Descripció
AVAR Server Monitor is a privacy-first WordPress health dashboard, uptime monitor, server diagnostics and security insight toolkit built directly into wp-admin.
It helps WordPress administrators understand whether their site is technically healthy, available, secure and running on a reliable server environment — without requiring an external SaaS account.
Instead of showing scattered technical data across multiple places, AVAR Server Monitor brings the most important signals into one clear dashboard: uptime, SSL status, PHP and database health, server resources, WP-Cron, security checks, activity log, 404 monitoring, diagnostic exports, database maintenance and more.
Know what is wrong before visitors notice
WordPress sites often break quietly.
A cron task stops running.
An SSL certificate gets close to expiration.
The database grows.
Debug errors are exposed.
A plugin update changes something important.
A server starts running out of memory.
A backup directory may be exposed.
A WooCommerce store accumulates technical clutter.
AVAR Server Monitor helps you spot these problems early and decide what needs attention first.
Site Health Score
The main dashboard includes a 0–100 Site Health Score that summarizes the technical condition of your WordPress site.
The score is based on weighted categories:
- Core & Updates
- Server Environment
- Security Posture
- Reliability & Monitoring
- Performance & Storage
The score is not just a decorative number. It includes top issues, recommendations, action links and severity caps for critical problems.
For example, if a monitored domain is down, an SSL certificate has expired or a snapshot directory is publicly accessible, the score is capped so the site does not appear healthier than it really is.
Monitoring and diagnostics in one place
AVAR Server Monitor includes practical tools for everyday WordPress administration:
- Uptime monitoring for one or more domains.
- SSL certificate checks and expiration warnings.
- WP-Cron monitor with overdue event detection.
- Server resource overview with CPU, memory, disk and database information.
- WordPress environment overview with versions, plugins, themes and updates.
- Health Advisor for PHP, database, extensions, cache and connectivity checks.
- Security audit for HTTPS, debug exposure, file editor status, readme.html, REST API, XML-RPC and login hardening.
- Core file integrity scan against official WordPress.org checksums.
- Activity Log for important plugin, theme, update, user and login events.
- 404 monitor for frequently requested missing URLs.
- Email alerts for downtime, version changes, resource thresholds and summaries.
- Diagnostic snapshots for troubleshooting and support.
- Safe Client Health Report for communicating technical status to clients or hosting support.
- Database cleanup preview with risk labels, impact descriptions and confirmation flow.
- Maintenance mode with preview, countdown and role-based bypass.
Login security and access control
AVAR Server Monitor includes a built-in login security layer, so you can harden wp-admin without adding a separate plugin:
- Two-factor authentication (2FA) with an authenticator app (TOTP — Google Authenticator, Microsoft Authenticator, Authy and others) and/or one-time codes by email, with the method chosen at login when both are enabled. Includes QR-code setup, one-time backup codes, a «require 2FA by role» policy and an optional «remember this browser» duration.
- Brute-force protection with escalating lockouts, an IP allowlist and blocklist (CIDR and wildcard support) and manual block/unblock of active lockouts.
- A persistent, paginated login attempt log with per-IP statistics: failed attempts, incidents, lockouts and successful sign-ins, plus top attacking IPs and most-targeted usernames.
- A login CAPTCHA on the login, registration and lost-password forms — a privacy-first self-hosted math question with honeypot by default, or optional Cloudflare Turnstile, Google reCAPTCHA v2 or hCaptcha with your own keys.
- An optional custom login URL that serves the login page from a secret slug and returns 404 for the default wp-login.php.
These features run locally and require no external account; CAPTCHA providers are contacted only if you explicitly choose one.
Privacy-first approach
AVAR Server Monitor is not an external monitoring SaaS platform.
Most features run locally inside your WordPress installation. The plugin does not require an AVAR cloud account and does not send local health reports, diagnostic snapshots or server data to AVAR servers.
Some features may connect to public external services only when needed, such as the WordPress.org API for checksums and version information, or geolocation providers for server location lookup.
Built for safety
Because monitoring and diagnostics can touch sensitive areas, AVAR Server Monitor includes a dedicated Advanced Tools safety model.
