HTTPS (HTTP over TLS) encrypts traffic between browsers and your server. In WordPress, both the home and site URLs should use https://.
Why it matters: Prevents credential/session theft, protects data integrity, improves SEO ranking signals, and is required for modern browser features (e.g., Service Workers, HTTP/2).
Good to know: Mixed HTTP/HTTPS configurations can break cookies, cause mixed-content warnings, and hurt crawlability. Use a valid certificate and HSTS for best practice.
Action (partial HTTPS or mixed content):
WordPress Address (URL) and Site Address (URL) use https://.http:// asset URLs (search & replace or use a plugin like Better Search Replace).X-Forwarded-Proto).Action (HTTP only):
https:// in Settings → General.max-age=31536000; includeSubDomains; preload).www if used).http:// to https://.http:// requests to https:// with a 301 redirect (for Apache this is usually in .htaccess, for Nginx in the server block).http:// URLs to your own domain (plugins like “Better Search Replace” help) and replace with https://. Reload key pages and check browser dev tools for mixed-content warnings.Strict-Transport-Security at the server/CDN level so browsers always use HTTPS.Note: Exact controls and file locations vary a lot by host. If you’re unsure where to put redirects or headers, open a ticket with your hosting provider and attach this report.
Cache: If you terminate HTTPS at a CDN or reverse proxy, Scope may be seeing the edge, not the origin. When debugging protocol or mixed-content issues, check both the cached front door (CDN) and the raw origin URL, and clear/purge caches after changing URLs or redirects.
", "links": [], "titleBadge": null, "meta": { "section": "security", "metric_id": "https" } }, "admin_hygiene": { "metric_key": "security.admin_hygiene", "title": "Admin Hygiene", "summary": { "html": "A set of quick checks to reduce common attack surfaces (e.g., default usernames, legacy features, indexing).
Why it matters: Attackers scan for easy wins—default admin usernames, exposed XML-RPC, or directory listings make brute-force and reconnaissance easier.
Action: Review and harden:
admin user; use a unique username.Action (high risk):
admin user.admin useradmin user and choose “Delete” → “Attribute all content to” your new admin before confirming./wp-admin/ at the firewall/proxy level.Note: The exact 2FA and rate-limit settings live inside whatever security plugin or WAF you use; this tile simply reminds you to turn them on and verify they’re enforced for all admin users.
XML-RPC is a legacy remote procedure call endpoint used by some publishing tools and the mobile app (older flows). It exposes methods for authentication and posting.
Why it matters: If you don’t need it, disabling reduces the attack surface and brute-force vectors. If needed, rate-limit and protect it behind security tooling.
Action: If not required, disable XML-RPC via a security plugin or server rule. If required (e.g., Jetpack legacy), enable rate-limiting and WAF rules for xmlrpc.php.
Action (actively exposed):
/xmlrpc.php)..htaccess or vhost:<Files xmlrpc.php> Require all denied</Files>location = /xmlrpc.php { deny all; }/xmlrpc.php by IP and enable bot/credential-stuffing protections.Note: Blocking at the server level affects all apps using XML-RPC. Make a quick list of known integrations before you disable it so you can test them afterward.
If a directory lacks an index file and web server listing is enabled, visitors may see the entire file list (e.g., wp-content/uploads).
Why it matters: Exposes file names, backup archives, and clues that assist attackers. Block listing at the server level or via rules (e.g., Options -Indexes in Apache).
Action: Disable indexing in web server config (Apache: Options -Indexes; Nginx: omit autoindex on) or place a blank index.html in public directories.
Action (publicly exposed):
uploads, backups) and remove sensitive files.index.html placeholders if server access is limited..htaccess, add:Options -Indexesautoindex onlocation blocks serving your site, either delete autoindex on; or explicitly set:autoindex off;index.html in exposed directories such as wp-content/uploads so the server serves that instead of a listing.Note: On managed or shared hosting, the indexing toggle is often exposed as a simple “directory listing” or “Indexes” checkbox in the control panel instead of raw config.
The ability to derive usernames (e.g., via ?author=1 redirects or error messages).
Why it matters: Knowing valid usernames halves the brute-force problem. Block enumeration to force attackers to guess both username and password.
Action: Add rewrite rules to block author archive enumeration, and configure your security plugin to mask usernames in errors and endpoints.
Action (enumeration detected):
?author= patterns (rewrite to 404) or map to display names only.?author= URLs?author=ID patterns to a safe URL or 404./wp-json/wp/v2/users to authenticated users, or to hide email/username fields from anonymous callers.Note: Blocking enumeration doesn’t remove the need for strong passwords and 2FA; it simply makes attacks more expensive by hiding valid usernames.
HTTP response headers that enforce browser-side security policies.
Why: They mitigate XSS, clickjacking, MIME sniffing, and protocol-downgrade risks by pushing guardrails into the browser.
", "evergreen": true }, "states": { "default": { "body_html": null }, "warn": { "body_html": null }, "bad": { "body_html": null } }, "how_to": { "evergreen_html": null, "state_overrides": { "default": null, "warn": null, "bad": null } }, "cache_note_html": null, "links": [], "titleBadge": null, "meta": { "section": "security", "metric_id": "headers" } }, "headers.csp": { "metric_key": "security.headers.csp", "title": "Content-Security-Policy (CSP)", "summary": { "html": "The Content-Security-Policy header controls which sources the browser may load for scripts, styles, images, etc., drastically reducing XSS and injection risk.
Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; script-src 'self' cdn.example.com; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'Content-Security-Policy-Report-Only to collect violations before enforcing.unsafe-inline for scripts.report-to/report-uri to receive violation reports.You can instruct browsers to send JSON reports when violations occur by adding either report-to (modern) or report-uri (legacy) directives.
Content-Security-Policy: default-src 'self'; report-to csp-endpoint;Combine this with a server or endpoint that records CSP violation reports for debugging (e.g., /csp-report endpoint, Report URI, or self-hosted collector).
Action: Ship a Report-Only CSP with a minimal allowlist; fix violations; then enforce a tighter CSP (remove broad wildcards, replace inline JS with nonces/hashes).
Action (missing CSP):
default-src 'self' baseline, explicit script-src/style-src).unsafe-inline where possible; iterate using Report-Only first.Content-Security-Policy-Report-Only: default-src 'self'report-to or report-uri to collect violation reports.script-src, style-src, img-src, etc. for the domains you actually use. Where possible, replace inline scripts with nonce or hash-based allowances.Content-Security-Policy (dropping -Report-Only), then retest critical flows.Important: CSP is powerful and easy to misconfigure. Always test in staging or during a low-risk window, and keep a way to quickly roll back header changes if something critical breaks.
Cache: CSP headers are often set at the CDN or proxy layer. After changing CSP, purge any page and edge caches or you may keep seeing violations from an old policy. If origin and CDN send different headers, Scope will only reflect the layer it is actually hitting.
", "links": [], "titleBadge": null, "meta": { "section": "security", "metric_id": "headers.csp" } }, "headers.hsts": { "metric_key": "security.headers.hsts", "title": "Strict-Transport-Security (HSTS)", "summary": { "html": "HSTS tells browsers to always use HTTPS for your domain, preventing SSL-stripping/downgrade attacks after first visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadincludeSubDomains) is HTTPS-only.max-age (≥ 1 year) once stable.preload + submission adds your domain to browser preload lists.Action: Confirm site-wide HTTPS, then start with a smaller max-age (e.g., 10800) and ramp to 31536000; add includeSubDomains when ready.
Action (no HSTS on HTTPS site):
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.includeSubDomains) serves valid HTTPS and no mixed-content errors.max-age, for example:Strict-Transport-Security: max-age=10800max-age=31536000 (1 year) and add includeSubDomains when all subdomains are HTTPS-only.preload and submit the domain to the HSTS preload list.Warning: Long HSTS + preload is effectively irreversible in the short term. Do not enable it until you are certain you’ll never need to serve HTTP on that domain again.
Cache: HSTS is cached by browsers for its entire max-age, independent of your HTML/page cache. Once you ship a strict HSTS header and it is cached, users will keep enforcing it even if you roll back at the server. Treat changes carefully and don’t rely on cache clears to undo HSTS quickly.
X-Frame-Options controls whether your pages can be framed by other sites, mitigating clickjacking.
X-Frame-Options: SAMEORIGINDENY to forbid all framing, or SAMEORIGIN to allow your own origin.ALLOW-FROM is deprecated—prefer CSP frame-ancestors for multi-origin control.Action: Set X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors 'self') except where embedding is explicitly required.
Action (missing): Add X-Frame-Options: SAMEORIGIN globally (or define a CSP frame-ancestors policy).
DENY. If you only frame your own pages, use SAMEORIGIN.X-Frame-Options: SAMEORIGINDENY) via your web server config or CDN rules.frame-ancestors instead, where you can specify multiple allowed origins.Note: Browser support has evolved toward CSP frame-ancestors; for new setups, prefer CSP plus a conservative fallback X-Frame-Options header.
Cache: If different cache layers or backends send different X-Frame-Options, users may see inconsistent framing behavior. Make sure the policy is set in a single place (origin or CDN) and then purge caches so all responses agree.
X-Content-Type-Options prevents MIME sniffing so browsers don’t treat files as a different type than declared, reducing certain injection risks.
X-Content-Type-Options: nosniffnosniff is the only valid/recommended value.Content-Type headers for HTML/CSS/JS.Action: Add X-Content-Type-Options: nosniff at server/CDN level.
Action (missing): Enforce nosniff globally; verify presence on HTML/CSS/JS responses.
X-Content-Type-Options: nosniffContent-Type values (e.g., text/html, text/css, application/javascript).Note: This header is low-risk; most modern stacks already expect and recommend nosniff.
Cache: Some CDNs or optimization plugins can strip or rewrite security headers, including X-Content-Type-Options. If Scope shows this header missing but you added it at the origin, check edge/cache rules and purge caches to ensure the header isn’t being dropped.
Referrer-Policy controls how much of the referring URL is shared when users navigate away from your pages or load subresources. It protects user privacy and reduces accidental data leakage through query strings.
Referrer-Policy: strict-origin-when-cross-originstrict-origin-when-cross-origin is a balanced default (secure and analytics-friendly).no-referrer provides maximal privacy but may impact analytics and referral tracking.unsafe-url (legacy default) is insecure—avoid it.Action: Set Referrer-Policy: strict-origin-when-cross-origin (or stricter) on HTML responses.
