ongboit.com — SEO + GEO Audit

CWV (Core Web Vitals) — Google's UX metrics: LCP (load), INP (responsiveness), CLS (visual stability). They feed ranking + the Technical score.

LCP — Largest Contentful Paint — when the largest element renders. Good <2.5s, Poor ≥4.0s. Driven mostly by server response time (TTFB).

INP / CLS — INP = Interaction-to-Next-Paint (target <200ms, replaced FID). CLS = layout shift (target <0.1).

GEO / AEO — Generative / Answer Engine Optimization — being citable by AI engines (ChatGPT, Perplexity, Gemini, AI Overviews), not just ranking in blue links.

llms.txt — An emerging 2026 manifest that tells LLMs which URLs to read. A broken/missing one costs AI-citation coverage.

AI crawler access — Whether bots like GPTBot / ClaudeBot / PerplexityBot are allowed in robots.txt. Blocking them removes you from AI answers.

Schema (structured data) — JSON-LD that labels your content (Article, FAQ, Organization, Person…). Helps both rich results and AI extraction.

Canonical — The <link rel="canonical"> tag declaring the preferred URL for a page — prevents duplicate-content dilution.

Striking distance — Keywords ranking on page 2 (positions 11-20) with real impressions — small wins can push them to page 1.

Crawl budget — How many pages a search engine will fetch per visit. Wasted on junk URLs = important pages crawled less often.

E-E-A-T — Experience, Expertise, Authoritativeness, Trustworthiness — Google's content-quality framework.

Evidence: https://ongboit.com homepage: <input type="search" name="s" placeholder="Tim bai viet..."> and <input type="email" placeholder="Email cua ban"> have no <label for>, no aria-label, no aria-labelledby. Screen readers announce only the role + placeholder (placeholder is not a reliab

Impact: Restores accessible name for 2 primary site interactions (search, newsletter signup) for SR/voice-control users; removes the largest single AA gap.

Evidence: https://ongboit.com/claude-code-la-gi/ : 4 <table>, 13 <th> cells, 0 carry scope="col"/"row", 0 <caption>. Header-to-data association is not programmatically conveyed.

Impact: Lets SR users understand which header governs each data cell in comparison tables; low reach but cheap fix (template-level).

Evidence: https://ongboit.com homepage: <button type="submit" ...>🔍</button> contains only an emoji glyph and no aria-label. SR may announce nothing or the literal emoji name.

Impact: Gives the search trigger a clear name (e.g. aria-label="Tim kiem"); pairs with M17 fix in the same search-form template.

Evidence: https://ongboit.com homepage: <input type="email" style="...outline: none;"> has no onfocus/border swap (unlike the search input which restores its border). Keyboard users get no visible focus state on the email field. Theme :focus-visible covers only .menu-toggle.

Impact: Restores keyboard-visible focus on a form control; partial-credit item from baseline M19.

Evidence: #64748b on #f8fafc = 4.55:1 and on #ffffff = 4.76:1 (AA normal-text threshold 4.5:1). Passes but with no headroom; any future bg lightening or smaller weight risks failure. Footer legal link itself is fine (#93c5fd 9.9:1).

Impact: Darken muted token to ~#475569 for safety margin and AAA-leaning readability; low priority since currently compliant.

Evidence: sameAs = 4 (FB/GitHub/TikTok/LinkedIn); no X/Reddit/YouTube/Wikidata

Impact: entity confidence + AI citation

Evidence: baseline H8

Impact: authority

Evidence: backlinks_summary -> 40204; ranked-kw avg referring_domains 1.0-1.3

Impact: Authority is the #1 lever for page-4-8 rankings

Evidence: curl https://ongboit.com/ -> gtag('consent','default',{"ad_personalization":"denied","ad_storage":"denied","ad_user_data":"denied","analytics_storage":"denied","functionality_storage":"denied","security_storage":"denied","personalization_storage":"denied","region":[32 EEA/EU ISO

