
Fix: drop this into functions.php or your mu-plugin:
// Stop the detection script (wp-emoji-release.min.js plus the _wpemojiSettings inline script); priority 7 must match core's add_action or nothing is removed.
remove_action('wp_head', 'print_emoji_detection_script', 7);
// Stop the matching inline emoji CSS.
remove_action('wp_print_styles', 'print_emoji_styles');
Typical impact: one fewer request per page, about 10 KB saved. On a site with millions of monthly pageviews, that bandwidth adds up.
4. jQuery Migrate loading
WordPress dropped jQuery Migrate from core in version 5.5 (August 2020). If your audit flags jquery-migrate.js as loading, a plugin is forcing it because the plugin uses a deprecated jQuery API that Migrate patches.
Fix: the right move is to update the plugin forcing Migrate. If the plugin is abandoned, replace it. If replacing it is infeasible, at least audit which plugin is forcing it (use Query Monitor for this), so you know the blast radius of a jQuery 4 upgrade when it ships.
5. Heartbeat API throttling
WordPress's Heartbeat API polls admin-ajax.php every 15 to 60 seconds from every open admin page (and from some front-end pages for logged-in users). On a shared host with a slow PHP runtime, this is one of the top TTFB contributors behind cart-fragments.
Fix: install Heartbeat Control. Configure it to disable Heartbeat on the front-end entirely, throttle it to 60 seconds in the admin dashboard, and leave it at default (15 seconds) in the post editor where autosave actually needs it.
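The same three settings written as an mu-plugin instead of installing Heartbeat Control. This is an added example, not the plugin's code; it assumes the editor screens are post.php and post-new.php and that heartbeat.js keeps clamping the interval to 15..120 seconds.

```php
<?php
// Added example (not Heartbeat Control's code): no Heartbeat on the front-end,
// 60-second polling in the dashboard, the 15-second default in the post editor.

// Front-end: deregister the script so logged-in visitors never start polling.
// Core refuses to deregister heartbeat inside wp-admin, hence the is_admin() guard.
add_action( 'init', function () {
    if ( ! is_admin() ) {
        wp_deregister_script( 'heartbeat' );
    }
}, 1 );

// Admin: the heartbeat_settings filter is applied when core localizes the script.
// Keep the editor fast so autosave and post locking keep working; slow everything else.
add_filter( 'heartbeat_settings', function ( $settings ) {
    $screen = isset( $GLOBALS['pagenow'] ) ? $GLOBALS['pagenow'] : '';
    $editor = in_array( $screen, array( 'post.php', 'post-new.php' ), true );
    $settings['interval'] = $editor ? 15 : 60; // heartbeat.js clamps to 15..120
    return $settings;
} );
```

Verify in the browser's network panel: admin-ajax.php requests with action=heartbeat should stop on the front-end and arrive once a minute on the dashboard.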
6. Block library CSS on non-Gutenberg pages
Detection: the audit looks for /wp-includes/css/dist/block-library/style.min.css. WordPress loads this CSS file on every page, even pages that don't use any Gutenberg blocks. The file is around 40 KB and blocks first paint.
Fix: if your site is pure classic-editor, dequeue block-library CSS entirely. If you use some Gutenberg blocks but not on every page, use a plugin like Asset CleanUp or Perfmatters to dequeue the stylesheet on pages that don't need it. Theme-level option: add remove_action('wp_enqueue_scripts', 'wp_enqueue_global_styles'); in functions.php if your theme doesn't rely on global styles.
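The "some Gutenberg blocks but not on every page" case done in code rather than with Asset CleanUp or Perfmatters, as an added example (not those plugins' code). It assumes a classic (non-block) theme; block themes depend on these stylesheets and should not use this.

```php
<?php
// Added example: dequeue the block-library CSS only where the rendered post has
// no blocks. Flip $classic_only to true on a pure classic-editor site to drop
// it everywhere, including archives, where there is no single post to inspect.
add_action( 'wp_enqueue_scripts', function () {
    $classic_only = false;

    if ( ! $classic_only ) {
        if ( ! is_singular() ) {
            return; // archives, search, 404: leave core's default in place
        }
        if ( has_blocks( get_queried_object_id() ) ) {
            return; // this post uses Gutenberg blocks; keep the stylesheet
        }
    }

    wp_dequeue_style( 'wp-block-library' );       // the ~40 KB file the audit flags
    wp_dequeue_style( 'wp-block-library-theme' ); // front-end-only core block styles
    wp_dequeue_style( 'classic-theme-styles' );   // WP 6.1+ block styles for classic themes
}, 100 ); // priority 100: run after core's own enqueue at priority 10
```

Re-run the audit on one classic page and one block-built page: only the former should lose /wp-includes/css/dist/block-library/style.min.css.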
7. WooCommerce payment gateway detection
Detection: the audit scans rendered HTML for seven payment-gateway fingerprints (Stripe, PayPal, Square, Klarna, Afterpay, Razorpay, Amazon Pay). The warning fires when no gateway is detected on a site that otherwise has WooCommerce installed.
Why this matters: a WooCommerce store with no payment gateway is either a demo or a broken store. Neither should be live where Google can index it.
Fix: set up at least one production-ready gateway. Stripe is the most common default. Confirm the gateway is actually enabled (WooCommerce → Settings → Payments → Stripe) and that test mode is off.
8. Product review schema (aggregateRating)
Detection: the audit checks for Product.aggregateRating in JSON-LD. If a product page ships Product schema without aggregateRating, it's missing the single highest-impact rich-result eligibility signal Google Merchant supports.
Fix: enable reviews on your products (WooCommerce → Settings → Products → Reviews). Make sure your theme or a schema plugin (Rank Math, Yoast, or WooCommerce Product Structured Data) actually writes aggregateRating into the JSON-LD. Verify with Google's Rich Results Test.
How to run the audit
Paste your WordPress URL into the WordPress + WooCommerce Audit. The tool runs the original nine checks plus these eight additional ones in a single pass, probes the public WordPress attack surface (xmlrpc.php, users endpoint, wp-login), and emits a WordPress-native fix prompt that names the exact WP Admin paths and functions.php snippets for every finding.
Related reading
- WordPress + WooCommerce Audit, the tool that runs these checks
- WP Lightweight Themes, the theme-choice layer that multiplies everything else
- Site Migration Capture, when the right fix is to move off WordPress
Fact-check notes and sources
- WordPress Core release notes for the 5.5 jQuery Migrate change.
- WordPress REST API Handbook on the users endpoint and rest_authentication_errors filter.
- Google web.dev on Core Web Vitals and the block-library CSS impact on LCP.
- Google Merchant Center structured data documentation for aggregateRating eligibility.
This post is informational, not WordPress-consulting or legal advice. WordPress, WooCommerce, and all plugin and theme names referenced are trademarks of their respective owners, used under nominative fair use. No affiliation is implied.