Off Site Monitoring for WordPress

Using plugins like the WordPress File Monitor Plus is a great way to keep track of what’s going on with your site. However, the plugin needs to be active on your site to send you email notifications.

If a hacker gains access to your WordPress administration panel, he could disable the plugin, and you would not be notified.

We will address this problem by using monitoring tools that run outside of your WordPress site.

We recommend that you use at least two of the monitoring tools described in this section as they give you different data and work in different ways.


Sucuri is a company founded in 2010, which specializes in website malware detection and removal.

What You Need To Do

Create an account and set up monitoring for your site.

Why Sucuri Is Important

Sucuri monitors many key settings for your website. If your site gets blacklisted by Norton, AVG, McAfee or Google Safe Browsing, for example, you are immediately notified. Sucuri will also help you get removed from the blacklist.

The Sucuri monitoring also includes checks for changes to your WHOIS, DNS and SSL information.

These checks will ensure that you are informed if anyone hijacks your domain or changes your nameservers.

Your site is also scanned for malware, phishing, malicious JavaScript and iFrames, Drive-By Downloads (which could harm your visitors' computers) and suspicious redirections.

If Sucuri detects that your site has been infected, they will clean it up. This is part of the subscription and does not cost extra.

As an added bonus Sucuri has developed a WordPress plugin, which adds substantial preventive protection to your site.

The plugin adds:

  • Web Application Firewall

  • Integrity Monitoring

  • Audit Logging and Activity Reporting

  • 1-click Hardening

For more information see Sucuri WordPress Security Plugin.

How You Complete This Security Checkpoint

Follow these steps:

  • Choose a plan. Click here.
    (Affiliate link: We get a small commission – you pay the same price).

  • Add your websites.

  • Adjust your monitoring options.

  • Set up alerts.
    You can be alerted by Email, Twitter, Instant Messenger, SMS or RSS.

  • Install the WordPress plugin.


In addition to the security features provided by the WordPress plugin, as discussed in WebsiteDefender WordPress Security, WebsiteDefender also offers an online scanner.

This scanner checks for malware, change of content, creation of WordPress administrator accounts and many other things.

For a free online scanning account click here (affiliate link).
By using the affiliate link you support the WordPress Security Checklist.

You can see the extensive list of features here.

The free account scans your site once per month, whereas the paid accounts scan daily.

What You Need To Do

Create an account with WebsiteDefender and set up online scanning of your WordPress site.

Why This Point Is Important

This check runs independently of your WordPress site. Even if your site completely stops working, this scan will still run.

How You Complete This Security Checkpoint

To enable the online scanner follow these steps:

  • Install and enable the WebsiteDefender WordPress Security plugin.

  • Register for a free account for the online scanner or enter your existing account details.
    To support the WordPress Security Checklist you can click here (affiliate link) and we will get a small commission.

  • The status changes.
    Your first WordPress site scan is scheduled, and you will receive an email when it has completed.

  • First scan email.

  • On your dashboard at you can adjust the scan settings.

  • Recommended: Enter a text pattern to search for on your home page.
    This could be the title of your WordPress site or a key piece of text that will rarely change.
    If the scan cannot find this text on your home page, it will alert you by email. This is a good way to detect if your site has been changed without your knowledge.

  • Optional: Exclude directories from the scan.
    This could be the caching directories, for example. The default for W3 Total Cache is /wp-content/w3tc/*.


Datafeedr Tip!

(What is Datafeedr?)

If you are using Datafeedr, you should be storing your product image files locally (for performance reasons).

If you have a large store with many products you might receive many alerts on new product images being cached locally.

You may choose to exclude the store directory from the scan by adding /wp-content/uploads/store/*.

We recommend that you include the store directory.


  • The main dashboard gives you a nice overview.


Web site:

What You Need To Do

Create an account with Pingdom and set up monitoring for your WordPress site.

Why This Point Is Important

Pingdom is another online monitoring service, which will check for the presence of a key text on your home page.

Additionally, they check that your site is available at 5-minute intervals, and provide a nice monthly report with your average response times.

How You Complete This Security Checkpoint

Follow these steps:

  • Go to

  • Sign up for a free account.

  • On the Optional settings tab enter a string to check for.

  • Remember to Test your check before you save.

  • If this string is not present or if your site is unavailable you will receive an email (or optionally an SMS).

Change Detection

Web site:

What You Need To Do

Create an account and set up monitoring for your site.

Why This Point Is Important

Change Detection will check for changes to a page on your WordPress site – as opposed to checking for the presence of a key text.

How You Complete This Security Checkpoint

Follow these steps:

  • Go to

  • Create an account.

  • Enter the page you wish to monitor and click Next.

  • Note the options.
    You might want to try out different settings here until you are happy.
    The “sizable change” option tends to work well, as it ignores smaller changes such as dates etc.

  • You will now receive emails with notifications whenever the page changes.

  • You can study the details of the changes online, so you can see exactly what has changed.
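
The key-text check and the “sizable change” option described above work in different ways, and this added example (not part of the original article, and not the code of any of the services named) shows both on the same pages. The word-level diff, the 25% threshold and the sample pages are assumptions made for illustration.

```python
import difflib
from html.parser import HTMLParser

class _Visible(HTMLParser):
    """Collect visible words, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.words, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        self._skip += tag in ("script", "style")  # True counts as 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.words.extend(data.split())

def visible_words(html):
    parser = _Visible()
    parser.feed(html)
    parser.close()
    return parser.words

def has_key_text(html, key_text):
    """Key-text check: is the expected string still in the visible text?"""
    return key_text.lower() in " ".join(visible_words(html)).lower()

def change_fraction(old_html, new_html):
    """0.0 = identical visible text, 1.0 = nothing in common (word-level diff)."""
    matcher = difflib.SequenceMatcher(None, visible_words(old_html),
                                      visible_words(new_html), autojunk=False)
    return 1.0 - matcher.ratio()

def check(baseline_html, current_html, key_text, threshold=0.25):
    """Return alert strings; threshold is an assumed 'sizable change' cut-off."""
    alerts = []
    if not has_key_text(current_html, key_text):
        alerts.append("key text missing")
    if change_fraction(baseline_html, current_html) >= threshold:
        alerts.append("sizable change")
    return alerts

# Constructed sample pages, not captured from any real site.
KEY = "Example Garden Blog"
HEAD = "<html><head><title>Example Garden Blog</title></head><body><h1>Example Garden Blog</h1>"
BASELINE = HEAD + "<p>Updated 1 May. Tips on growing tomatoes, herbs and roses in a small garden.</p></body></html>"
DATE_ONLY = BASELINE.replace("1 May", "2 May")
REPLACED = HEAD + "<p>Unrelated promotional text that the site owner never wrote, inserted by someone else entirely.</p></body></html>"
DEFACED = "<html><body><h1>Page replaced</h1></body></html>"
```

The date-only edit raises no alert, the page whose body was swapped while the title stayed trips only the change check, and the fully replaced page trips both. For a live check, run this from a machine outside the site's own hosting against a stored baseline copy.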


Questions Or Comments?

Please leave them below. Thanks!

About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!


  1. When setting up Pingdom, if you use Google Analytics, be sure to add the Pingdom Probe servers’ IP Addresses to your exclusion list. Here is a link on “how to exclude multiple IP addresses from Google Analytics”
    If the Pingdom Probe Server IP addresses change, you will need to update the exclusion list in your website’s Google Analytics profile.

    • Hi Gary,

      Thanks for the tip. I have used Pingdom for a long time and have not had problems with it skewing my GA data – even without using this trick…

      It is necessary though to filter out your own visits, so thanks for posting the link.