Impact: high

Evidence: curl https://ongboit.com/chinh-sach-bao-mat/ -> 'GDPR' x13, 'CCPA' x7, 'Decree 13' + 'Nghị định 13' + 'Personal Data Protection' (PDPD). Fields present: 'Data controller', 'Standard Contractual' (SCCs x2), 'legal basis'/'Cơ sở pháp lý', 'Data breach'/'vi phạm dữ liệu', 'DPO'/'Dat

Impact: high

Evidence: curl -sI https://ongboit.com/privacy -> HTTP/1.1 301 Moved Permanently; Location: https://ongboit.com/chinh-sach-bao-mat/. Baseline (2026-05-29) redirected to an unrelated blog post.

Impact: medium

Evidence: curl -sI https://ongboit.com/ -> Strict-Transport-Security: max-age=31536000; X-Frame-Options: SAMEORIGIN; X-Content-Type-Options: nosniff; Referrer-Policy: strict-origin-when-cross-origin; Permissions-Policy: camera=(), microphone=(), geolocation=(), browsing-topics=().

Impact: medium

Evidence: curl -sI https://ongboit.com/ shows no Content-Security-Policy, no Cross-Origin-Opener-Policy / Cross-Origin-Resource-Policy, and no X-XSS-Protection. HSTS = 'max-age=31536000' only (no includeSubDomains, no preload). 5/7 of the standard header set present; CSP is the highest-val

Impact: medium

Evidence: curl https://ongboit.com/chinh-sach-bao-mat/ -> rights-exercise contact is mailto:thenguyen.ai.automation@gmail.com (x4); 'thực hiện quyền' present but no dedicated DSAR web form, no privacy@/dpo@ branded alias, no 'Do Not Sell' opt-out form (CCPA expects a request mechanism). Po

Impact: medium

Evidence: curl https://ongboit.com/ footer -> chinh-sach-bao-mat (Privacy), dieu-khoan-su-dung (Terms), contact x6, cmplz-manage-consent x8 (Complianz manage-cookies revocation control). Terms page /dieu-khoan-su-dung/ returns HTTP 200.

Impact: low

Evidence: curl https://ongboit.com/ -> only gtag/js?id=GT-K8HP8DDM present; no googletagmanager.com/gtm, facebook.net, hotjar, clarity.ms, or doubleclick references on the homepage. Tag is gated behind the Consent Mode v2 default-denied block, so analytics/ads storage stays denied until op

Impact: medium

Evidence: DataForSEO ai_overview for claude code gia re/eval/llm; ongboit rank 39-87

Impact: AIO/ChatGPT/Perplexity citation

Evidence: baseline M24; no Reddit/community signals

Impact: AI citation

Evidence: grep for 'speakable' across raw HTML of homepage, /claude-code-la-gi/, and /n8n-pricing/ returns 0 hits. fetch_page.py structured_data also shows no speakable property on BlogPosting or WebPage types. Baseline noted speakable present on snippet #5 — this is not confirmed in today

Impact: Medium-high: speakable is the most direct AI-assistant signal. Its absence means AI voice assistants and AI crawlers cannot identify the most citable passages without inference.

Evidence: Organization @graph block keys: ['@type', '@id', 'name', 'sameAs', 'logo']. url=MISSING, description=MISSING, foundingDate=MISSING, contactPoint=MISSING, address=MISSING, founder=MISSING. These were listed as intended additions (founder was mentioned in baseline comparison notes)

Impact: Medium: url and description are E-E-A-T signals that help AI models build a complete entity graph. Without url, Google cannot confidently resolve the @id anchor to a canonical site.

Evidence: Organization sameAs=['https://www.facebook.com/ongboitvuitinh/', 'https://github.com/thenguyenvn90', 'https://www.tiktok.com/@ongbo.it', 'https://www.linkedin.com/in/minh-the-nguyen-6b995960']. Wikipedia, Wikidata, YouTube not present. Baseline noted these as 'strategic, still op

Impact: High for AI entity resolution: Wikipedia and Wikidata are the strongest cross-platform entity signals for LLMs. YouTube is a high-authority platform signal. Adding them would push sameAs score from 10 to 15.