Action (missing/weak policy): Add a restrictive Referrer-Policy to prevent leaking sensitive URLs; validate that analytics still receive necessary referrer info.
Referrer-Policy: strict-origin-when-cross-origin balances privacy and analytics.Referrer-Policy value.Note: You can go stricter (like no-referrer) if privacy is more important than seeing referrer details in analytics.
Cache: Referrer-Policy is usually set at the edge. If analytics or referrer behavior doesn’t match what Scope reports, verify which layer (origin vs CDN) is actually sending the header and clear/page-rules caches after changing it.
", "links": [], "titleBadge": null, "meta": { "section": "security", "metric_id": "headers.referrer_policy" } }, "permissions": { "metric_key": "security.permissions", "title": "Filesystem Permissions", "summary": { "html": "Effective UNIX permissions on sensitive files and directories (e.g., wp-config.php, wp-content/uploads).
Why it matters: Overly permissive modes let other system users or processes read/alter configuration or upload shells. Follow least privilege.
", "evergreen": true }, "states": { "default": { "body_html": null }, "warn": { "body_html": null }, "bad": { "body_html": null } }, "how_to": { "evergreen_html": null, "state_overrides": { "default": null, "warn": null, "bad": null } }, "cache_note_html": null, "links": [], "titleBadge": null, "meta": { "section": "security", "metric_id": "permissions" } }, "permissions.wp_config_mode": { "metric_key": "security.permissions.wp_config_mode", "title": "wp-config.php Permissions", "summary": { "html": "Permission mask for wp-config.php (e.g., 0640).
Why it matters: Contains DB credentials and keys. Ensure it’s not world-readable. Common safe values: 0640 or 0600 depending on PHP handler.
Action: Tighten to 0640 or 0600 (owner read; group read where required). Ensure ownership matches PHP user.
Action (too permissive): Immediately set chmod 600 wp-config.php (or 640 if group-read is needed) and verify correct ownership.
wp-config.php permissionswp-config.php lives), run:chmod 640 wp-config.phpchmod 600 wp-config.phpWarning: Do not change ownership to root or a user that PHP cannot read; that can break the site. When in doubt, ask your host to apply a secure mode for you.
Permission mask for wp-content/uploads.
Why it matters: Too permissive can allow execution of malicious uploads or unintended reads. Typical safe pattern: directories 0755, files 0644, with server rules to block PHP execution.
Action: Normalize to dir 0755, files 0644; block PHP execution in uploads via .htaccess or Nginx location rules.
Action (insecure): Lock down file modes immediately; add php_flag engine off (Apache) or Nginx rules to prevent code execution in uploads.
find wp-content/uploads -type d -exec chmod 755 {} \\; find wp-content/uploads -type f -exec chmod 644 {} \\;.htaccess inside wp-content/uploads:<FilesMatch \"\\.php$\"> Deny from all</FilesMatch>location rule that denies executing PHP scripts under /wp-content/uploads.Note: Some managed hosts already enforce these rules; if your changes are being auto-reverted, check host documentation for their recommended approach.
A summary of pending updates for WordPress core, plugins, and themes.
Why it matters: Many compromises exploit known, patched vulnerabilities. Establish a cadence (e.g., weekly) and use staging for smoke tests.
Action: Schedule a maintenance window to apply pending updates in staging, verify key flows, then promote to production.
Action (overdue/critical): Update immediately starting with core and high-risk plugins. Back up first; test; then deploy to production.
Note: For high-traffic or revenue-critical sites, treat updates like mini-deployments: changelog review, staging tests, timed rollout, and ability to roll back.
Available updates to WordPress core.
Why it matters: Core releases often include security patches and compatibility improvements. Keep core current, especially on LTS branches.
Action: Update to the latest minor release; review plugin/theme compatibility notes.
Action (outdated core): Backup, update core immediately, and re-run a security scan once live.
Available updates to installed plugins.
Why it matters: Third-party plugins are a leading source of vulnerabilities. Audit riskier plugins and keep them patched.
Action: Update all non-breaking plugins; stage-test feature-critical ones.
Action (security risk): Immediately update plugins with known vulnerabilities; consider temporary deactivation if patches aren’t available.
Note: Auto-updates are convenient but can break sites silently. Use them selectively and keep staging in the loop for larger stacks.
Available updates to installed themes.
Why it matters: Themes can ship PHP and JS with vulnerabilities. Update and remove unused themes.
Action: Update child/parent themes; remove unused themes to reduce surface.
Action (security/compat): Update active theme now; if blocked by customizations, port changes to a child theme and update base.
A breakdown of total, active, inactive, and must-use (MU) plugins.
Why it matters: Each plugin adds code paths and supply-chain risk. Fewer, well-maintained plugins mean lower attack surface and better performance.
Action: Trim unused plugins; consolidate overlapping functionality; keep only supported, frequently updated plugins.
Action (risky footprint): Deactivate/remove unused and unmaintained plugins immediately; replace with supported alternatives.
The list of installed plugins with version, author, status, and update availability.
Why it matters: Helps you spot outdated or risky plugins. Prefer reputable vendors with frequent updates and clear changelogs.
