Title: PressVitals Site Auditor
Author: merolhack
Published: <strong>July 2, 2026</strong>
Last modified: July 2, 2026

---

Search plugins

![](https://ps.w.org/pressvitals-site-auditor/assets/banner-772x250.png?rev=3594207)

![](https://ps.w.org/pressvitals-site-auditor/assets/icon-256x256.png?rev=3594207)

# PressVitals Site Auditor

 By [merolhack](https://profiles.wordpress.org/merolhack/)

[Download](https://downloads.wordpress.org/plugin/pressvitals-site-auditor.1.2.6.zip)

 * [Details](https://wordpress.org/plugins/pressvitals-site-auditor/#description)
 * [Reviews](https://wordpress.org/plugins/pressvitals-site-auditor/#reviews)
 *  [Installation](https://wordpress.org/plugins/pressvitals-site-auditor/#installation)
 * [Development](https://wordpress.org/plugins/pressvitals-site-auditor/#developers)

 [Support](https://wordpress.org/support/plugin/pressvitals-site-auditor/)

## Description

PressVitals Site Auditor is a **headless-first** diagnostic engine. It runs a
 suite
of read-only probes across performance, security, deliverability and database health,
assigns each a severity tier, rolls them up into a worst-of verdict, and exposes
the result where automation can actually consume it: a token-gated REST report, 
a daily cron with email alerts, and a categorized admin dashboard.

It is **dependency-free** — no WooCommerce, no page builder, no other plugin
 required—
and **pluggable**: every probe is registered through a filter, so the **22+ built-
in probes** are just the starting point. The architecture is designed to scale to**
48+ probes** in production; register your own via pvsa_registered_checks.

#### How is this different from the built-in Site Health?

WordPress core’s **Tools  Site Health** is excellent, but it is an _on-demand,
 
admin-only
 tool: you open a screen, it runs its status tests, and the Debug tab

prints a static environment dump for support. PressVitals is built for a different
job — **continuous, automated, machine-readable monitoring and auditing**:

 * **Headless / API-first.** Core Site Health has no public report API. PressVitals
   
   exposes a no-auth `/ping` liveness probe and a token-gated `/report` JSON endpoint(
   HTTP **503** on a failing verdict) so an external uptime monitor, status page,
   or CI pipeline can read site health without logging in.
 * **Scheduled + alerting.** Core never runs on a schedule and never tells you
    
   when something breaks. PressVitals runs daily via WP-Cron and **emails the admin
   when the verdict is _fail_.
 * **Severity tiers + worst-of verdict.** Core labels results good/recommended/
   
   critical. PressVitals assigns each probe a 1–5 severity tier and computes a single
   rolled-up verdict suitable for a green/red status signal.
 * **Probes core does not have.** TLS _certificate-expiry countdown_ (core only
   
   checks that HTTPS works today), `.env`/secret-file web exposure, a web-root stray-
   backup scanner, baseline security headers (HSTS / X-Frame-Options / …), forced-
   HTTPS redirect, XML-RPC exposure, default-`admin`-username detection, SPF + DMARC
   email-DNS records, homepage indexability, and database-bloat (expired transients/
   revisions / spam) checks.
 * **Pluggable + configurable.** Core’s tests are fixed. PressVitals lets any plugin
   
   or theme register probes via a filter and tune every threshold via filters.

Think of it as the layer _on top of_ Site Health: the same read-only philosophy,

re-pointed at automation, alerting, and security/ops auditing.

#### Built-in probes

PressVitals ships **29 built-in probes**, grouped by functional category:

 * **Availability** — database connectivity, homepage HTTPS reachability.
 * **Security** — `.env` not web-accessible (HTTP) and not exposed on disk,
    web-
   root stray/backup file scan, TLS certificate expiry, baseline security headers,
   forced HTTPS, XML-RPC exposure, no default `admin` user, wp-config.php permissions,
   user-enumeration exposure, error-display off.
 * **Errors** — error-log size, recent PHP fatal errors.
 * **Database** — core tables present, non-core/orphaned tables, autoloaded-options
   
   size, database bloat.
 * **Files** — free disk space, uploads-directory writability, recent backup.
 * **Email** — SPF + DMARC DNS records for the sending domain.
 * **SEO** — homepage is indexable (not noindex).
 * **Performance** — PHP memory limit, persistent object cache.
 * **Environment** — supported PHP version, WordPress core update available,
    plugin
   updates pending.

#### Extend it with your own checks

Probes are not hardcoded — the engine collects them from a filter, so any plugin

or theme can register its own:

    ```
    add_filter( 'pvsa_registered_checks', function ( array $checks ) {
        $checks['my_queue_backlog'] = array(
            'label'    => 'Job queue backlog',
            'group'    => 'Performance',
            'tier'     => 2,
            'callback' => function () {
                $pending = my_count_pending_jobs();
                return $pending > 1000
                    ? array( 'status' => 'warn', 'detail' => "$pending jobs pending" )
                    : array( 'status' => 'pass', 'detail' => "$pending jobs pending" );
            },
        );
        return $checks;
    } );
    ```

A callback returns `array( 'status' => 'pass'|'warn'|'fail', 'detail' => '…' )`.

