Website Monitoring Checklist: Every Signal Your Team Should Review

The first thing to check is whether the site responds at all. A reachability check sends an HTTP request to the domain and records whether a response comes back and what the status code is. A 200 OK means the server responded successfully. Other codes — 301/302 for redirects, 404 for not found, 500 for server error — each indicate something worth reviewing.

Check the correct URL for the site, including whether www and non-www both work and redirect correctly to the same canonical version. Also check any important subdomains — app, checkout, blog, docs — that have different hosting or configuration from the main domain.

If the check returns no response at all (connection refused or timeout), the issue is likely at the hosting or DNS level. If it returns a 500 or similar server error, the issue is in the server configuration or application code. Both warrant investigation before reporting a clean bill of health.

• Does the site return a 200 status code for the homepage?
• Does www redirect correctly to the canonical URL (or vice versa)?
• Do important subdomains respond correctly?
• Is there any redirect chain longer than two steps?
• Does the final URL after redirects match the expected canonical address?

After confirming the site is reachable, verify that HTTPS is active and the SSL certificate is valid. Check that HTTP requests redirect to HTTPS rather than serving content over an unsecured connection. Verify that the certificate is valid for the exact hostname being tested — not just the root domain, but any subdomains that serve content.

The most important detail beyond current validity is the expiry window. A certificate expiring in more than 60 days is low priority. A certificate expiring in 30 days should be scheduled for renewal. A certificate expiring in 14 days or fewer is urgent and should be renewed as soon as possible.

Note the expiry date in your client records so you have advance warning even between scheduled health checks. If the site uses auto-renewal through Let's Encrypt or a managed certificate service, verify that the auto-renewal has been working — do not assume it is running without checking.

• Is HTTPS active and the connection secure?
• Does HTTP redirect to HTTPS correctly?
• Is the certificate valid for the current hostname?
• How many days remain until certificate expiry?
• Is the certificate issuer trusted by major browsers?
• For wildcard certificates: does it cover all subdomains in use?

Response time is the time between sending a request and receiving the first byte of the response from the server. It measures server-side processing speed before browser rendering. A healthy response time is under 500ms. Response time above 1 second warrants investigation; above 2 seconds is affecting visitor experience and likely conversion.

Compare response time to previous checks if you have historical data. A sudden increase in response time is often the first signal of a server problem, a new plugin or code causing performance overhead, or a traffic spike the hosting plan cannot handle. Trending up over multiple checks is a signal to discuss hosting capacity with the client.

Note that response time varies by testing location and network conditions. A single elevated reading may not be significant; a consistently elevated result across multiple checks is.

• Is the server response time under 500ms?
• Has response time changed significantly since the last check?
• Is response time consistent across multiple check runs?
• For ecommerce or high-conversion pages: is checkout response time acceptable?
• Has there been a recent change (update, migration, new plugin) that could explain a change?

Security headers are HTTP response headers that instruct browsers on how to handle the page securely. They are invisible to visitors but protect against several common browser-level attack types. Key headers to check are: Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Content-Security-Policy.

Security headers are frequently dropped after hosting migrations, CDN changes, plugin updates, or any configuration change that touches server settings. A site that had all headers configured before a migration may arrive at the new host without any of them — and there will be no visible sign that anything changed unless someone checks.

For agencies, security headers are a concrete care plan deliverable. Including them in the monthly health check and noting their status in client reports demonstrates that basic security hygiene is being maintained.

• Is Strict-Transport-Security (HSTS) present?
• Is X-Frame-Options present?
• Is X-Content-Type-Options present?
• Is Referrer-Policy present?
• Has anything changed since the last check (migration, plugin update)?
• For regulated industries: are additional security headers required?

Domain health is often overlooked in website monitoring workflows because it sits outside the normal web hosting context. But an expired domain takes the website, email, and any branded link offline immediately — and the renewal warning typically goes to the domain registrant's email, not the agency or developer managing the site.

Note the domain expiry date in your client records. Most registrars provide 30, 60, and 90-day renewal warnings, but these go to whichever email was used at registration — often the client's personal email or an old address. Having your own record of the renewal date is essential.

Domain health signals to watch include: the registration status (is the domain registered and active), the nameserver configuration (does DNS still resolve to the correct hosting), and the registrar lock status (is the domain protected from unauthorized transfer).

• When does the domain registration expire?
• Is the domain locked against unauthorized transfer?
• Are the nameservers pointing to the correct hosting?
• Is domain renewal managed by the client or the agency?
• Does the client have active control of the domain registrar account?

The final step in a website monitoring workflow for agencies is translating check results into client-facing communication. This does not require a detailed technical report — most clients want to know whether their site is healthy, what was found, and what was done about it.

A useful monthly health check summary includes: check date, overall status (healthy or issues found), SSL expiry date and days remaining, response time snapshot, any security header notes, any domain notes, and a clear statement of what needs attention if anything does.

For clients on active care plans, the health check summary is proof that the service is active and delivering value. Sending it consistently each month — even when everything is healthy — reinforces the value of the retainer.

• Has the health check summary been documented for the client file?
• Has the client received a summary of this month's health review?
• Are any findings being followed up on with a timeline?
• Is SSL expiry date noted in the client record?
• Is domain expiry date noted and renewal scheduled?