Action: Prioritize updates for security-sensitive plugins (forms, e-commerce, auth). Review changelogs before deploying.
Action (high-risk set): Remove abandoned plugins; patch critical ones first; enable a staging test cycle for the rest.
Plugins auto-loaded from wp-content/mu-plugins.
Why it matters: They always run and can’t be deactivated from the standard UI. Use for site-critical bootstrap code, not routine features.
Action: Review MU plugins; ensure they’re minimal, documented, and version controlled.
Action (misuse): Move non-essential MU plugins to standard plugins; keep MU for critical bootstrap only.
wp-content/mu-plugins/ directory to see exactly which files are loaded.Heuristic indicating plugins that haven’t seen updates in a long time (e.g., > 12 months).
Why it matters: Unmaintained code accumulates vulnerabilities. Vet or replace with maintained alternatives.
Action: Evaluate vendor activity and community reports; plan replacement if maintenance is uncertain.
Action (unmaintained): Replace immediately with a supported plugin; validate data migration paths.
Detection of more than one caching/optimization plugin.
Why it matters: Overlapping features cause conflicts, stale caches, and performance regressions. Consolidate to a single cache layer.
Action: Choose one primary page/object cache; disable others; clear all caches.
Action (conflicts likely): Immediately deactivate redundant cache plugins; keep a single, well-supported solution.
Cache: Multiple page/object/cache plugins plus a CDN can hide which layer is serving a response. When chasing odd behavior in other tiles (headers, HTTPS, SEO), temporarily disable extra cache plugins, clear all caches, and test through a single, known cache layer.
", "links": [], "titleBadge": null, "meta": { "section": "plugins", "metric_id": "duplicates.cache_plugins" } }, "licenses_missing": { "metric_key": "plugins.licenses_missing", "title": "License/Key Gaps", "summary": { "html": "Plugins that require licenses/keys but none detected.
Why it matters: Missing licenses can block updates and security patches. Ensure production has valid keys.
Action: Add/update license keys on production to restore updates.
Action (blocked updates): Enter valid licenses now to receive security patches; remove the plugin if a license cannot be procured.
Database vendor and version (MySQL or MariaDB).
Why it matters: Newer engines offer performance, stability, and features (e.g., improved InnoDB). Some WP plugins require minimum versions.
Action: Plan an upgrade to a currently supported LTS release; verify backups and staging compatibility (charset/collation) before migration.
Action (outdated/unsupported): Migrate to a supported version ASAP; take full backups, test restores, and schedule a maintenance window.
mysql --version, confirm the current MySQL/MariaDB version.wp db export, or your backup tool).PHP bytecode cache (and optional JIT) that keeps compiled scripts in memory.
Why it matters: Dramatically reduces CPU and improves response times under load.
Action: Enable OPcache with sensible defaults; ensure adequate memory (opcache.memory_consumption) and set revalidate_freq for your deploy process.
Action (disabled/misconfigured): Turn on OPcache; size memory (e.g., 128–256MB for typical sites), and confirm it survives restarts.
php.ini, .user.ini, or hosting UI).opcache.enable=1 and opcache.enable_cli=1 (if you use CLI tools) are set.opcache.memory_consumption to a reasonable size (e.g., 128–256M for typical WordPress sites).opcache.max_accelerated_files high enough for your codebase (e.g., 10000+).phpinfo() or your host’s tools.Cache: OPcache is separate from page/CDN caches. If you change PHP code or configuration and don’t see it reflected, you may need to flush OPcache and clear any full-page caches so Scope (and users) see the updated behavior.
", "links": [], "titleBadge": null, "meta": { "section": "server", "metric_id": "opcache" } }, "object_cache": { "metric_key": "server.object_cache", "title": "Object Cache", "summary": { "html": "Persistent cache layer (Redis/Memcached) for WordPress objects and queries.
Why it matters: Reduces database load and speeds up dynamic pages and admin.
Action: Enable a persistent object cache (Redis or Memcached) and verify connection health and eviction policy.
Action (none/unstable): Install and configure Redis/Memcached; monitor hit ratio and memory pressure; fix timeouts.
Cache: A persistent object cache can keep options and transients around after you change settings. If a tile still reports old values, clear the object cache (Redis/Memcached) and re-run the report, especially after big config or plugin changes.
", "links": [], "titleBadge": null, "meta": { "section": "server", "metric_id": "object_cache" } }, "php_version": { "metric_key": "server.php_version", "title": "PHP Version", "summary": { "html": "The PHP runtime version executing WordPress.
Why it matters: Supported versions get security fixes and run faster. Upgrading often yields major performance gains.
Action: Plan upgrade to a currently supported PHP (e.g., 8.1+). Test in staging for deprecated features before rollout.
Action (EOL PHP): Upgrade PHP immediately via hosting panel or ops; fix deprecated API usage in staging, then go live.
phpinfo(), or your hosting panel.The database server version (MySQL or MariaDB).
Why it matters: Newer engines bring better performance and features (e.g., improved InnoDB). Ensure compatibility with your host.
Action: Schedule DB engine upgrade to a supported LTS; verify charset/collation and backups beforehand.
Action (outdated DB): Migrate to a supported version; run backups and test restore, then perform in a maintenance window.
SELECT VERSION();.The HTTP server stack (Apache, Nginx, LiteSpeed, etc.).