Higher-risk tools are locked by default and require explicit activation.
Advanced Tools include features such as:
- Diagnostic snapshots.
- Full phpinfo().
- wp-config.php debug switches.
- Cron run/unschedule actions.
- Database cleanup.
- Table optimization.
- Force HTTPS.
- HSTS.
- Selected exports and filesystem operations.
Sensitive actions use capability checks, nonces, confirmations, safety warnings and safer defaults where appropriate.
Safer HTTPS and HSTS handling
Force HTTPS and HSTS are not simple checkboxes.
They are enabled through protected safety flows with pre-flight checks, host validation and typed confirmation for HSTS includeSubDomains.
This reduces the risk of locking yourself out of the site or accidentally applying strict HSTS rules to subdomains that are not ready for HTTPS.
Database cleanup with preview
Database cleanup can be useful, but it should never feel like a blind «delete everything» button.
AVAR Server Monitor analyzes cleanup candidates first and shows what can be removed, the risk level and the likely impact.
Riskier actions require typed confirmation. Revision cleanup supports retention rules. WooCommerce content in Trash is detected and order-like records are excluded unless explicitly selected.
The plugin uses WordPress APIs where appropriate, such as when deleting posts and comments, so other plugins and WordPress hooks can respond correctly.
Diagnostic snapshots
Diagnostic snapshots are designed for troubleshooting, support and quick technical review.
They use private storage by default when possible, long random archive names, self-healing protection files, public-access checks and safer file exclusions.
Snapshots are a diagnostic aid, not a replacement for a full disaster recovery backup strategy. For complete recovery protection, use hosting-level backups or a dedicated backup plugin.
Who is AVAR Server Monitor for?
AVAR Server Monitor is useful for:
- WordPress administrators who want a clear technical overview.
- Freelancers maintaining client websites.
- Small agencies managing business sites.
- WooCommerce store owners who want to catch technical risks early.
- Website owners who want monitoring without an external SaaS account.
- Developers who need quick diagnostics inside wp-admin.
- Support teams that need safe technical reports from clients.
What makes it different?
Many tools focus on only one area: uptime, backups, security, debugging, logs or server information.
AVAR Server Monitor focuses on the practical day-to-day question most WordPress administrators have:
«Is this site technically healthy, and what should I check first?»
It combines health scoring, monitoring, security checks, cron visibility, diagnostics, reports and safer maintenance tools into one privacy-first WordPress dashboard.
Typical use cases
Use AVAR Server Monitor to:
- Check whether your site is currently healthy.
- Monitor uptime and SSL status.
- See if WP-Cron is running correctly.
- Review PHP, database and server environment health.
- Detect security configuration issues.
- Track important plugin/theme/update activity.
- Find repeated 404 requests.
- Export a safe client or support report.
- Review database cleanup candidates before deleting anything.
- Create a diagnostic snapshot for troubleshooting.
- Understand which issues deserve attention first.
Important note
AVAR Server Monitor provides monitoring, diagnostics and safety-focused maintenance tools. Some Advanced Tools can change configuration, delete data or access sensitive diagnostic information.
Read warnings carefully, keep regular backups and test higher-risk actions on staging sites whenever possible.
External services
AVAR Server Monitor may connect to external services only for specific features:
- WordPress.org API — used for WordPress core checksums, plugin/theme information and version-related checks.
- Geolocation provider APIs — used when server location lookup is enabled or requested.
- The monitored site URLs — used by the uptime monitor to check availability of configured domains.
- CAPTCHA providers (only if you choose one) — Cloudflare Turnstile, Google reCAPTCHA or hCaptcha receive the challenge token and visitor IP to verify a login/registration attempt. The default self-hosted math + honeypot CAPTCHA uses no external service.
The plugin does not require an AVAR cloud account and does not send diagnostic snapshots or local health reports to AVAR servers.
Captures
Instal·lació
- Upload the plugin folder to
/wp-content/plugins/avar-server-monitor/, or install the plugin through the WordPress admin area. - Activate the plugin from the Plugins screen.