#### Developer filters

 * `pvsa_registered_checks` — register/override probes.
 * `pvsa_setting_{key}` — override a stored threshold at read time.
 * `pvsa_alert_email` — change the failure-alert recipient.
 * `pvsa_http_timeout`, `pvsa_disk_free_min_bytes`, `pvsa_memory_min_bytes`,
    pvsa_fatal_lookback_hours,`
   pvsa_fatal_scan_max_bytes` — tune environment probes.
 * `pvsa_ssl_warn_days`, `pvsa_ssl_fail_days` — TLS expiry thresholds.
 * `pvsa_backup_warn_days`, `pvsa_backup_fail_days` — backup-recency thresholds.
 * `pvsa_last_backup_timestamp` — report your last successful backup time (UNIX)
   so
    the backup probe works with _any_ backup plugin, host, or off-site service.
 * `pvsa_backup_plugins` — list of backup-plugin basenames recognised by presence.
 * `pvsa_max_expired_transients`, `pvsa_max_revisions`, `pvsa_max_spam_comments`—
   
   database-bloat thresholds.
 * `pvsa_known_tables` — full table names to treat as expected (silences the
    non-
   core/orphaned-tables probe for legitimate plugin tables).
 * `pvsa_orphan_tables_warn` — non-core table count above which the probe warns.
 * `pvsa_sending_domain` — domain used for the SPF/DMARC lookup.

#### Compatibility

PressVitals has **no plugin dependencies** and runs on virtually any WordPress
 
install — single-site or multisite, **with or without** WooCommerce, page builders,
or a backup plugin. It calls only core WordPress APIs and guards every optional 
PHP function (`disk_free_space`, `stream_socket_client`/OpenSSL, `dns_get_record`,
WP_Filesystem), degrading a probe to a neutral _pass/skip_ when something isn’t 
available rather than erroring. The backup probe is backup-agnostic: it reads UpdraftPlus
directly, recognises other common backup plugins, and lets any other backup solution(
including host-level backups) report in via pvsa_last_backup_timestamp.

### Development

Two local workflows are scaffolded (both Docker-based; neither ships in the
 package):

**Automated tests — wp-env (recommended):** requires Docker + Node.js.
 npm -g install@
wordpress/env, then `wp-env start` and wp-env run tests-cli –env-cwd=wp-content/
plugins/pressvitals-site-auditor vendor/bin/phpunit. Switch versions by editing `
core` / `phpVersion` in `.wp-env.json` and running wp-env start –update. Without
Docker, run the suite the classic way: composer install, `bin/install-wp-tests.sh
wordpress_test root '' localhost`, composer test. A GitHub Actions workflow runs
PHPUnit across PHP 7.4 / 8.0 / 8.2 / 8.3.

**Manual multi-version testing — docker-compose:** `docker compose up -d` boots

three browsable installs at fixed WordPress x PHP combos (WP 6.7/PHP 8.3, WP 6.4/
PHP 8.1, WP 6.3/PHP 7.4) on ports 8083 / 8081 / 8074, each with the plugin mounted.
See `docker-compose.yml` for details.

## Installation

 1. Upload the `pressvitals-site-auditor` folder to `/wp-content/plugins/`, or install
    
    it from the Plugins screen.
 2. Activate the plugin through the **Plugins** menu in WordPress.
 3. Go to **Tools  PressVitals Site Auditor** to view the report and configure
     thresholds.
 4. (Optional) Copy the probe URL shown on that page into your external uptime or
     
    CI monitor.

## FAQ

### Does it replace the built-in Site Health?

No — it complements it. Site Health is the on-demand, admin-facing status screen;

PressVitals adds headless REST reporting, scheduled monitoring with email alerts,
severity tiers, and security/ops audit probes that core does not run.

### Does it require WooCommerce or any other plugin?

No. It runs on any standard WordPress install with no dependencies.

### Is the report endpoint safe to expose?

/report requires either a logged-in administrator or a secret token compared
 with`
hash_equals()`. Rotate the token any time from the settings page. `/ping` returns
only a tiny liveness payload with no sensitive data.

### Does it write to my database or files?

The probes are read-only. The plugin stores only its own options (settings, last

report, token) and reads log files solely from standard WordPress locations.

### Is it tested?

Yes. It ships with a PHPUnit suite built on the WordPress core test framework
 (`
WP_UnitTestCase`) covering the check registry, the worst-of verdict aggregation,
defensive execution of a throwing/malformed check, the settings filters, the backup-
recency filter, and the REST routes (public `/ping`, token-gated `/report`, and 
the 503-on-fail behaviour). Tests run in CI and locally via `composer test` (see`
bin/install-wp-tests.sh`); they are excluded from the distributed package and never
run on a live site. Activation performs only a lightweight requirements gate (PHP
version + engine load), not the test suite.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“PressVitals Site Auditor” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ merolhack ](https://profiles.wordpress.org/merolhack/)

[Translate “PressVitals Site Auditor” into your language.](https://translate.wordpress.org/projects/wp-plugins/pressvitals-site-auditor)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/pressvitals-site-auditor/),
check out the [SVN repository](https://plugins.svn.wordpress.org/pressvitals-site-auditor/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/pressvitals-site-auditor/)
by [RSS](https://plugins.trac.wordpress.org/log/pressvitals-site-auditor/?limit=100&mode=stop_on_copy&format=rss).

## Meta

 *  Version **1.2.6**
 *  Last updated **8 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.0 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [monitoring](https://wordpress.org/plugins/tags/monitoring/)[rest-api](https://wordpress.org/plugins/tags/rest-api/)
   [security](https://wordpress.org/plugins/tags/security/)[site health](https://wordpress.org/plugins/tags/site-health/)
   [uptime](https://wordpress.org/plugins/tags/uptime/)
 *  [Advanced View](https://wordpress.org/plugins/pressvitals-site-auditor/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/pressvitals-site-auditor/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/pressvitals-site-auditor/reviews/)

## Contributors

 *   [ merolhack ](https://profiles.wordpress.org/merolhack/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/pressvitals-site-auditor/)