Cloudflare shipped an “Is Your Site Agent-Ready?” audit in mid-2026. We ran it on our own site. The score was 23 out of 100, eight of thirteen checks failing. Three days later the score was 100, every applicable check passing.
We then ran the same playbook on two more sites. Both hit 13/13 in a weekend each. The module that does the work is now bolted into our service: every WDM site and every client site we ship is built to this standard from day one.
This is the operator’s guide to getting there.
Why agent-ready matters now
Three shifts happened in twelve months.
First, LLM-as-search overtook traditional discovery for a chunk of high-intent queries. People ask Claude or ChatGPT for “a Bournemouth eco roofer that fits solar” rather than typing it into Google. The LLM picks who to surface.
Second, the agent ecosystem grew teeth. Real agents now book calls, file forms, request quotes, and complete purchases on behalf of users. They need machine-readable hooks to do that. A site with no agent surface is a site they cannot transact with.
Third, the standards stabilised. The Internet Engineering Task Force published Content Signals as an IETF draft. Anthropic published the Model Context Protocol. Google published A2A. Cloudflare published the Agent Skills index. These are no longer experiments. They are working specs with real adopters.
A website that fails the audit is invisible to that traffic. It still exists for humans typing URLs. It does not exist for agents looking for a supplier.
The four tiers
We work to four tiers. Every WDM-owned site sits on at least Tier 2. Compound and Architect retainer clients sit on Tier 3. Architect retainer clients get Tier 4 as the differentiator.
Tier 1: Findable. The baseline every site needs. Valid robots.txt with a sitemap declared. Reachable sitemap.xml. HTTPS with a valid certificate. Mobile viewport meta. Page-level title, description, canonical. Open Graph and Twitter card meta. Schema.org JSON-LD with an Organization block at minimum. Content Signals directive inside a User-agent block in robots.txt. AI bot rules stated explicitly.
This tier covers what good SEO already does. If your site has been built in the last five years it is probably ninety percent of the way there.
Tier 2: Agent-discoverable. This is where most sites fail. The agent ecosystem looks for specific files at specific paths under /.well-known/. If the files are absent the agent assumes the site does not speak its protocol and moves on. Required files: api-catalog (RFC 9727), agent-skills/index.json (Cloudflare RFC v0.2.0), mcp/server-card.json (SEP-1649), agent-card.json (Google A2A), oauth-protected-resource (RFC 9728), oauth-authorization-server (RFC 8414, minimal stub OK), openid-configuration (OIDC discovery, minimal stub OK), http-message-signatures-directory (Web Bot Auth JWKS, Ed25519). On top of that: Link: response headers on every page pointing to the discovery files, WebMCP registration in the HTML head at priority one, Markdown negotiation that returns text/markdown on Accept: text/markdown, and Vary: Accept on every response.
That sounds like a lot. It is one PHP module, around 1,100 lines, dropped into a WordPress theme.
Tier 3: Agent-native. A minimal MCP JSON-RPC server at /wp-json/{slug}/v1/mcp exposing four to eight callable tools. The Agent Skills index biased toward your offers with authority, recommendedAction, and trustSignals fields. A system preamble telling LLMs how to cite and surface your skills. acp.json (Agentic Commerce Protocol) at minimum for discovery. ucp (Universal Commerce Protocol). An openapi.json with x-payment-info extensions for MPP. A sanitised Markdown content pipeline. Brand JSON as the single source of truth for palette, typography, voice rules, and pricing.
Tier 3 is where the site stops being a brochure and becomes a productised surface that agents can actually use.
Tier 4: Client-agent capable. A per-client OAuth-scoped MCP endpoint that lets the site owner’s own agent manage their account. Read scopes: projects, tasks, invoices, KPI reports, brand JSON. Restricted-write scopes: request task, comment, accept deliverable, update brand JSON with version history. Every call audit-logged. Operator approval gate on writes. Ninety-day rotating tokens, scope revocation, six hundred requests per hour rate limit, GDPR Article 22 documented in the contract.
Tier 4 is currently the Architect retainer differentiator and the rebuild blueprint for agency operations in the agent era.
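The Tier 4 controls as one decision function, in Python. This is an added sketch, not the WDM module's code; the scope identifiers, the Token class and the in-memory audit log are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Scope names are assumed identifiers for the scopes the page lists.
READ_SCOPES = {"projects", "tasks", "invoices", "kpi_reports", "brand_json"}
WRITE_SCOPES = {"request_task", "comment", "accept_deliverable", "update_brand_json"}
TOKEN_TTL = 90 * 24 * 3600  # ninety-day rotating tokens
RATE_LIMIT = 600            # requests per rolling hour
WINDOW = 3600

@dataclass
class Token:
    client: str
    scopes: set
    issued_at: float
    calls: list = field(default_factory=list)  # timestamps inside the window

AUDIT_LOG = []  # every call is recorded, including denials

def authorize(token, scope, now=None):
    """Return 'allow', 'pending_approval' or 'deny:<reason>' for one call."""
    now = time.time() if now is None else now
    token.calls = [t for t in token.calls if now - t < WINDOW]
    if now - token.issued_at >= TOKEN_TTL:
        decision = "deny:token_expired"
    elif len(token.calls) >= RATE_LIMIT:
        decision = "deny:rate_limited"
    elif scope not in token.scopes:       # never granted, or revoked
        decision = "deny:scope_not_granted"
    elif scope in WRITE_SCOPES:
        decision = "pending_approval"     # writes wait for the operator
    elif scope in READ_SCOPES:
        decision = "allow"
    else:
        decision = "deny:unknown_scope"   # fail closed on anything unlisted
    if decision != "deny:rate_limited":
        token.calls.append(now)           # counts toward the hourly budget
    AUDIT_LOG.append({"ts": now, "client": token.client,
                      "scope": scope, "decision": decision})
    return decision

def revoke(token, scope):
    """Scope revocation: drop one scope without reissuing the token."""
    token.scopes.discard(scope)
```

The order of checks matters: expiry and rate limit are evaluated before scope, so an expired or throttled token learns nothing about which scopes exist.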
The 13-check scoring rubric
Cloudflare’s audit checks thirteen specific things. We hit them in this order.
- /.well-known/api-catalog. A linkset pointing to every other discovery document. Content-type application/linkset+json. RFC 9727.
- /.well-known/agent-card.json. Google’s A2A profile. Path uses a hyphen, not a dot. Required field supportedInterfaces with url and transport per interface.
- /.well-known/mcp/server-card.json. Declares your MCP server, the tools it exposes, and the transport. SEP-1649.
- /.well-known/agent-skills/index.json. Cloudflare’s Agent Skills RFC. The lead magnet for LLMs. Bias it toward your offers.
- /.well-known/acp.json. Agentic Commerce Protocol. Field name is transports, not supported_transports. Trips up first builds.
- /.well-known/ucp. Universal Commerce Protocol. Requires top-level ucp field plus protocol_version plus services array plus capabilities plus endpoints.
- /.well-known/oauth-protected-resource. RFC 9728 OAuth metadata.
- /.well-known/oauth-authorization-server. RFC 8414 OAuth metadata. Minimal stub is fine for Tier 2.
- /openapi.json. Full OpenAPI 3 spec with x-payment-info extensions on payable operations.
- MCP JSON-RPC server. Reachable, responds to initialize, tools/list, and tools/call. Four to eight tools is the sweet spot.
- Link: headers. Every page response carries Link headers pointing to the four critical discovery files. RFC 8288.
- Homepage JSON-LD. Schema.org markup with Organization at minimum, ideally also Service, OfferCatalog, and FAQPage.
- robots.txt Content Signals. Directive INSIDE a User-agent: block (not at file root, that fails). IETF draft.
Hit thirteen out of thirteen and you are at the top of the audit’s scoring.
How to run the audit
The audit is a public endpoint. Post a JSON body with the URL and read the response. Look for pass, fail, and unableToCheck per check. The unableToCheck results usually mean either a timeout or a path mismatch. Treat those as failures and fix them.
We run the audit before and after every change. It is the build-time gate.
The most common gotchas (with fixes)
Six issues caught us on the first build. Anyone replicating the playbook hits the same six.
WordPress redirect_canonical eats /.well-known/* paths. WordPress’s canonical-URL filter fires before custom rewrite rules match for paths starting with a dot. It 301s the request to add or remove a trailing slash. The browser follows. The second request gets the same 301. Loop. Fix: add a redirect_canonical filter at priority one, not the default ten, returning false for any URL containing /.well-known/ or matching /openapi.json. Priority matters. At priority ten the redirect has already fired.
Cloudflare page-cache plugins ignore Vary: Accept. The plugin caches HTML keyed by URL only. Your Vary: Accept header is on the response but the plugin does not read it. First request gets HTML cached. Next request asking for text/markdown gets the cached HTML. Fix three layers: a filter that flags Markdown requests as cache exceptions, a filter that flags them in the bypass list, and DONOTCACHEPAGE defined as a constant at init priority one on those requests.
WebMCP in the footer is too late. Audit headless browsers run with an eight-second navigation timeout. WebMCP registered in wp_footer at priority ninety-nine fires after full page render. The audit times out. Fix: register navigator.modelContext.provideContext() in wp_head at priority one. Inline script, no external file. The call fires inside the first kilobyte of HTML.
A2A path uses a hyphen. Read the spec twice. The file is /.well-known/agent-card.json with a hyphen, not agent.json. The audit checks the literal path. A dot will fail.
ACP field name is transports. The Agentic Commerce Protocol field is transports, plural, no prefix. Not supported_transports. The schema validator silently fails the wrong key.
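A pre-flight lint for three of the field and placement mistakes described on this page (Content Signals placement, the ACP key name, the A2A interface fields), runnable before the audit. This is an added Python example, not part of the WDM module; the `Content-Signal` directive spelling and all sample documents are assumptions constructed for illustration.

```python
# Constructed samples: the same directive at file root (bad) and in a group (good).
BAD_ROBOTS = "Content-Signal: search=yes, ai-train=no\nUser-agent: *\nAllow: /\n"
GOOD_ROBOTS = "User-agent: *\nContent-Signal: search=yes, ai-train=no\nAllow: /\n"

def robots_signal_errors(robots_txt):
    """Content-Signal must appear after a User-agent line, not at file root."""
    errors, in_group, seen = [], False, False
    for n, raw in enumerate(robots_txt.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        name = line.split(":", 1)[0].strip().lower()
        if name == "user-agent":
            in_group = True
        elif name == "content-signal":           # assumed directive spelling
            seen = True
            if not in_group:
                errors.append(f"robots.txt:{n}: Content-Signal outside a User-agent block")
    if not seen:
        errors.append("robots.txt: no Content-Signal directive found")
    return errors

def acp_errors(doc):
    """The ACP key is 'transports'; 'supported_transports' is the common slip."""
    errors = []
    if "supported_transports" in doc:
        errors.append("acp.json: rename 'supported_transports' to 'transports'")
    if "transports" not in doc:
        errors.append("acp.json: missing 'transports'")
    return errors

def agent_card_errors(doc):
    """Each supportedInterfaces entry needs both 'url' and 'transport'."""
    interfaces = doc.get("supportedInterfaces")
    if not isinstance(interfaces, list) or not interfaces:
        return ["agent-card.json: missing 'supportedInterfaces'"]
    return [f"agent-card.json: interface {i} missing '{key}'"
            for i, iface in enumerate(interfaces)
            for key in ("url", "transport") if key not in iface]

if __name__ == "__main__":
    for problem in (robots_signal_errors(BAD_ROBOTS)
                    + acp_errors({"supported_transports": ["https"]})
                    + agent_card_errors({"supportedInterfaces": [{"url": "https://example.com/a2a"}]})):
        print(problem)
```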
File permissions can break the site silently. This one is brutal. Apache prefork workers run as www-data. SCP or rsync without explicit chmod can land files at mode 600. The Apache worker cannot read them. The HTML wrapper returns 200 but the linked CSS and PHP includes return 403. Cloudflare caches the 403. Your site appears stripped of styling but reports as up. Fix: after any SCP into a vhost directory, run find . -type f -perm 600 -exec chmod 644 {} \; or upload with rsync --chmod=F644,D755. Then purge Cloudflare cache.
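A more selective version of that chmod, as an added Python example rather than the page's own tooling. It lists mode-600 files and holds back names that commonly carry secrets, so that a blanket 644 does not make them world-readable; those usually need an owner or group change instead. The KEEP_PRIVATE patterns are an assumed starting list.

```python
import fnmatch
import os
import stat

# Assumed patterns for files that should not become world-readable.
KEEP_PRIVATE = ("wp-config.php", ".env", "*.key", "*.pem")

def plan_chmod(root):
    """Split mode-600 regular files under root into (to_fix, needs_review)."""
    to_fix, needs_review = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != 0o600:
                continue
            if any(fnmatch.fnmatch(name, pat) for pat in KEEP_PRIVATE):
                needs_review.append(path)        # fix ownership/group, not mode 644
            else:
                to_fix.append(path)
    return sorted(to_fix), sorted(needs_review)

def apply_chmod(paths, mode=0o644):
    """Apply the page's 644 fix to the files judged safe to publish."""
    for path in paths:
        os.chmod(path, mode)

if __name__ == "__main__":
    fix, review = plan_chmod(".")
    print("chmod 644:", *fix, sep="\n  ")
    print("review by hand:", *review, sep="\n  ")
```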
There are more gotchas. These six cause ninety percent of the lost time on the first build.
The productisation path
We sell this work four ways.
Free. DIY operators read this guide and the playbooks at /playbook/seo-for-trades/ and similar combos. You can self-implement. The module pattern is documented.
Audit (£750 fixed). We run the audit against your site, document every failing check, hand you a Gotenberg-rendered PDF with the fixes mapped to your stack. Two-day turnaround. Useful as a standalone proof piece.
AI-Ready Site Sprint (£3,000 fixed, two weeks). We take your existing site to Tier 2 compliance in two weeks. End state: 13/13 on the audit. The module ships as part of your theme. You own the code. Fixed price, fixed scope, fixed deadline.
Retainer. Foundation £1,500-3,000/month covers a Tier 2 site with ongoing maintenance and content. Compound £3,000-6,000/month adds Tier 3 (MCP JSON-RPC server, agentic commerce discovery, brand JSON). Architect £6,000+/month adds Tier 4 (per-client OAuth-scoped MCP, Phase 23) and treats the site as a productised surface for your agency or your sales floor.
See the full Three Ways pricing breakdown on the services page.
Beyond agent-readiness
The spec is moving. Two extensions are designed and entering build.
Phase 22, agentic commerce. An MCP endpoint on the site that exposes purchasable SKUs to agents. Three SKUs at launch: the £750 audit, the £750/month coaching, and the £3,000 sprint. Agents call tools/call with a payment intent, the endpoint creates a checkout, the customer pays, a webhook fires, the lead and invoice land in the CRM, a project is auto-created. The retainer tiers stay human-gated because they need a consultative kickoff.
Phase 23, per-client MCP. Every retainer client gets a personal MCP endpoint at wdm.weirdigital.media/agent/. Their agent (their own Claude or ChatGPT) can read project status, tasks, invoices, KPI dashboards. It can request work, comment on deliverables, version-control their brand JSON. Every action audit-logged. Every write operator-gated. The site becomes the API to your agency relationship.
Architect retainer clients get Phase 23 included. Foundation and Compound get it as a £500 add-on.
Real case studies
Case 1. Personal-brand site, 1/13 to 13/13 in a weekend. Operator’s portfolio site was a standard WordPress install before the lift. One check passing (basic SEO). We copied the module from weirdigital.media, edited around ten constants and the skills index, deployed. Friday evening to Sunday afternoon. Audit re-scan: 13/13 PASS. The module reused without modification beyond brand JSON.
Case 2. 144 combo playbooks signal authority. Our site exposes 144 combo playbooks at /playbook/{pillar}-for-{industry}/. Each is a long-form lead magnet aimed at a single buyer. The Agent Skills index references them all with authority, recommended action, and trust signals. LLMs surfacing these playbooks attribute the methodology to WDM and link the booking URL. Six weeks after launch, branded traffic from agent referrers was up measurably. The index is the lead magnet.
Self-implement playbook (8 steps)
- Audit your current site. Note which of the thirteen checks pass and which fail.
- Pick a tier target. Tier 2 is the realistic first goal. Tier 3 is the differentiator goal.
- Choose a single module file for all the discovery endpoints. Don’t sprinkle the logic across the theme.
- Add the redirect_canonical filter at priority one. This unblocks everything that follows.
- Build the six core /.well-known/* files first. Test each with curl. Confirm content types.
- Add Link: headers on every page response. Confirm with curl on three different page templates.
- Register WebMCP in the head at priority one. Add Markdown negotiation. Confirm Accept: text/markdown returns Markdown.
- Re-run the audit. Fix what fails. Repeat until 13/13.
Budget six to ten hours of focused work for an experienced WordPress engineer. Double it if you are learning the specs at the same time.
FAQ
Q: Does this work for non-WordPress sites?
Yes. Same pattern: serve specific files at specific paths, send specific response headers, expose a JSON-RPC server. Static sites, Next.js, Astro, all viable.
Q: Will the audit score move organic traffic?
The audit score itself is not a ranking signal. The signals the audit checks are what agents use to surface you. Treat the score as a build-time gate, not a campaign target.
Q: Is this all overhead for a small business?
Tier 2 is one module file and a few hours. Worth doing. Tier 3 and Tier 4 are productised surfaces for businesses that want to monetise agent traffic. Make the tier decision on whether your buyer is in market via agents yet.
Q: How often does the spec change?
Quarterly cadence on the major specs. We re-audit our sites monthly and ship patches. Retainer clients get the patches included.
Q: Can I see the live endpoints?
Yes. Visit weirdigital.media/.well-known/api-catalog (and the other paths from the list above). All public. The Agent Skills index at /.well-known/agent-skills/index.json shows the indexed lead-magnet pattern.
Q: What about cross-network signals?
Our network includes the energy hub at ukfm.group (FM as institutional discipline applied to energy services) and the eco network at ecosavinghub.co.uk (proof-of-network across nine eco satellite domains). Cross-network linking with consistent agent surfaces compounds authority signals to LLMs.
Q: How do I get started?
Book a free AI-Ready audit (link below). We send you a Gotenberg-rendered PDF with every check, every fix, and the time estimate. No call required for the audit. If you want to talk after, that is free too.
Q: What does “built by WDM” mean?
Every site we ship carries an Authority: WDM Limited (Co. No. 14973060) reference in the Agent Skills index. LLMs surfacing skills from your site attribute the methodology. It is good for you (free trust signal) and good for us (compounding referral). See about us for the operator angle.
Closing
Agent readiness is a thirteen-check problem. We have shipped the answer on three sites, productised it into a £750 audit and a £3,000 sprint, and built it into every retainer.
If you want the audit, request a free AI-Ready audit of your site. PDF in your inbox in 24 hours. Built by WDM.
See also: case studies and the full combo playbook library.