- Open AVAR Server Monitor from the left admin menu.
- Review the Overview dashboard and Site Health Score.
- Enable uptime monitoring, email alerts or Advanced Tools as needed.
- Read the warnings carefully before using sensitive tools.
PMF
-
Do I need an external account or SaaS service?
-
No. The plugin is designed to work directly inside WordPress. Most features run locally inside wp-admin.
-
Does the plugin send data to an AVAR server?
-
No. The plugin does not require an AVAR SaaS account and does not send local diagnostic data to an AVAR server.
-
Does the plugin use external services?
-
Yes, some features may use public external services. For example, the WordPress.org API may be used for checksums, plugin/theme/core information, and geolocation providers may be used for server location lookup. These services are documented by the plugin.
-
Is the plugin suitable for beginners?
-
Yes. Basic monitoring and the Site Health Score are designed to be useful for regular WordPress administrators. Higher-risk tools are separated into Advanced Tools and include additional warnings.
-
Can the plugin break my site?
-
Regular monitoring and diagnostic features are read-only or low risk. Some Advanced Tools can change configuration, delete data or work with files. These actions are protected with confirmations, nonces, capability checks and safety warnings.
-
Are database cleanup tools safe?
-
The plugin uses WordPress APIs where appropriate, such as when deleting posts and comments. Cleanup is preview-first, risky items are not selected by default and permanent deletion requires typed confirmation.
However, these are still irreversible operations. We recommend having a current backup before running database cleanup.
-
Does the plugin delete WooCommerce data?
-
The plugin detects WooCommerce content in Trash during database cleanup and shows special warnings. Order-like records such as orders, refunds and subscriptions are excluded unless explicitly selected by the user.
-
Are snapshots a replacement for a full backup solution?
-
No. Diagnostic snapshots are intended for troubleshooting and analysis. For full disaster recovery, use hosting backups or a dedicated backup plugin.
-
Where are snapshots stored?
-
The plugin uses private storage outside the web root by default when available. If private storage is not writable, it may use an uploads fallback with best-effort protection.
-
Why is HSTS protected through Advanced Tools?
-
HSTS can cause problems if misconfigured, especially when includeSubDomains is used and not all subdomains support HTTPS. For this reason, HSTS activation uses a dedicated safety flow and typed confirmation.
-
Does the plugin work on multisite?
-
Yes. The plugin includes basic multisite support and a network overview. Some features may be limited by network configuration and permissions.
-
Does the plugin slow down the site?
-
The plugin is designed to minimize performance impact. Admin assets are loaded only where needed. 404 logging includes throttling and static asset ignores. Resource history and uptime monitoring use scheduled tasks and limits.
Some manual diagnostic actions, such as size scans, database cleanup or table optimization, may be heavier on large sites.
-
How do I get support, report a bug or suggest a feature?
-
The best place is the plugin support forum on WordPress.org at https://wordpress.org/support/plugin/avar-server-monitor/. Post your question, bug report or feature suggestion there — replies are public, so they also help other users. You can also contact the author by email at support@avar.sk or through the plugin website at https://plugins.avar.sk/avar-server-monitor.
Ressenyes
No hi ha ressenyes per a aquesta extensió.
Col·laboradors i desenvolupadors
«AVAR Server Monitor» és programari de codi obert. La següent gent ha col·laborat en aquesta extensió.
Col·laboradors
“AVAR Server Monitor” s’ha traduït a 3 configuracions regionals. Gràcies als traductors per les seves aportacions.
Traduïu «AVAR Server Monitor» a la vostra llengua.
Interessats en el desenvolupament?
Navegueu pel codi, baixeu-vos el repositori SVN, o subscriviu-vos al registre de desenvolupament per fisl de subscripció RSS.
Registre de canvis
1.7.0
- Added two-factor authentication (2FA): authenticator app (TOTP — Google Authenticator, Microsoft Authenticator, Authy and others) and/or one-time codes by email, with the method chosen at login when both are enabled. Includes QR-code setup, one-time backup codes, an optional «require 2FA by role» policy, and an optional «remember this browser» option with an admin-defined duration. No external service.
