← Docs

Website monitoring

Monitor a website — no agent required

You don't need to install anything to monitor a website with Astrari. Add the URL, and we run a full external scan from our infrastructure: SSL, headers, blacklists, email security, exposed files, and — for WordPress sites — CVE matching against 12,250+ tracked vulnerabilities.

If you also run the server, link it later to unlock deeper agent-assisted checks. That's optional.

1

Sign up — no card needed

Create an account. The free Starter plan covers 1 site and 1 server, kept free forever. Every paid plan includes a 14-day trial.

2

Add your website

Go to Sites in your dashboard, click + Add site, paste the full URL (e.g. https://example.com), and give it a label.

That's it. No DNS records to add, no plugin to install, no JavaScript snippet to embed. Astrari scans your site externally — exactly as a visitor would see it.

3

See the first scan

The first scan runs immediately and typically completes in under 60 seconds. You'll see SSL status, security headers, blacklist results, and findings for anything that looks off — all on the site's detail page.

If it's a WordPress site, Astrari additionally enumerates installed plugins and themes from the public surface and matches them against the CVE database. Findings appear with severity, fix version, and a link to the upstream advisory.

4

Re-scans run automatically

From there, Astrari rescans on a schedule — every 24 hours on Starter / Basic, 12 hours on Professional, 6 hours on Agency. New CVEs that affect your site trigger a finding within minutes of being added to the threat feed. On-demand scans are available at any time.

What gets checked externally

SSL certificateValidity, expiry, chain. Alerts at 30, 14 and 7 days before expiry.
TLS deep auditDeprecated protocols (TLS 1.0/1.1), weak RSA keys, SHA-1/MD5 signatures, HSTS max-age and includeSubDomains posture. Cloudflare and Let's Encrypt aware — won't false-alarm on healthy short-lived certs.
Domain expiryWHOIS-based — know before your domain registration lapses.
Security headersHSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
Cookie securityHttpOnly, Secure, SameSite flags on all set cookies.
Email securitySPF and DMARC DNS record presence and policy strength.
Blacklist checkSpamhaus DBL and SURBL — flagged immediately if listed.
SEO spam / cloakingCompares Googlebot view to user view; detects hidden links and injected SEO content.
External script auditFlags scripts loaded from suspicious or low-reputation IPs.
Exposed file detectionwp-config.php, debug.log, xmlrpc.php, .env, .git/config and similar.
Uptime monitoring5-minute probes from outside. Three consecutive failures fire a HIGH availability alert.
JavaScript supply-chainTracks every external script we observed. New script appearing or SRI hash changing fires a finding (the Magecart attack class).
Content / defacementHashes your homepage (and up to 5 paths) every 6 hours; alerts on unexpected content drift. Side-by-side baseline-vs-current diff view in the dashboard.
Performance regression alertsWeekly synthetic Core Web Vitals (LCP, CLS, INP, overall score) via Google PageSpeed Insights. Mobile strategy. We alert when the numbers measurably regress and surface the changes that landed at the same time — third-party scripts added, TLS cert switched, redirects introduced — so you can tell a deploy from a problem.

WordPress sites get more

For sites Astrari recognises as WordPress, we add WP-specific checks on top of everything above:

  • Plugin, theme, and WordPress core version detection
  • CVE matching against 12,250+ vulnerabilities (Wordfence Intelligence)
  • Outdated plugins / themes / core flagged with fix versions
  • User enumeration detection (?author=N probing)
  • Directory listing detection on /wp-content/

Optional: link the hosting server later

If you (or your hosting provider) also run the Linux server the site lives on, you can install the Astrari agent there to unlock additional checks for this site:

  • Authenticated WordPress plugin/theme enumeration via wp-cli — catches plugins not visible externally
  • WordPress database scan for injected iframes, obfuscated payloads, and hidden links
  • .htaccess auto-fixes for common hardening issues (xmlrpc, user-enum, directory listing)
  • Per-site forensic diagnostics — boot history, PHP-FPM errors, OOMs scoped to this domain's vhost

None of this is required. Site-only monitoring catches the vast majority of public-facing issues. When you're ready, see the agent install guide.

Add your first site freeOr install the server agent →