Why it matters: Determines available modules, rewrite rules, and tuning knobs. Align caching/compression with the stack.
Action: Ensure TLS/HTTP/2 or 3 is enabled; align rewrite and caching modules with your chosen stack; remove unused modules.
Action (misconfig/legacy): Update server packages; standardize a modern stack (e.g., Nginx/LiteSpeed with HTTP/2/3) and reapply hardened configs.
Cache: Stack detection can be skewed by a CDN masking the true origin (for example, seeing “cloudflare” instead of Apache/Nginx). If results look off, hit the origin host directly or bypass the CDN, then re-run the report to get an accurate view of the underlying server and cache stack.
", "links": [], "titleBadge": null, "meta": { "section": "server", "metric_id": "server_software" } }, "memory_limit": { "metric_key": "server.memory_limit", "title": "PHP Memory Limit", "summary": { "html": "Max memory the PHP process can consume.
Why it matters: Too low can cause fatals under load; too high masks memory leaks. Typical WordPress sites run comfortably at 256–512MB.
Action: Raise to at least 256M in php.ini/.user.ini or host UI; profile heavy plugins.
Action (too low/fatals likely): Increase to 256M–512M immediately; audit error logs for OOM and optimize offending plugins.
memory_limit via Scope or phpinfo().memory_limit in php.ini, .user.ini, or the hosting UI (e.g., 256M–512M).Max allowed size for a single uploaded file (upload_max_filesize).
Why it matters: Impacts media/library workflows. Keep aligned with CDN and post limits.
Action: Align upload_max_filesize with editorial needs (e.g., 64–128MB for media-heavy sites) and ensure post_max_size ≥ this value.
Action (too low): Raise both upload_max_filesize and post_max_size to meet workflow; verify server/client timeouts.
upload_max_filesize to a value that fits your editorial workload (for example, 64M or 128M).post_max_size is at least as large as upload_max_filesize.Max size of POST request payload (post_max_size).
Why it matters: Must be ≥ upload limit to allow larger uploads/forms. Coordinate with server-level limits.
Action: Set post_max_size ≥ upload_max_filesize (e.g., 128MB) and ensure reverse proxy/client limits match.
Action (blocking uploads): Increase post_max_size and web server/proxy client_max_body_size (Nginx)/LimitRequestBody (Apache).
post_max_size to be equal to or larger than upload_max_filesize.client_max_body_size on Nginx, LimitRequestBody on Apache).Max seconds a PHP script may run.
Why it matters: Long imports/updates may need higher thresholds; excessively high values risk resource lockups.
Action: For import-heavy workflows, raise to ~120s and optimize slow queries; otherwise keep conservative (30–60s).
Action (too low/timeout errors): Temporarily raise to 120–300s for batch tasks; fix root-cause slowness and revert to a safer default.
max_execution_time.phpinfo().Max number of input variables PHP will accept in a single request.
Why it matters: Large menus or settings forms can exceed defaults; raise carefully if needed.
Action: Increase to 3000–5000 if menu/settings save fails; prefer structural simplification over large single forms.
Action (saves failing): Raise max_input_vars (e.g., 5000+), split forms, and remove unused menu items.
max_input_vars.Approximate free disk on the filesystem that hosts your WordPress path (via PHP disk_free_space()).
Why it matters: Low space breaks uploads, updates, and backups.
Note on shared/virtual hosting: This value reflects the filesystem’s free space, not your account quota. On shared or containerized hosts, your panel (cPanel/Plesk) quota can be much smaller.
How to verify: Check your hosting panel’s disk/quota metrics and inode usage. If the panel shows lower free space, trust the panel.
Action: Free space by clearing caches/backups and pruning logs. Verify your account quota in the hosting panel; if nearing quota, purchase more storage or offload media to object storage.
Action (critical): Immediately free space (rotate logs, purge caches, offload media), then expand storage or reduce quota usage. Verify inode usage if errors persist.
Total capacity of the volume hosting uploads/content.
Why it matters: Helps capacity planning for media-heavy sites.
Action: Plan capacity upgrades and/or offload media to a CDN/object storage.
Action (undersized): Increase volume size or offload media immediately to maintain operations.
Total size of options loaded on every request (autoload = yes).
Why it matters: Large autoload bloat slows every page. Audit and de-autoload non-critical entries.
Action: Identify large autoloaded options; de-autoload non-critical plugin settings; consider persistent object cache.
Action (bloat): Remove orphaned/unused autoload rows, refactor offending plugins, and enable object caching.
wp_options rows where autoload='yes' and size is large.autoload='no' after confirming it is safe.Count of recent PHP errors in the server's error log.
Why it matters: A rising error rate signals bugs, deprecations, or resource issues. Fix at source; don’t suppress.
Action: Triage recurring warnings/notices; fix deprecations; keep WP_DEBUG_LOG enabled (display off) in production.
Action (frequent errors): Investigate stack traces, roll back the last change if needed, and hotfix critical errors before proceeding.
WordPress's pseudo-cron job status: overdue counts and time to next event.
Why it matters: Overdue tasks indicate traffic/loopback problems. Consider real cron + DISABLE_WP_CRON for busy sites.
Action: Ensure wp-cron.php can run (no auth blocks); reduce overdue jobs; consider real cron for reliability.