Evidence: Person sameAs includes both 'https://www.linkedin.com/in/minh-the-nguyen-6b995960' and 'https://linkedin.com/in/minh-the-nguyen-6b995960' (missing www prefix). These resolve to the same URL but signal inconsistency.

Impact: Low: not a validation error, but clean sameAs arrays send stronger entity signals. Remove the www-less variant.

Evidence: Person block keys: ['@type', '@id', 'name', 'url', 'image', 'sameAs', 'worksFor', 'jobTitle', 'knowsAbout']. description=MISSING. A bio string like 'DevOps Engineer and AI Vibe Coder helping Vietnamese developers automate with Claude Code and n8n' would complete the E-E-A-T perso

Impact: Low-medium: description strengthens author entity for AI citation decisions, especially for 'who wrote this?' queries.

Evidence: BlogPosting keys on both sampled articles: ['@type', 'headline', 'keywords', 'datePublished', 'dateModified', 'articleSection', 'author', 'publisher', 'description', 'name', '@id', 'isPartOf', 'image', 'inLanguage', 'mainEntityOfPage']. wordCount=MISSING.

Impact: Low: wordCount is a recommended (not required) property. Signals content depth to AI models that use schema to assess comprehensiveness before citation.

Evidence: FAQPage confirmed on /claude-code-la-gi/ (9 questions) and /n8n-pricing/ (7 questions) as separate JSON-LD blocks outside the main @graph. Syntactically valid. mainEntity uses Question/@type and Answer/@type correctly.

Impact: No rich result eligibility for non-authority sites, but schema provides strong Q&A semantic structure for AI crawlers (GPTBot, ClaudeBot, PerplexityBot). Retain. Do NOT remove.

Evidence: The Organization @id is 'https://ongboit.com/#organization' which is an internal anchor, not the canonical site URL. Without a url property ('https://ongboit.com/'), Google's Knowledge Graph and AI models cannot cleanly link the Organization entity to the domain.

Impact: Medium: url is a recommended property for Organization and strongly expected by Google's structured data documentation for Knowledge Panel eligibility.

Evidence: curl -X POST https://ongboit.com/xmlrpc.php with system.listMethods payload returns HTTP 200 and lists 80 methods including pingback.ping, pingback.extensions.getPingbacks, wp.newPost, wp.editPost, wp.deletePost, wp.uploadFile, wp.deleteFile, wp.getUsers, metaWeblog.newPost, blog

Impact: critical — active attack vector, pingback abuse and credential stuffing risk; also Google flags xmlrpc brute-force as a security signal

Evidence: curl -sI https://ongboit.com/ — no Content-Security-Policy header in response. Confirmed across 4 separate header fetches. wp-login.php has CSP frame-ancestors 'self' only. Homepage and article pages: no CSP. Risk: XSS attacks can inject arbitrary scripts. Also affects AI crawler

Impact: high — XSS attack surface, browser security warnings in future Chrome versions, negative trust signal

Evidence: curl -sI https://ongboit.com/ returns: Strict-Transport-Security: max-age=31536000 — no includeSubDomains, no preload. grep 'includeSubDomains' count=0. Best practice: max-age=31536000; includeSubDomains. Without includeSubDomains, subdomains (e.g., www.ongboit.com, any future su

Impact: medium — subdomain downgrade attack vector; also fails HSTS preload list eligibility

Evidence: Extracted from live HTML: <meta name="description" content="Mình là Thế, DevOps Engineer. Mình dùng Claude Code và n8n hằng ngày cho vibe coding và SEO + GEO content automation."/> — echo -n [...] | wc -c = 128 characters. Google typically displays 150-160 chars; truncation at 12

Impact: low — reduced CTR from search results, Google may rewrite with its own snippet

