In this quick post, we're going to talk about site health, monitoring, and updates. This is often an easily overlooked function, which can lead to complications, or even worse, downtime. Does your current web host provider supply a list of recommendations or a notice of required updates?

Pantheon’s Example:

If your provider doesn't give you a list of updates/notifications, you may need to run periodic manual checks. However, setting your site for automatic updates might cause some issues as well. Let's say, for example, you update to the latest version of WP and your theme (which may have been created years ago on an older version of WP) isn't compatible with the most recent update: it could potentially break your site, in which case you better have a backup and be able to quickly restore and debug the code.

On the flip-side, let's say you've configured to update manually (which I would highly recommend) and updates need to be made. So, now what? Run the updates on a LIVE site? I'd suggest updating elsewhere. Depending on your server environment, you may have a STAGE or a DEV environment where you can apply the updates and QA where needed. If, after the update, everything looks normal, push updates to the LIVE site and re-run your QA check. 

Here's Pantheon's workflow (which works best for larger sites):

Check out more on Pantheon's workflow. 

This all sounds great, but who has time to monitor core and plug-in updates? Other sites might not have a multi-environment capability. If your site is hosted on Bluehost and on a very basic service plan which provides no monitoring, no notifications, and you don’t want to pay for a ManageWP subscription (which by the way is very inexpensive), you have some options. There are a variety of plugins that can do much of this monitoring and notify you about what you'll still want to do manually.

My Top 3 Plugins

1. Sucuri Security – Auditing, Malware Scanner and Security Hardening

Cost – Basic: Free & Pro: Starting at $199/year

"The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture."

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)

My notes:

This is probably one of the best plugins for this type of monitoring, however, it requires advanced knowledge of WP core. Also, be prepared for a barrage of notifications/recommendations. Perhaps use a suitable addition if you’re not hosting on a less expensive platform.

2. Wordfence Security – Firewall & Malware Scan

Cost –  Basic: Free & Advanced: Starting at $99/year

"Wordfence includes an endpoint firewall and malware scanner that was built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available."

  • WordPress Firewall
  • WordPress Security Scanner
  • Login Security
  • Wordfence Central
  • Security Tools

My notes:

I've experienced slower site speeds using this plugin, but only when logged in. Otherwise, this is a great plugin. If you have multiple users contributing to the site, this plugin’s audit trail is a must (in fact, our clients love it).

3. Jetpack by

Cost –  Basic: Free & Personal plans: Starting at $3.50/month

"Jetpack is your site’s security detail, guarding you against brute-force attacks and unauthorized logins. Basic protection is always free, while premium plans add expanded backup and automated fixes. Jetpack’s full suite of site security tools include:"

  • Brute-force attack protection, spam filtering, and downtime monitoring.
  • Backups of your entire site, either once daily or in real-time.
  • Secure login, with optional two-factor authentication.
  • Malware scanning, code scanning, and automated threat resolution.
  • A record of every change on your site to simplify troubleshooting.
  • Fast, priority support from WordPress experts.

My notes:

I’m undecided on this plugin, neither here or there. Yes, its’ many functions bundled into one all-encompassing app are great, however, there's a tremendous amount of ‘bloat’ (functions/features) that you may or may not end up using. We’ve typically only used a few of Jetpacks features, the rest of which sit unused, slowing down site speed (even when disabling unused features).

Monitoring Services

Beyond plugins, there are a couple of “all-encompassing” external monitor services. If your site is down for any reason, these services will notify you of the potential issues. Here are my two favorites:

1. Uptime Robot (free for up to 50 sites)

We’ve been using this service for several years, and it’s been extremely reliable. In most cases, we’re notified of downtime before any notice from the hosting company.

  • It asks for your websites headers and gets status codes like "200-ok", "404-not found”,  etc., every five minutes (or more depending on the monitor's settings)
  • If the status code doesn't indicate a problem, we are good
  • If the status code is ~400+ and 500+, then the site is not loading
  • To make sure the site is down, Uptime Robot makes several more checks in the next thirty seconds
  • If the site is still down, it sends an alert.

2. ManageWP

"Manage multiple WordPress websites from one dashboard. Schedule backups, migrate WordPress website, automate updates, monitor website traffic, and SEO."

My notes:

ManageWP also has monitoring services, as well as daily automated backups, etc. Costs are also relatively low for this monitoring service. I have been using it for the past several years, and highly recommend it. I’m not going to go through all of the features, instead, I’ll just list off a few of the functions we use for report automation. 

1. Plugin update notifications and one-click updates - BUT, be careful. I’d suggest doing this online on your DEV or STAGING instance. If your server doesn’t have dev instances, I’d recommend doing so cautiously (remembering to QA after each update), either by updating one at a time, or using the ‘Safe Update’ feature.

2. Automated backups with restore. Various WP specific hosting platforms, like WPEngine, Pantheon and Kinsta already have automated backups. The only time we typically use this is if we are jumping into a client site that doesn’t already have backups running, or we’re unsure of where they’re being stored. There are also dozens of plugins that might do this, however, it can take some time to set up and integrate, not to mention the trust/reliability of the plugin.

3. Automated white label reporting. Yes, this is another key feature with ManageWP. If you’re a smaller agency or even a marketer that would like to provide reporting back to your executive team, you can create and customize white-label reports that give you a high-level status of your site’s health.

Bottom line - you should always be monitoring your site’s health, whether it's a core or plug-in update. How often and when is totally up to you, but keep in mind that not updating can put your site at risk for security breaches or downtime.

Using another one of my analogies (ha!), you go to the dentist regularly for routine checkups, cleaning and whitening, so why doesn't your website (well, minus the whitening)? In this ever-changing world of cores, modules, and plugins, routine (if not daily) monitoring and updates should be a requirement.


Join the conversation