WordPress 5.1 introduced a new feature called Site Health.
When you upgraded to WordPress 5.1 you might have noticed a warning in the Dashboard if your site was running an outdated version of PHP.
WordPress Site Health Check introduced in version 5.2
WordPress 5.2 takes Site Health one step further. With the upgrade a new menu item appears in Tools > Site Health.
Site Health Status tab
Site Health runs through a number of tests in a WordPress install to check for issues and shows you the results of the tests.
The intention is to empower site owners to understand and correct things they might not have been aware of which affect site performance or security.
If any issues show up, they’re listed as either Critical issues or Recommended improvements.
You can toggle a title to find out more and get advice.
All the tests that are passed show up at the bottom of the page. You can toggle the button to read the full list if you wish.
At the time of writing, Site Health scores your site out of 100, though that’s not been without controversy. Some developers have argued that this measure is misleading and could make webmasters unnecessarily anxious about achieving a 100% score.
There’s also no agreement about what makes a site perfectly healthy. Web servers come in all types and configurations, and it’s quite subjective which is best. So don’t panic!
Another reason to be cautious is that plugin developers can add or remove their own tests to the list. There’s an example given on the Site Health Check in 5.2 blog of a test added by a caching plugin to see if it is enabled. (Caching plugins work to speed up sites.)
A risk going forwards is that less scrupulous plugin developers may add warnings that your site is insecure or poorly performing. They might try to upsell paid services to remedy things which could be fixed for free, or don’t need fixing at all.
Site Health Info tab
This tab displays more technical information related to your site. There’s the option to copy and paste it to the clipboard. This info can be passed on to your web host or a developer for troubleshooting.
Health Check and Troubleshooting plugin
Site Health is a stripped down version of the Health Check & Troubleshooting plugin. If you have this plugin installed, you’ll find the same info in Tools > Site Health plus some additional functions.
What Site Health issues should I be concerned about?
Here’s some of the common problems that you should consider taking action on.
If you are not confident in your technical prowess, mention the issue to your host or web developer and ask them for help.
I highly recommend taking a backup before making any changes.
Your PHP version requires an update / We recommend that you update PHP / Your PHP version should be updated – Security/Performance issue
PHP is a programming language that WordPress runs on. Some WordPress sites run with older versions of PHP which are less efficient and less secure.
Right now the newest version is PHP 7.3, which came out in December 2018.
You can see the proportions of sites using different versions of PHP in WordPress stats.
Currently about half of WordPress sites are using version 7.0 or above; the remainder are using version 5.6 or lower. (There was no PHP 6, in case you are wondering!)
Upgrading PHP leads to a faster, safer site. Pushing users to update PHP is better for site owners, users and developers.
There are 3 possible variations of the “upgrade” message. In order of importance they are:
- Your PHP version requires an update: this is a critical security issue. Your version of PHP is old, most likely PHP 5.6 and you should update.
- We recommend that you update PHP: your PHP version is still getting security fixes but upgrading is recommended.
- Your PHP version should be updated: Not so much of a risk. You are probably running PHP 7.0, 7.1 or 7.2. Check with your host to see if they have PHP 7.3 available yet (it depends if they’ve installed it on their web servers).
As of WordPress 5.2 the minimum PHP version WordPress will run on is PHP 5.6. PHP 5.6 was released in August 2014 and support for it ended in December 2018.
If your site uses a PHP version older than 5.6 you won’t even be able to upgrade to WordPress 5.2 to use Site Health Check! You would see a message like this:
You cannot update because WordPress 5.2 requires PHP version 5.6.20 or higher. You are running version 5.4.45.
How do I know what PHP version I have?
You can find your PHP version by going to the Site Health Info tab and toggling the Server section. PHP version is the third item in the list.
Any drawbacks of upgrading PHP?
It’s possible that if you’re running older themes or plugins they may not be compatible with the latest version of PHP, and may cause errors. This is because the language evolves and some functions become deprecated i.e. replaced with newer ones.
This would be a good time to audit your themes and plugins and check that they are compatible.