Evidence: WebFetch analysis of homepage HTML: 'Multiple images present without explicit width/height attributes — Logo image, Article featured images'. WordPress wp-img-auto-sizes CSS present (WP 6.7 auto-sizes feature) but contain-intrinsic-size fallback (3000px 1500px) is a rough estimat

Impact: medium — CLS is a Core Web Vital and a Google ranking factor; layout shifts harm UX and scores

Evidence: robots.txt line: 'Sitemap: https://ongboit.com/llms.txt' — llms.txt is a plain-text AI model context file, not an XML sitemap. The Sitemap: directive in robots.txt is expected to point to XML sitemaps. Search engine crawlers (Googlebot, Bingbot) that parse Sitemap: directives wil

Impact: low — may cause crawl errors in GSC for invalid sitemap; no ranking impact but creates noise

Evidence: curl -sv https://ongboit.com/ head section: preconnect to fonts.googleapis.com and fonts.gstatic.com present (good). dns-prefetch for googletagmanager.com and pagead2.googlesyndication.com present. No <link rel=preload> for hero image, critical CSS, or web fonts. Google Fonts loa

Impact: low-medium — incremental LCP improvement; not a ranking blocker but affects CWV scores

Evidence: curl -sI https://ongboit.com/ returns: Server: Apache/2.4.66 (Debian) — full version and OS disclosed. Also X-Powered-By absent (good — PHP version not exposed in main headers, though present on xmlrpc.php: X-Powered-By: PHP/8.3.30). Apache version disclosure enables targeted exp

Impact: low — informational; reduces targeted attack surface

Evidence: Homepage, /n8n-pricing/, /advisor-strategy-claude-code/ all render 'follow, index' instead of standard 'index, follow'. /claude-code-la-gi/ correctly shows 'index, follow'. Rank Math PRO inconsistently applies order depending on post type or template. Google treats both as valid,

Impact: low

Evidence: All 4 pages returned zero hreflang attributes. Site is 100% Vietnamese-language content targeting Vietnamese readers. Without hreflang vi and x-default, Google may not correctly associate the site with vi locale in international results. HTML lang='vi' is set at <html> level (obs

Impact: medium

Evidence: Heading sequence begins: H1 > H3 (TL;DR) > H2 > H2 ... The TL;DR summary block uses an H3 with no parent H2, violating document outline semantics. WCAG 1.3.1 (Info and Relationships) requires heading levels to reflect document structure. This also degrades crawlability: the TL;DR

Impact: medium

Evidence: Homepage H1 is 'Hành Trình Zero → Hero với AI Coding và Automation' — narrative/brand-voice framing with no mention of 'Claude Code', 'AI coding assistant', 'self-hosting', or the primary keyword clusters the site targets. Title tag also omits a topical keyword, relying entirely

Impact: medium

Evidence: Homepage title includes '| Ông Bố IT' brand suffix. All 3 blog post titles omit brand: 'Claude Code Là Gì? Giải Thích Đơn Giản + So Sánh 2026' (53 chars), 'n8n Pricing 2026: Cloud $24-$50/Tháng + 3 Pattern Tiết Kiệm' (59 chars), 'Advisor Strategy Claude Code: Dùng Opus Rẻ Hơn 73%

Impact: low

Evidence: All 3 article pages have BreadcrumbList in JSON-LD (confirmed by schema_types extraction), but zero breadcrumb-class HTML elements were found in any page DOM. Google's breadcrumb rich result requires consistent JSON-LD + visible HTML breadcrumb for reliable eligibility. Schema-on

Impact: medium

Evidence: Homepage meta description is 117 characters: 'Mình là Thế, DevOps Engineer. Mình dùng Claude Code và n8n hằng ngày cho vibe coding và SEO + GEO content automation.' Optimal range for Vietnamese SERP is 140-155 chars (Google typically displays ~155-160 chars in desktop SERP snippe

