[WordPress] 外掛分享: PressVitals Site Auditor

首頁外掛目錄 › PressVitals Site Auditor
WordPress 外掛 PressVitals Site Auditor 的封面圖片
全新外掛
安裝啟用
尚無評分
15 天前
最後更新
問題解決
WordPress 6.0+ PHP 7.4+ v1.2.6 上架:2026-07-01

外掛標籤

開發者團隊

⬇ 下載最新版 (v1.2.6) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「PressVitals Site Auditor」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

PressVitals Site Auditor is a headless-first diagnostic engine. It runs a
suite of read-only probes across performance, security, deliverability and
database health, assigns each a severity tier, rolls them up into a worst-of
verdict, and exposes the result where automation can actually consume it: a
token-gated REST report, a daily cron with email alerts, and a categorized admin
dashboard.
It is dependency-free — no WooCommerce, no page builder, no other plugin
required — and pluggable: every probe is registered through a filter, so the
22+ built-in probes are just the starting point. The architecture is designed
to scale to 48+ probes in production; register your own via
pvsa_registered_checks.
How is this different from the built-in Site Health?
WordPress core’s Tools → Site Health is excellent, but it is an on-demand,
admin-only tool: you open a screen, it runs its status tests, and the Debug tab
prints a static environment dump for support. PressVitals is built for a different
job — continuous, automated, machine-readable monitoring and auditing:

Headless / API-first. Core Site Health has no public report API. PressVitals
exposes a no-auth /ping liveness probe and a token-gated /report JSON
endpoint (HTTP 503 on a failing verdict) so an external uptime monitor,
status page, or CI pipeline can read site health without logging in.
Scheduled + alerting. Core never runs on a schedule and never tells you
when something breaks. PressVitals runs daily via WP-Cron and emails the admin
when the verdict is fail.
Severity tiers + worst-of verdict. Core labels results good/recommended/
critical. PressVitals assigns each probe a 1–5 severity tier and computes a
single rolled-up verdict suitable for a green/red status signal.
Probes core does not have. TLS certificate-expiry countdown (core only
checks that HTTPS works today), .env/secret-file web exposure, a web-root
stray-backup scanner, baseline security headers (HSTS / X-Frame-Options / …),
forced-HTTPS redirect, XML-RPC exposure, default-admin-username detection,
SPF + DMARC email-DNS records, homepage indexability, and database-bloat
(expired transients / revisions / spam) checks.
Pluggable + configurable. Core’s tests are fixed. PressVitals lets any plugin
or theme register probes via a filter and tune every threshold via filters.

Think of it as the layer on top of Site Health: the same read-only philosophy,
re-pointed at automation, alerting, and security/ops auditing.
Built-in probes
PressVitals ships 29 built-in probes, grouped by functional category:

Availability — database connectivity, homepage HTTPS reachability.
Security — .env not web-accessible (HTTP) and not exposed on disk,
web-root stray/backup file scan, TLS certificate expiry, baseline security
headers, forced HTTPS, XML-RPC exposure, no default admin user,
wp-config.php permissions, user-enumeration exposure, error-display off.
Errors — error-log size, recent PHP fatal errors.
Database — core tables present, non-core/orphaned tables, autoloaded-options
size, database bloat.
Files — free disk space, uploads-directory writability, recent backup.
Email — SPF + DMARC DNS records for the sending domain.
SEO — homepage is indexable (not noindex).
Performance — PHP memory limit, persistent object cache.
Environment — supported PHP version, WordPress core update available,
plugin updates pending.

Extend it with your own checks
Probes are not hardcoded — the engine collects them from a filter, so any plugin
or theme can register its own:
add_filter( 'pvsa_registered_checks', function ( array $checks ) {
$checks['my_queue_backlog'] = array(
'label' => 'Job queue backlog',
'group' => 'Performance',
'tier' => 2,
'callback' => function () {
$pending = my_count_pending_jobs();
return $pending > 1000
? array( 'status' => 'warn', 'detail' => "$pending jobs pending" )
: array( 'status' => 'pass', 'detail' => "$pending jobs pending" );
},
);
return $checks;
} );

A callback returns array( 'status' => 'pass'|'warn'|'fail', 'detail' => '…' ).
Developer filters

pvsa_registered_checks — register/override probes.
pvsa_setting_{key} — override a stored threshold at read time.
pvsa_alert_email — change the failure-alert recipient.
pvsa_http_timeout, pvsa_disk_free_min_bytes, pvsa_memory_min_bytes,
pvsa_fatal_lookback_hours, pvsa_fatal_scan_max_bytes — tune environment probes.
pvsa_ssl_warn_days, pvsa_ssl_fail_days — TLS expiry thresholds.
pvsa_backup_warn_days, pvsa_backup_fail_days — backup-recency thresholds.
pvsa_last_backup_timestamp — report your last successful backup time (UNIX) so
the backup probe works with any backup plugin, host, or off-site service.
pvsa_backup_plugins — list of backup-plugin basenames recognised by presence.
pvsa_max_expired_transients, pvsa_max_revisions, pvsa_max_spam_comments —
database-bloat thresholds.
pvsa_known_tables — full table names to treat as expected (silences the
non-core/orphaned-tables probe for legitimate plugin tables).
pvsa_orphan_tables_warn — non-core table count above which the probe warns.
pvsa_sending_domain — domain used for the SPF/DMARC lookup.

Compatibility
PressVitals has no plugin dependencies and runs on virtually any WordPress
install — single-site or multisite, with or without WooCommerce, page builders,
or a backup plugin. It calls only core WordPress APIs and guards every optional PHP
function (disk_free_space, stream_socket_client/OpenSSL, dns_get_record,
WP_Filesystem), degrading a probe to a neutral pass/skip when something isn’t
available rather than erroring. The backup probe is backup-agnostic: it reads
UpdraftPlus directly, recognises other common backup plugins, and lets any other
backup solution (including host-level backups) report in via
pvsa_last_backup_timestamp.
Development
Two local workflows are scaffolded (both Docker-based; neither ships in the
package):
Automated tests — wp-env (recommended): requires Docker + Node.js.
npm -g install @wordpress/env, then wp-env start and
wp-env run tests-cli –env-cwd=wp-content/plugins/pressvitals-site-auditor vendor/bin/phpunit.
Switch versions by editing core / phpVersion in .wp-env.json and running
wp-env start –update. Without Docker, run the suite the classic way:
composer install, bin/install-wp-tests.sh wordpress_test root '' localhost,
composer test. A GitHub Actions workflow runs PHPUnit across PHP
7.4 / 8.0 / 8.2 / 8.3.
Manual multi-version testing — docker-compose: docker compose up -d boots
three browsable installs at fixed WordPress x PHP combos (WP 6.7/PHP 8.3,
WP 6.4/PHP 8.1, WP 6.3/PHP 7.4) on ports 8083 / 8081 / 8074, each with the plugin
mounted. See docker-compose.yml for details.

延伸相關外掛

文章
Filter
Mastodon