Action (stalled): Switch to system cron that hits wp-cron.php, fix loopback failures, and clear stuck jobs.
wp cron event list) to see overdue tasks.DISABLE_WP_CRON is true, ensure a real system cron is calling wp-cron.php on a schedule (e.g., every 5–10 mins).WordPress uses its own configured time zone for scheduling posts, cron jobs, and how dates are shown in the admin. The underlying PHP/server time zone can be different.
When these disagree, you may see confusing timestamps (\"off by a few hours\"), missed or late cron events, and reports that don't line up with reality.
Ideally, WordPress should be set to a named city time zone (for example, America/Chicago) under Settings → General, and your server's PHP date.timezone should match. If this card is flagged, ask your host or devops to align the PHP time zone with WordPress, or adjust the WordPress setting if the server time zone is your source of truth.
WordPress uses server-side libraries (Imagick and/or GD) to resize and process images. If neither is available, thumbnail generation and media edits can fail. WebP/AVIF support reduces file size and improves page performance.
Note: AVIF/HEIC support depends on how ImageMagick/GD was compiled on your host.
Whether a known caching layer/plugin is active.
Why it matters: Static caching drastically reduces TTFB and CPU usage. Use exactly one page caching layer to avoid conflicts.
Tip: If your CDN does full-page caching, configure the plugin to handle purges rather than double-caching.
Action: Enable a single, reputable page cache (e.g., server cache, LiteSpeed, or a plugin) and purge on deploys.
Action (no caching): Install and configure page caching immediately; verify headers and cache hit ratios.
Cache: This check only tells you that some cache layer is likely present, not whether it is correctly purging. If you see stale or contradictory results in other tiles, treat this as a hint to review page cache, CDN rules, and invalidation hooks.
", "links": [], "titleBadge": "Inferred Signal", "meta": { "section": "performance", "metric_id": "cache_detected" } }, "compression": { "metric_key": "performance.compression", "title": "HTTP Compression", "summary": { "html": "Gzip/Brotli compression of responses.
Why it matters: Shrinks payloads and speeds transfer. Brotli generally compresses better (for HTTPS). Ensure it’s enabled for text assets.
Action: Enable gzip/Brotli for HTML/CSS/JS; confirm via response headers (content-encoding).
Action (disabled): Turn on compression in web server/CDN; verify effective compression for all text assets.
content-encoding: gzip or br appears in your response headers via browser dev tools.Cache: Compression can be handled by either the origin or CDN. If Scope shows compression disabled but GTmetrix/WebPageTest disagree, you may be looking at different cache layers. Confirm where gzip/Brotli is actually enabled and purge caches after toggling it.
", "links": [], "titleBadge": null, "meta": { "section": "performance", "metric_id": "compression" } }, "db_hygiene": { "metric_key": "performance.db_hygiene", "title": "Database Hygiene", "summary": { "html": "Signals around transients, revisions, and autoload size.
Why it matters: Excess transients and revisions bloat tables and slow queries. Clean up regularly; use persistent object caching where appropriate.
Action: Prune expired transients, cap revisions, and move non-critical options off autoload.
Action (heavy bloat): Purge transients with SQL, enable object cache (Redis/Memcached), and refactor plugins creating excessive options.
wp transient delete-expired.WP_POST_REVISIONS and prune old revisions.Total size of your database (data + indexes).
Why it matters: Larger DBs need indexing, query tuning, and proper backups. Monitor growth by table.
Action: Add indexes to slow tables, archive old data, and ensure nightly backups.
Action (very large/slow): Optimize and partition heavy tables; add read replicas if needed; ensure reliable offsite backups.
OPTIMIZE TABLE or host-provided optimization tools on bloated tables.Count of cached key/value pairs stored in wp_options.
Why it matters: Excess transients indicate plugin misuse or failing external APIs. Prune expired and consider a proper object cache.
Action: Clear expired transients; fix plugins that rewrite transients too frequently; add object cache.
Action (excessive): Bulk-delete orphaned transients; audit offending plugins and migrate to persistent object cache.
wp transient delete --all (with care) to clear expired and orphaned transients.wp_options.wp_options.A simple indicator (low/medium/high) derived from transient counts.
Why it matters: High bloat hurts admin performance and option autoload times.
Action: Reduce plugins creating transients; prune regularly with a scheduled task.
Action (high): Immediate cleanup of transients via SQL/CLI; re-architect caching behavior in plugins.
Total count of stored revisions.
Why it matters: Excess revisions consume space. Set sane limits via WP_POST_REVISIONS and prune old revisions.
Action: Set WP_POST_REVISIONS to a reasonable cap (e.g., 10) and prune older revisions.
Action (bloat): Run a revision cleanup tool; cap going forward; verify DB size reductions.
WP_POST_REVISIONS in wp-config.php to a sane limit.Whether the WP Heartbeat API is disabled or throttled.
Why it matters: Heartbeat keeps admin features in sync but can generate high PHP load on busy dashboards. Throttle instead of disabling if you rely on autosave.
Action: Throttle Heartbeat (e.g., 60s+) on admin screens; keep enabled for autosave if editors rely on it.
Action (disabled with issues): Re-enable but throttled; ensure autosave and locks work; monitor server load.
