
PressVitals Site Auditor

By merolhack
A headless-first diagnostic engine featuring 22+ proactive probes for performance, security, and DB health. Extensible via REST API and filters.
Version
1.2.6
Last updated
Jul 2, 2026
PressVitals Site Auditor

PressVitals Site Auditor is a headless-first diagnostic engine. It runs a suite of read-only probes across performance, security, deliverability and database health, assigns each a severity tier, rolls them up into a worst-of verdict, and exposes the result where automation can actually consume it: a token-gated REST report, a daily cron with email alerts, and a categorized admin dashboard.

It is dependency-free — no WooCommerce, no page builder, no other plugin required — and pluggable: every probe is registered through a filter, so the 22+ built-in probes are just the starting point. The architecture is designed to scale to 48+ probes in production; register your own via pvsa_registered_checks.

How is this different from the built-in Site Health?

WordPress core's Tools → Site Health is excellent, but it is an on-demand, admin-only tool: you open a screen, it runs its status tests, and the Debug tab prints a static environment dump for support. PressVitals is built for a different job — continuous, automated, machine-readable monitoring and auditing:

  • Headless / API-first. Core Site Health has no public report API. PressVitals exposes a no-auth /ping liveness probe and a token-gated /report JSON endpoint (HTTP 503 on a failing verdict) so an external uptime monitor, status page, or CI pipeline can read site health without logging in.
  • Scheduled + alerting. Core never runs on a schedule and never tells you when something breaks. PressVitals runs daily via WP-Cron and emails the admin when the verdict is fail.
  • Severity tiers + worst-of verdict. Core labels results good/recommended/critical. PressVitals assigns each probe a 1–5 severity tier and computes a single rolled-up verdict suitable for a green/red status signal.
  • Probes core does not have. TLS certificate-expiry countdown (core only checks that HTTPS works today), .env/secret-file web exposure, a web-root stray-backup scanner, baseline security headers (HSTS / X-Frame-Options / …), forced-HTTPS redirect, XML-RPC exposure, default-admin-username detection, SPF + DMARC email-DNS records, homepage indexability, and database-bloat (expired transients / revisions / spam) checks.
  • Pluggable + configurable. Core's tests are fixed. PressVitals lets any plugin or theme register probes via a filter and tune every threshold via filters.

Think of it as the layer on top of Site Health: the same read-only philosophy, re-pointed at automation, alerting, and security/ops auditing.

Built-in probes

PressVitals ships 29 built-in probes, grouped by functional category:

  • Availability — database connectivity, homepage HTTPS reachability.
  • Security — .env not web-accessible (HTTP) and not exposed on disk, web-root stray/backup file scan, TLS certificate expiry, baseline security headers, forced HTTPS, XML-RPC exposure, no default admin user, wp-config.php permissions, user-enumeration exposure, error-display off.
  • Errors — error-log size, recent PHP fatal errors.
  • Database — core tables present, non-core/orphaned tables, autoloaded-options size, database bloat.
  • Files — free disk space, uploads-directory writability, recent backup.
  • Email — SPF + DMARC DNS records for the sending domain.
  • SEO — homepage is indexable (not noindex).
  • Performance — PHP memory limit, persistent object cache.
  • Environment — supported PHP version, WordPress core update available, plugin updates pending.

Extend it with your own checks

Probes are not hardcoded — the engine collects them from a filter, so any plugin or theme can register its own:

add_filter( 'pvsa_registered_checks', function ( array $checks ) {
    $checks['my_queue_backlog'] = array(
        'label'    => 'Job queue backlog',
        'group'    => 'Performance',
        'tier'     => 2,
        'callback' => function () {
            $pending = my_count_pending_jobs();
            return $pending > 1000
                ? array( 'status' => 'warn', 'detail' => "$pending jobs pending" )
                : array( 'status' => 'pass', 'detail' => "$pending jobs pending" );
        },
    );
    return $checks;
} );

A callback returns array( 'status' => 'pass'|'warn'|'fail', 'detail' => '…' ).

Developer filters

  • pvsa_registered_checks — register/override probes.
  • pvsa_setting_{key} — override a stored threshold at read time.
  • pvsa_alert_email — change the failure-alert recipient.
  • pvsa_http_timeout, pvsa_disk_free_min_bytes, pvsa_memory_min_bytes, pvsa_fatal_lookback_hours, pvsa_fatal_scan_max_bytes — tune environment probes.
  • pvsa_ssl_warn_days, pvsa_ssl_fail_days — TLS expiry thresholds.
  • pvsa_backup_warn_days, pvsa_backup_fail_days — backup-recency thresholds.
  • pvsa_last_backup_timestamp — report your last successful backup time (UNIX) so the backup probe works with any backup plugin, host, or off-site service.
  • pvsa_backup_plugins — list of backup-plugin basenames recognised by presence.
  • pvsa_max_expired_transients, pvsa_max_revisions, pvsa_max_spam_comments — database-bloat thresholds.
  • pvsa_known_tables — full table names to treat as expected (silences the non-core/orphaned-tables probe for legitimate plugin tables).
  • pvsa_orphan_tables_warn — non-core table count above which the probe warns.
  • pvsa_sending_domain — domain used for the SPF/DMARC lookup.
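
The filters above combined in one mu-plugin file, as an added example that is not part of PressVitals itself: a custom Security probe for two wp-config.php hardening gaps, a backup timestamp fed from a host-level job, and an earlier TLS-expiry warning. Assumptions: the acme_ names are hypothetical, the tier value is illustrative, and pvsa_last_backup_timestamp and pvsa_ssl_warn_days are assumed to pass and expect a plain integer.

```php
<?php
// Added example, not PressVitals code. Names prefixed acme_ are hypothetical.

add_filter( 'pvsa_registered_checks', function ( array $checks ) {
	$checks['acme_config_hardening'] = array(
		'label'    => 'wp-config.php hardening constants',
		'group'    => 'Security',
		'tier'     => 2, // Illustrative; the page does not say which end of 1-5 is most severe.
		'callback' => function () {
			$problems = array();
			// DISALLOW_FILE_EDIT removes the dashboard theme/plugin code editor.
			if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
				$problems[] = 'dashboard file editor is enabled';
			}
			// Report constant names only: 'detail' is part of the probe result,
			// so key material must never be copied into it.
			foreach ( array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY' ) as $name ) {
				$value = defined( $name ) ? (string) constant( $name ) : '';
				if ( '' === $value || 'put your unique phrase here' === $value ) {
					$problems[] = "$name is unset or still the sample value";
				}
			}
			return array(
				'status' => $problems ? 'warn' : 'pass',
				'detail' => $problems ? implode( '; ', $problems ) : 'file editor off, keys customised',
			);
		},
	);
	return $checks;
} );

// Feed the backup-recency probe from a host-level job that stores a UNIX time
// in a (hypothetical) option after each successful run.
add_filter( 'pvsa_last_backup_timestamp', function ( $timestamp ) {
	$reported = (int) get_option( 'acme_last_backup_ok', 0 );
	// Ignore missing or future-dated values so a bad write cannot mask a stale backup.
	if ( $reported <= 0 || $reported > time() ) {
		return $timestamp;
	}
	return max( (int) $timestamp, $reported );
} );

// Warn on TLS expiry 30 days out (assumes the filter takes a number of days).
add_filter( 'pvsa_ssl_warn_days', function () {
	return 30;
} );
```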

Compatibility

PressVitals has no plugin dependencies and runs on virtually any WordPress install — single-site or multisite, with or without WooCommerce, page builders, or a backup plugin. It calls only core WordPress APIs and guards every optional PHP function (disk_free_space, stream_socket_client/OpenSSL, dns_get_record, WP_Filesystem), degrading a probe to a neutral pass/skip when something isn't available rather than erroring. The backup probe is backup-agnostic: it reads UpdraftPlus directly, recognises other common backup plugins, and lets any other backup solution (including host-level backups) report in via pvsa_last_backup_timestamp.

Development

Two local workflows are scaffolded (both Docker-based; neither ships in the package):

Automated tests — wp-env (recommended): requires Docker + Node.js. npm -g install @wordpress/env, then wp-env start and wp-env run tests-cli --env-cwd=wp-content/plugins/pressvitals-site-auditor vendor/bin/phpunit. Switch versions by editing core / phpVersion in .wp-env.json and running wp-env start --update. Without Docker, run the suite the classic way: composer install, bin/install-wp-tests.sh wordpress_test root '' localhost, composer test. A GitHub Actions workflow runs PHPUnit across PHP 7.4 / 8.0 / 8.2 / 8.3.

Manual multi-version testing — docker-compose: docker compose up -d boots three browsable installs at fixed WordPress x PHP combos (WP 6.7/PHP 8.3, WP 6.4/PHP 8.1, WP 6.3/PHP 7.4) on ports 8083 / 8081 / 8074, each with the plugin mounted. See docker-compose.yml for details.

Free on paid plans
Tested up to
WordPress 7.0