- Added an optional custom login URL: serve the login page from a secret slug and return 404 for the default wp-login.php (requires pretty permalinks; off by default).
- Added a login CAPTCHA on the login, registration and lost-password forms: a privacy-first self-hosted math question with honeypot by default, or optional Cloudflare Turnstile / Google reCAPTCHA v2 / hCaptcha with your own keys.
- Added a dedicated Login Security module: comprehensive brute-force protection with persistent, per-IP login attempt statistics.
- Every login attempt is recorded (date, IP address, username, result) to a dedicated database table and classified as informational, a possible incident, or an incident.
- Statistics dashboard: failed attempts (24h/7d), incidents, lockouts and successful sign-ins, plus top attacking IPs and top targeted usernames.
- Escalating lockouts (each repeat lockout for the same IP lasts longer, up to 24 hours), IP allowlist and blocklist (with CIDR and wildcard support), and active-lockout management (manual block/unblock).
- Optional email alerts when a lockout is triggered or when an administrator signs in; automatic log pruning with a configurable retention window.
- Detects attacks on admin-like or non-existent usernames and flags them as incidents. Moved login-attempt limiting from the Security tab to the new Login Security tab.
- Branded, mobile-friendly two-step verification screen at login, with a centered QR code on the profile setup page and a paginated login attempt log.
1.6.0
- Added a weighted Site Health Score with Core, Server, Security, Reliability and Performance categories, severity caps, top issues, recommendations and action links.
- Added Safe Client Health Report and improved system exports for support, diagnostics and client communication.
- Improved the Advanced Tools safety model for sensitive actions such as diagnostic snapshots, full phpinfo(), wp-config debug switches, cron management, database cleanup, table optimization and one-click security fixes.
- Improved Force HTTPS and HSTS flows with capability checks, nonces, HTTPS pre-flight checks, host validation and typed confirmation for HSTS includeSubDomains.
- Improved diagnostic snapshots with private storage by default, long random archive names, self-healing directory protection, public-access checks and safer file exclusions.
- Improved database cleanup with a preview-first workflow, risk labels, impact descriptions, batch processing, WordPress API deletion for posts/comments and typed confirmation for risky actions.
- Improved revision cleanup with retention options and safer WooCommerce handling, including warnings for store content and explicit opt-in for order-like records.
- Improved table optimization so it targets only the current WordPress table prefix by default, with an opt-in option for all database tables and clearer performance warnings.
- Improved cron tools so run and unschedule actions target a single event by hook, timestamp and arguments while protecting critical hooks.
- Improved wp-config.php edits with timestamped backups, atomic writes, permission preservation where possible and cancellation when a backup cannot be created.
- Improved REST API restriction with an allowlist and improved login-attempt limiting with IP + username matching and trusted proxy/CDN header support.
- Improved 404 logging, error-log handling and phpinfo access to reduce performance impact and better protect sensitive diagnostic information.
- Improved Health Score signals for downtime, SSL expiry and not-checked states, backup exposure, debug-log size and critical score caps.
- Improved admin navigation and UI organization across Overview, Monitoring, System, Security, Tools and Settings.
- Improved uninstall cleanup options for plugin-created files such as diagnostic snapshots and wp-config/readme backups.
- Fixed multiple HTML, SVG, cleanup, filesystem, directory-scan and WordPress.org readiness issues.
1.5.11
- Added plugin screenshots and aligned screenshot captions.
- Documentation-only update with no functional code changes.
1.5.10
- Initial public release on WordPress.org.
- Added WordPress health, server monitoring, uptime checks, resource history, environment details and server location overview.
- Added security audit tools, SSL checks, cron monitoring, activity logging, 404 monitoring and email alerts.
- Added diagnostic tools including backups/snapshots, database cleanup, table optimization, PHP diagnostics, maintenance mode and system exports.
- Improved WordPress.org readiness, coding standards compliance, filesystem safety and external-service documentation.
Earlier internal builds
- Internal development builds used before the first public WordPress.org release.
- Core monitoring, security, uptime, cron, logging, diagnostics and maintenance features were developed and tested during this phase.