Time-to-first-byte for a local HTTP request to the site (server-to-itself).
Why it matters: A quick proxy for backend responsiveness—slow values hint at PHP/DB work, external calls, or blocking.
Action: Profile the slow path (plugins, queries, remote APIs); enable OPcache and a persistent object cache; verify no network DNS/proxy delays.
Action (consistently high): Capture callgrind/XHProf traces, optimize heavy queries, and reduce remote blocking calls; consider scaling resources.
Cache: Loopback checks usually bypass the public page cache, so TTFB here can be slower than what real visitors see behind a CDN or page cache. Use it to spot backend bottlenecks, not to judge fully cached front-end performance.
", "links": [], "titleBadge": null, "meta": { "section": "performance", "metric_id": "loopback_ttfb" } }, "cache_plugins": { "metric_key": "performance.cache_plugins", "title": "Caching Plugins", "summary": { "html": "Detected caching plugins and whether they are active.
Why it matters: Exactly one page-caching layer should be active. Multiple layers often conflict and can slow the site.
Action: Consolidate to a single page cache (server, CDN, or plugin) and ensure proper purge/invalidation on deploys.
Action (conflicting/missing): Remove duplicate layers and enable one well-supported cache; verify cache headers and hit ratios.
Whether WordPress is set to discourage search engines (blog_public).
Why it matters: Accidentally blocking indexing on production tanks discoverability. Ensure indexing is allowed unless intentionally private.
Action: If the site is public, uncheck Discourage search engines in Settings → Reading.
Action (blocked indexing): Disable the discourage setting; remove any noindex directives; resubmit sitemaps in Search Console.
noindex meta tags in your SEO plugin settings for key pages.Cache: Robots rules and meta tags can be cached aggressively. After changing noindex/index settings or robots.txt, purge caches (and any CDN) before relying on this tile, and remember that search engines may also cache older directives.
A file that suggests crawl rules to search bots.
Why it matters: Can guide or inadvertently block crawling. Keep it minimal; don’t rely on it for sensitive content.
Action: Ensure robots.txt isn’t blocking key paths; reference sitemap URL.
Action (overblocking/missing): Add a minimal robots.txt and remove broad Disallow lines that block content.
/robots.txt in a browser to see the current contents.Disallow: / directives on production unless the site is intentionally private.Sitemap: line pointing to your primary sitemap URL.Cache: Some hosts/CDNs serve a generated /robots.txt that can be cached separately from WordPress. If you’ve edited robots rules and Scope still shows the old version, bypass the CDN or clear caches and fetch robots.txt directly from the origin.
An XML index of site URLs for search engines.
Why it matters: A well-formed sitemap accelerates discovery of new content. Ensure it’s reachable and up to date.
Action: Enable and expose a sitemap (core or SEO plugin); link to it in robots.txt.
Action (missing/broken): Fix sitemap generation; ensure HTTP 200 and correct URLs; submit in Search Console.
robots.txt.Cache: XML sitemaps may be cached by SEO plugins, page caches, and CDNs. After enabling or changing sitemaps, clear plugin/page/CDN caches and then re-run the report to confirm the new sitemap is what search engines will see.
", "links": [], "titleBadge": null, "meta": { "section": "seo", "metric_id": "sitemap_present" } }, "home_title_present": { "metric_key": "seo.home_title_present", "title": "Homepage Title", "summary": { "html": "Presence of a document <title> on the homepage.
Why it matters: Essential for SEO and SERP snippets. Ensure unique, descriptive titles.
Action: Define a unique, concise homepage <title> via theme/SEO plugin.
Action (missing): Implement a <title> tag immediately; verify it renders server-side.
Presence of a meta description on the homepage.
Why it matters: Improves click-through from SERPs. Keep to ~150–160 chars and unique per page.
Action: Add a concise, compelling description via SEO plugin; avoid duplication.
Action (missing): Your homepage doesn't define a <meta name=\"description\">. Without one, search engines may pull arbitrary text from the page instead. Add a description via your SEO plugin now.
<meta name=\"description\" ...> tag appears in page source.Whether home_url and site_url align (scheme/host).
Why it matters: Mismatches cause duplicate content, session issues, and confusing redirects. Standardize to a single canonical host.
Action: Align home_url and site_url to a single canonical host (www vs non-www) and scheme.
Action (mismatch): Fix URLs in Settings → General, update redirects, and clear caches to prevent duplication and login issues.
www) and HTTPS everywhere.The URL pattern used for posts (e.g., /%postname%/).
Why it matters: Human-readable permalinks improve UX and SEO. Avoid query-string-only structures in production.
Action: Switch to a readable structure like /%postname%/ in Settings → Permalinks.
Action (default query IDs): Change to a human-readable structure and flush rewrites; update internal links if needed.
/%postname%/.flush_rewrite_rules() or WP-CLI).Whether the homepage shows a static page or latest posts.
Why it matters: Affects site architecture and internal linking. Choose based on content strategy.
Action: Ensure the chosen homepage type aligns with SEO strategy and internal linking.
Action: Reconfigure home display to match business goals; adjust menus and redirects accordingly.
Whether WP_DEBUG is enabled.
Why it matters: Don’t expose debug output on production. Use WP_DEBUG_LOG to log privately when needed.