Impact: low

Evidence: Homepage: 12/12 images with non-empty alt. /claude-code-la-gi/: 26/26. /n8n-pricing/: 21/21. /advisor-strategy-claude-code/: 19/19. Zero empty alt attributes and zero missing alt attributes across 78 total images. This is a genuine strength — above-average for WordPress sites in

Impact: none

Evidence: DataForSEO domain_rank_overview VN count=8, best rank_group=12; 'claude code' (33,100/mo) only #69

Impact: Top-10 for 2-3 mid-volume kw -> 10-20x current 92 ETV

Evidence: ai_overview in serp_item_types for claude code gia re/eval/llm; ongboit rank 39-87

Impact: AIO citation eligibility

Evidence: crawl-summary slow_ttfb=288; baseline TTFB 657ms

Impact: LCP headroom + crawl budget; field LCP already FAST so impact moderate

Evidence: crawl-summary large_html=279

Impact: transfer size

Evidence: Homepage, /n8n-pricing/, /advisor-strategy-claude-code/ all render 'follow, index' instead of standard 'index, follow'. /claude-code-la-gi/ correctly shows 'index, follow'. Rank Math PRO inconsistently applies order depending on post type or template. Google treats both as valid,

Impact: low

Evidence: All 4 pages returned zero hreflang attributes. Site is 100% Vietnamese-language content targeting Vietnamese readers. Without hreflang vi and x-default, Google may not correctly associate the site with vi locale in international results. HTML lang='vi' is set at <html> level (obs

Impact: medium

Evidence: Heading sequence begins: H1 > H3 (TL;DR) > H2 > H2 ... The TL;DR summary block uses an H3 with no parent H2, violating document outline semantics. WCAG 1.3.1 (Info and Relationships) requires heading levels to reflect document structure. This also degrades crawlability: the TL;DR

Impact: medium

Evidence: Homepage H1 is 'Hành Trình Zero → Hero với AI Coding và Automation' — narrative/brand-voice framing with no mention of 'Claude Code', 'AI coding assistant', 'self-hosting', or the primary keyword clusters the site targets. Title tag also omits a topical keyword, relying entirely

Impact: medium

Evidence: Homepage title includes '| Ông Bố IT' brand suffix. All 3 blog post titles omit brand: 'Claude Code Là Gì? Giải Thích Đơn Giản + So Sánh 2026' (53 chars), 'n8n Pricing 2026: Cloud $24-$50/Tháng + 3 Pattern Tiết Kiệm' (59 chars), 'Advisor Strategy Claude Code: Dùng Opus Rẻ Hơn 73%

Impact: low

Evidence: All 3 article pages have BreadcrumbList in JSON-LD (confirmed by schema_types extraction), but zero breadcrumb-class HTML elements were found in any page DOM. Google's breadcrumb rich result requires consistent JSON-LD + visible HTML breadcrumb for reliable eligibility. Schema-on

Impact: medium

Evidence: Homepage meta description is 117 characters: 'Mình là Thế, DevOps Engineer. Mình dùng Claude Code và n8n hằng ngày cho vibe coding và SEO + GEO content automation.' Optimal range for Vietnamese SERP is 140-155 chars (Google typically displays ~155-160 chars in desktop SERP snippe

Impact: low

Evidence: Homepage: 12/12 images with non-empty alt. /claude-code-la-gi/: 26/26. /n8n-pricing/: 21/21. /advisor-strategy-claude-code/: 19/19. Zero empty alt attributes and zero missing alt attributes across 78 total images. This is a genuine strength — above-average for WordPress sites in

Impact: none

Evidence: crawl-summary slow_ttfb=288; baseline TTFB 657ms

Impact: LCP headroom + crawl budget; field LCP already FAST so impact moderate

Evidence: crawl-summary large_html=279

Impact: transfer size

Evidence: curl -X POST https://ongboit.com/xmlrpc.php with system.listMethods payload returns HTTP 200 and lists 80 methods including pingback.ping, pingback.extensions.getPingbacks, wp.newPost, wp.editPost, wp.deletePost, wp.uploadFile, wp.deleteFile, wp.getUsers, metaWeblog.newPost, blog