You can test for compatibility with newer versions of PHP by either:
- Asking theme/plugin developers about the PHP compatibility of their products through the WordPress support forums.
- Trying the PHP Compatibility Checker plugin. Note that this plugin hasn’t been tested with the latest WordPress releases, and it only tests compatibility up to PHP 7.2. I’ve also found that for some plugins it gives “Unknown” compatibility reports.
You should be able to revert to your previous PHP version if your site doesn’t work.
How do I upgrade PHP?
If you use a host with cPanel there’s an option to select PHP version.
Otherwise, ask your hosting support.
Your site does not use HTTPS – Security issue
If you haven’t moved your site to HTTPS by now you really should!
If you are still using insecure http you might see a “Not secure” warning in Chrome browser when browsing your site. It’s not a good look in terms of visitor trust.
To switch to HTTPS you will need an SSL certificate and some know-how to make the switch on your site. Plugins like Really Simple SSL help.
Only parts of your site are using HTTPS – Security issue
If you see this issue, it means that you have an SSL certificate but WordPress is still using http URLs in Settings > General.
Site Health provides a link to this screen so you can change e.g. http://www.yoursite.com to https://www.yoursite.com in the WordPress Address and Site Address fields. You need to change both. Scroll down for the Save Changes button and press it to apply this change.
You should remove inactive themes – Security issue
When you set up your site, you might have tried out several themes until you found the one you liked. Most likely you left the ones you weren’t using on the site.
The trouble with that is themes you’re not using can pose a security risk.
Site Health checks all the themes you have installed, which theme is active and recommends you keep only:
- Your active theme
- The default Twenty Nineteen theme
- Your parent theme (optional; only if you are using a child theme)
It might seem counter-intuitive to keep Twenty Nineteen theme if it’s not active. The reason for having a spare theme like Twenty Nineteen is in case of troubleshooting. It helps to be able to switch to this theme to rule out any theme conflicts.
If you use a child theme, make sure you do not delete your parent theme! Your site depends on it.
Not sure if you’ve got a child theme? In Appearance > Themes, click on the theme marked Active.
In the box that pops up, you’ll be told if it’s a child theme or not. In this case Genesis Sample is a child theme of Genesis, so you would want to keep both of these themes.
To delete unnecessary themes, click on the name of the theme you want to delete in Appearance > Themes. Click on Theme Details and then the Delete link in the corner.
Funnily enough, you will see this issue on a brand new site!
I created a site with WordPress 5.2 and three themes were installed, because they are part of the WordPress installer:
- Twenty Nineteen (active)
- Twenty Seventeen
- Twenty Sixteen
In this case it’s safe to delete Twenty Seventeen and Twenty Sixteen.
I wonder if in future WordPress will install only one theme, because they seem to be warning you about a problem they’ve created!
Out of date themes
You will also see a notice if any of your themes are out of date. Be sure to update them.
You should remove inactive plugins – Security issue
Perhaps a plugin you installed one time went wonky and you deactivated it. Then you clean forgot about it – until your site got hacked.
As Site Health says:
Inactive plugins are tempting targets for attackers. If you’re not going to use a plugin, we recommend you remove it.
Ironically, you may have the two default plugins that come with WordPress installed and inactive – Akismet and Hello Dolly. You can remove them if you aren’t using them. Follow these steps:
- Go to the inactive plugins list.
- Check the plugins you want to delete.
- Choose Delete from Bulk Actions.
- Click the Apply button.
- Choose OK in the dialog.
There’s a couple of cases where you won’t want to remove an inactive plugin right away:
- You’re building a site and are comparing plugins that perform a similar function. You plan to keep the best one when you’re finished.
- You have deactivated a plugin temporarily to debug a problem. If you delete the plugin you may lose its data.
Out of date plugins
Site Health also draws your attention to any plugins that are out of date. There’s a link to the plugins page to update them.
Caution: if you’ve updated an plugin and had to roll it back to an earlier version because it caused a problem, ignore the update notice until the developer releases a version with a fix.