Action: Turn off WP_DEBUG_DISPLAY in production; keep WP_DEBUG_LOG on if investigating issues.
Action (debug visible): Disable debug display immediately; move to file logging; remove error output from public pages.
wp-config.php in a safe editor.WP_DEBUG is true only if you route errors to logs, not the browser.WP_DEBUG_DISPLAY to false and WP_DEBUG_LOG to true to log privately.display_errors is disabled at the PHP level for production.DISABLE_WP_CRON toggles WordPress’s internal cron triggers.
Why it matters: On high-traffic sites, disable WP-Cron and run a real system cron hitting wp-cron.php for reliability.
Action: If disabled, ensure a system cron calls wp-cron.php regularly; otherwise enable WP-Cron.
Action (jobs failing): Re-enable WP-Cron or set up a reliable system cron; verify scheduled tasks run.
wp-config.php for DISABLE_WP_CRON.true, configure a real system cron (via hosting panel or crontab) to call wp-cron.php every few minutes.DISABLE_WP_CRON as false so normal traffic triggers events.The theme currently rendering your site.
Why it matters: Theme quality drives performance and security posture. Keep child/parent themes updated.
Action: Update theme and dependencies; remove unused parent/child themes.
Action (outdated/vulnerable): Patch or switch themes; apply a child theme for customizations to enable safe updates.
Version of the active theme.
Why it matters: Track against changelogs and security notices; update regularly.
Action: Update to the latest compatible version and test templates.
Action (behind/known issues): Update urgently; if blocked by custom code, migrate overrides to a child theme.
Snapshot of WP_DEBUG, WP_DEBUG_LOG, WP_DEBUG_DISPLAY, SCRIPT_DEBUG, and DISALLOW_FILE_EDIT.
Why it matters: Production should generally have display off, logging on (to file), and file edit disabled in the admin.
Action: Set DISALLOW_FILE_EDIT true; keep display off; log to file for troubleshooting.
Action (unsafe): Disable in-admin file editing and public error display immediately; enable private logging.
wp-config.php and locate WP_DEBUG, WP_DEBUG_LOG, WP_DEBUG_DISPLAY, SCRIPT_DEBUG, and DISALLOW_FILE_EDIT.DISALLOW_FILE_EDIT to true on production to block editor-based code edits.WP_DEBUG_DISPLAY false) while logging to a file for troubleshooting.SCRIPT_DEBUG only temporarily when debugging asset issues.Checks whether an SMTP/transactional email plugin is active and the last test email status.
Why it matters: WordPress uses the server's mail() function by default, which often fails or lands in spam. Broken email impacts user registrations, password resets, orders, and alerts.
Good to know: Popular SMTP options include WP Mail SMTP, FluentSMTP, and Post SMTP. They integrate with providers like SendGrid, Mailgun, Postmark, and Amazon SES.
Action: Consider installing an SMTP plugin to improve email reliability. Send a test email to verify delivery is working.
Action: Email test failed or no SMTP helper detected. Fix SMTP credentials or install a plugin to prevent email delivery issues.
Note: Email logging helps debug issues—enable it if your plugin offers it.
Detection of common backup plugins and last-run signals (if available).
Why it matters: Offsite, frequent, tested backups are your safety net. Verify restores periodically.
Action: Ensure nightly offsite backups for files and DB; test a restore quarterly.
Action (no recent backups): Enable daily offsite backups now and perform a test restore.
Presence of .maintenance indicates WordPress maintenance mode.
Why it matters: Should be temporary during updates. If it persists, an update likely failed—remove the flag to restore access.
Action: If unexpected, remove .maintenance; re-run the last update safely.
Action (site stuck): Delete .maintenance, clear caches, and complete the failed update manually.
.maintenance file..maintenance file via FTP/SFTP or your file manager.Cache: Maintenance pages can be bypassed by stale edge or page caches. If you toggle maintenance mode but some users still see normal pages (or vice versa), clear the cache at every layer and confirm that the maintenance response isn’t being cached unexpectedly.
", "links": [], "titleBadge": null, "meta": { "section": "config", "metric_id": "maintenance_mode" } } }, "meta": { "generated_at": { "metric_key": "meta.generated_at", "title": "Generated At", "summary": { "html": "Timestamp (ISO 8601) for when this report was produced.
Why it matters: Helps you judge data freshness during troubleshooting.
", "evergreen": true }, "states": { "default": { "body_html": null }, "warn": { "body_html": null }, "bad": { "body_html": null } }, "how_to": { "evergreen_html": null, "state_overrides": { "default": null, "warn": null, "bad": null } }, "cache_note_html": null, "links": [], "titleBadge": null, "meta": { "section": "meta", "metric_id": "generated_at" } }, "schema_version": { "metric_key": "meta.schema_version", "title": "Schema Version", "summary": { "html": "Version of the report payload format.
Why it matters: Useful for dashboards/clients that parse the report and need to handle changes gracefully.
", "evergreen": true }, "states": { "default": { "body_html": null }, "warn": { "body_html": null }, "bad": { "body_html": null } }, "how_to": { "evergreen_html": null, "state_overrides": { "default": null, "warn": null, "bad": null } }, "cache_note_html": null, "links": [], "titleBadge": null, "meta": { "section": "meta", "metric_id": "schema_version" } } } }