Impact: critical — active attack vector, pingback abuse and credential stuffing risk; also Google flags xmlrpc brute-force as a security signal

Evidence: curl -sI https://ongboit.com/ — no Content-Security-Policy header in response. Confirmed across 4 separate header fetches. wp-login.php has CSP frame-ancestors 'self' only. Homepage and article pages: no CSP. Risk: XSS attacks can inject arbitrary scripts. Also affects AI crawler

Impact: high — XSS attack surface, browser security warnings in future Chrome versions, negative trust signal

Evidence: curl -sI https://ongboit.com/ returns: Strict-Transport-Security: max-age=31536000 — no includeSubDomains, no preload. grep 'includeSubDomains' count=0. Best practice: max-age=31536000; includeSubDomains. Without includeSubDomains, subdomains (e.g., www.ongboit.com, any future su

Impact: medium — subdomain downgrade attack vector; also fails HSTS preload list eligibility

Evidence: Extracted from live HTML: <meta name="description" content="Mình là Thế, DevOps Engineer. Mình dùng Claude Code và n8n hằng ngày cho vibe coding và SEO + GEO content automation."/> — echo -n [...] | wc -c = 128 characters. Google typically displays 150-160 chars; truncation at 12

Impact: low — reduced CTR from search results, Google may rewrite with its own snippet

Evidence: WebFetch analysis of homepage HTML: 'Multiple images present without explicit width/height attributes — Logo image, Article featured images'. WordPress wp-img-auto-sizes CSS present (WP 6.7 auto-sizes feature) but contain-intrinsic-size fallback (3000px 1500px) is a rough estimat

Impact: medium — CLS is a Core Web Vital and a Google ranking factor; layout shifts harm UX and scores

Evidence: robots.txt line: 'Sitemap: https://ongboit.com/llms.txt' — llms.txt is a plain-text AI model context file, not an XML sitemap. The Sitemap: directive in robots.txt is expected to point to XML sitemaps. Search engine crawlers (Googlebot, Bingbot) that parse Sitemap: directives wil

Impact: low — may cause crawl errors in GSC for invalid sitemap; no ranking impact but creates noise

Evidence: curl -sv https://ongboit.com/ head section: preconnect to fonts.googleapis.com and fonts.gstatic.com present (good). dns-prefetch for googletagmanager.com and pagead2.googlesyndication.com present. No <link rel=preload> for hero image, critical CSS, or web fonts. Google Fonts loa

Impact: low-medium — incremental LCP improvement; not a ranking blocker but affects CWV scores

Evidence: curl -sI https://ongboit.com/ returns: Server: Apache/2.4.66 (Debian) — full version and OS disclosed. Also X-Powered-By absent (good — PHP version not exposed in main headers, though present on xmlrpc.php: X-Powered-By: PHP/8.3.30). Apache version disclosure enables targeted exp

Impact: low — informational; reduces targeted attack surface

Evidence: DataForSEO domain_rank_overview VN count=8, best rank_group=12; 'claude code' (33,100/mo) only #69

Impact: Top-10 for 2-3 mid-volume kw -> 10-20x current 92 ETV

Evidence: ai_overview in serp_item_types for claude code gia re/eval/llm; ongboit rank 39-87

Impact: AIO citation eligibility

Evidence: crawl-summary indexable_not_in_sitemap=11

Impact: discovery

Evidence: robots.txt 'Sitemap: https://ongboit.com/llms.txt'; llms.txt is text/plain not XML

Impact: avoids GSC sitemap parse errors

Evidence: crawl-summary http_url_in_sitemap=1

Impact: minor

Evidence: geo-accessibility contrast math

Impact: readability margin

Evidence: geo-accessibility M19 partial

Impact: keyboard-nav visibility