Another note of caution: premium plugins (and themes) may have different ways to update, which Site Health may not detect. Do double-check with the vendor to make sure you have the latest version.
The REST API encountered an error – Performance issue
This issue indicates a problem communicating with the REST API. The result may be problems viewing and saving content in the block editor.
I noticed this issue on a site and had the exact same error as for the loopback issue below.
cURL error 6: Could not resolve host: mydomain.com
If you’ve noticed problems using the block editor, ask your host for advice and mention this issue.
Your site could not complete a loopback request – Performance issue
This error can highlight a problem with scheduled tasks on your site. WordPress scheduled tasks are automatically run at set time intervals. You might find that scheduled posts don’t post, or backups don’t take place when expected.
Loopback requests are requests from your web server back to itself. These trigger the WP-Cron task scheduling system which automates the tasks.
Some hosts (notably Heart Internet) block loopback requests by default.
Troubleshooting this error can be tricky. You may need your host’s help.
One source of assistance is the Updraft Plus backup plugin’s guide on what to do if scheduled backups don’t run.
I found for a site that I run with this error that setting the ALTERNATE_WP_CRON constant to true allowed my scheduled tasks to run.
However, it did not stop Site Health showing the error. I’m still investigating why, but I’m not worrying about it too much.
Your site is set to display errors to site visitors – Security issue
If error display has been turned on it’s likely been done by someone developing or troubleshooting the site, who’s then forgotten to turn it off.
It poses a security risk because the debug information is printed out to everyone visiting the site. And that could give away vulnerabilities that you’d rather not have exploited.
The solution is to edit the wp-config.php file for your install and change the line
define( 'WP_DEBUG', true );
to
define( 'WP_DEBUG', false );
Warning: editing the wp-config.php file incorrectly could break your site. If this is all Greek to you, play safe and ask your hosting support or web developer to take care of it for you.
Site Health issues that maybe aren’t issues
Some of the issues that Site Health flags up may not be true issues. It depends on your hosting setup.
If you see these, check with your host first to see if there’s a genuine problem or if it’s a false alarm.
One or more recommended modules are missing – Performance issue
This test is for PHP modules (mini-programs) which are added to the web server to perform extra functionality.
This is the list of PHP modules that WordPress recommends.
On one site where I ran Site Health check, I saw the following:
Warning The optional module, imagick, is not installed, or has been disabled.
Is this a problem? Not necessarily, because there is another image module, GD, which may be used instead. Pagely has an article on Imagick vs GD and which to use when.
Developer Sybre Waaijer says about this check:
I also found some other complaints that I believe are invalid, like bcmath, exif, fileinfo, and imagick module requirements; WordPress doesn’t use most of these or has (better) alternatives.
Background updates may not be working properly – Security issue
This came up as an issue on my site when I used Site Health.
A message said:
Error The WP_AUTO_UPDATE_CORE constant is defined and enabled.
It turns out that this happens because I’m using managed WordPress hosting.
Managed hosting companies typically roll out WordPress updates on their own schedule. They don’t prevent you from updating WordPress yourself when a new version is available, but they don’t auto-update because they prefer to test out the new version themselves first to see if there are any bugs.
Check with your host or web developer to see if there is a good reason for this error. If not, ask them to investigate or explain what’s going on.
Is the WordPress Site Health Check a useful tool?
I think it is. It provides motivation to:
- Keep WordPress updated
- Keep plugins and themes updated
- Remove unused plugins and themes
- Run newer versions of PHP for greater site speed and security
- Use HTTPS
It’s not perfect, but it’s a good start towards improving WordPress sites’ efficiency and security.
Just don’t take its word as gospel!
Have you tried out Site Health Check yet? What do you think?
DoctorG says
This tool seems like a good idea, though it’s a blatant attempt to sell other software. I have found some its findings helpful, but it won’t completely scan my site.
Claire Brotherton says
Yes, the potential for misuse is definitely there.
About the scanning problems, have you tried leaving a message on the WordPress support forums?