The Site Health tool was introduced in WordPress 5.2. It’s designed to give you, the site owner, some valuable information about your site and server performance. It’s also useful in the event you have to contact the support team for your theme or a plugin you’re using.
Where to find it?
There’s a Site Health Status widget on the Dashboard tab (since WordPress 5.4), while the complete tool can be found under Tools > Site Health.
Note that this tool requires the WordPress Heartbeat API. If you are using the Heartbeat Control plugin, or similar, to disable heartbeat totally for your site’s backend, the Site Health tool won’t work:
Overview
The messages on the Status tab are divided into 2 types – security and performance.
Security
- Do you have inactive themes installed?
- Do you have inactive plugins installed?
- Are you running the latest PHP version?
- Is your site using HTTPS?
- Can your site communicate securely with other services?
- Can your site communicate with WordPress.org (required for updates)
- Are debugging log files available for public viewing?
Performance
- Is your site running the latest version of WordPress?
- Are recommended PHP modules available?
- Is your database’s SQL version up to date?
- Is your database using the UTF8MB4 character set?
- Are scheduled events working on your site?
- Can your site make HTTP requests to other servers?
- Can your site complete loopbacks?
- Is the REST API working on your site?
Info tab
The Info tab gives you a useful summary of your server and WordPress environment. This can be helpful if you need to contact the support department of a plugin or theme and they need some technical information about your site. There’s a handy button to copy all the info so you an easily paste it into a support ticket.
What to look out for
You don’t necessarily need to pass every single check to have a healthy site, but there are a few things worth taking action on.
PHP version
PHP is the programming language that WordPress is built with, so it’s absolutely fundamental to the infrastructure of your site. Just like software, PHP gets updates. The improvements are better for security and for the overall speed and performance of your site. So you want the best version possible.
If you’re already using version 7 or later, you’re doing pretty well. But if you’re still running 5.6, this is upgrade is going to be more impactful and I recommend doing it as soon as possible.
Be aware that all your plugins need to be compatible with the version of PHP you want to use. Before you upgrade it would be a good idea to update all your plugins, and even check with their developers if they are compatible with the latest version of PHP.
Most hosts provide a selection tool for PHP version in their hosting control panel. If anything goes wrong, you can always switch back. Some managed hosts may have a preview tool.
For example, WP Engine has a tool that lets you preview how your site will look on a given version of PHP. This is only visible to you, the site admin, so even if something doesn’t work, it won’t affect your site visitors.
Inactive themes/plugins
Even if they aren’t actually active, plugins and themes still contain PHP code which is just sitting on your server, and therefore can still be exploited.
So if you do have inactive themes/plugins you should keep them updated, just as you would active plugins, or simply delete them to be safe.
I recommend keeping one default theme, just in case you need to switch to it if your site has an issue in the future.
Scheduled events
These are automatic tasks that plugins and WordPress itself needs to run on particular schedules. For example WordPress checks for plugin updates and core updates every 12 hours. Cron is the mechanism that enables this to happen.
Your site will still function even if scheduled events fail, but some features of some plugins won’t work, along with some native WordPress functionality such as scheduling posts to publish in the future.
Loopbacks
If your site can’t make requests to itself, it could prevent some plugin features from working and it will also prevent scheduled events from working properly since it’s used to start wp-cron. Preventing loopbacks could be a security measure from a plugin or your host.
Custom secti
ons
Plugins can extend the site health section to add information relevant to their own needs. For example, in the screenshot below, MonsterInsights is adding its own checks:
You’ll have to review these on a case by case to see how critical they really are. This section is open to abuse by plugin authors.
Note that certain “issues” may be temporary. For example, once in a while I get a message like this:
However, if I refresh the page, it usually goes away.
Additional reading: Claire Brotherton has an excellent look at this in her extensive post: The WordPress Site Health Check: Help or Hindrance?