Guide

WordPress Site Keeps Going Down? 7 Causes and How to Get Alerted Instantly

Q: Will WordPress's Recovery Mode email tell me when my site goes down?

Not reliably. Recovery Mode was added in WordPress 5.2 (May 2019) and emails the site administrator a recovery link when a PHP fatal error fires. The mechanism depends on the email pipeline working, which depends on the site working, which is the failure being reported. Recovery Mode emails frequently bounce, land in spam, or arrive at an abandoned admin address. External monitoring is more reliable because it does not depend on the broken site to deliver its own alarm.

May 2, 202613 min read

Quick rundown: Your WordPress site keeps going down for one of seven recurring reasons: cheap shared hosting with noisy neighbors, plugin conflicts after an auto-update, PHP memory limits hit by a traffic spike, brute force on wp-login.php saturating the PHP workers, an expired domain, database bloat in wp_options, or a theme update that broke a hook. WordPress 5.2 added a Recovery Mode email for fatal errors, but it depends on the email pipeline working, which depends on the site working, which is the thing that just broke. The reliable signal is an external monitor that pings your site from outside your host's infrastructure. The free plan gives you 10 monitors at 5-minute intervals across 5 regions, and one of those slots can be a browser login monitor that signs in to wp-admin every 15 minutes, enough to catch each of the seven causes within minutes. External monitoring catches each within minutes. For the broader pattern of how the wrong monitor configuration misses real outages, see why uptime monitors miss outages.

Recurring outages are not bad luck, they are a structural cause

According to W3Techs data verified May 1, 2026, WordPress runs 42.5% of all websites and holds 59.9% of the CMS market as of April 2026 (w3techs.com, verified 2026-05-01). The cheap end of WordPress hosting does not carry contractual SLAs that pay you back when the site goes down. Bluehost, GoDaddy, and the entry tiers at most shared hosts publish a 99.9% number on the marketing page and reserve any SLA credit for cloud or managed plans only. Even premium managed hosts log multi-hour outages in their best quarters. Per HostingStep's 2025 benchmark series, Kinsta publicly reported 99.97% uptime in Q4 2025 with 149 minutes of total downtime across 5 outages for the full year, attributed to Cloudflare incidents (hostingstep.com, verified 2026-05-01).

Translate the math. 99.9% allows roughly 8.76 hours of downtime per year by definition. The directional industry baseline from Pingdom's long-running public-uptime data set was about two hours of downtime per month per monitored site, which is closer to 99.7% than to 99.9% (royal.pingdom.com, legacy figure, verified 2026-05-01). Treat that Pingdom number as directional rather than as a current annual benchmark, but the shape of the data has not changed: the recurring outages you are experiencing sit comfortably inside the band the entire industry treats as acceptable. That is fine for the host. It is not fine for you. The only way to know what is actually happening is to monitor your site from outside the host's infrastructure. For the broader list of patterns small WordPress sites get wrong here, see the most common monitoring mistakes for small WordPress sites.

Cause 1: cheap shared hosting and the noisy neighbor problem

Another tenant on the same shared server runs a runaway script, exhausts CPU and memory, and every site on the box slows to a crawl or starts returning 502 and 503 responses. You did nothing wrong. There is no plugin to blame. The host's status page may not even mention it. The industry term is the noisy neighbor effect, and Cloudways and devpanel both name it as one of the most persistent failure modes in shared CMS hosting.

The structural reality is that shared hosting plans at the entry tier rarely carry a contractual SLA with compensation. Only managed or cloud tiers do. The historical Provo, Utah, data center incidents that took out Bluehost, HostGator, and HostMonster (router failures, a substation maintenance error) are well-documented examples of how a single shared infrastructure event can affect millions of sites at once. Those incidents are old, from the 2013 to 2015 era under the EIG ownership of the day, and used here as a structural pattern rather than recent news. The mechanism still applies anywhere a shared box runs more tenants than its hardware comfortably handles.

How to detect it. An HTTP monitor with a keyword assertion, run from multiple regions, catches noisy-neighbor 502s and partial outages your host's own status page may not acknowledge. Multi-region is essential because a regional shared infrastructure incident might only affect North American visitors while the host's status page reports green from elsewhere.

Cause 2: plugin conflicts and the white screen of death

If the WordPress white screen of death keeps coming back every few days on your site, plugin conflicts are the first place to look. Patchstack's 2025 mid-year vulnerability report logged about 6,700 new WordPress vulnerabilities in the first half of 2025 alone, with 41.5% of them real-world exploitable (up from 30.4% the year before), 89% in plugins, 11% in themes, 1 in core, and 58% requiring no authentication (patchstack.com, verified 2026-05-01). The same plugin surface that drives the security number drives the availability number, because plugin conflicts are the single most frequent named cause of the white screen of death, particularly after auto-updates run overnight.

No vendor publishes a clean percentage for the share of WordPress outages caused by plugin conflicts, so we will not invent one. Every WordPress hosting support team will tell you it is the call they take most often. The mechanism is straightforward. A plugin updates at 2 AM. Its new version calls a function a second plugin deprecated last month, or registers a hook a theme overrides, or allocates more memory than the PHP limit allows. The site immediately serves either a fatal error or a blank body with HTTP 200, and the owner finds out the next morning when a customer complains. This is the classic pattern behind a WordPress site that goes down at night and is back up by the time you check it in the morning, or a WordPress site down after a plugin update you did not consciously authorize.

How to detect it. An HTTP monitor with a keyword assertion catches the white-screen case where the response is HTTP 200 but the body is empty or partial. The browser login monitor catches the parallel case where the front-end keeps serving but the owner cannot get into wp-admin to fix anything. For the deeper write-up specifically on plugin-update breakage, see the deeper write-up on plugin-update breakage. If you run a membership site, the failure modes are different and worth a separate read.

Cause 3: PHP memory limits and the silent Recovery Mode email

WordPress 5.2, released in May 2019, added a Recovery Mode that catches PHP fatal errors and emails the site administrator a recovery link. The mechanism depends on the email pipeline working, which depends on the site working, which is the failure being reported. Recovery Mode emails frequently bounce, land in spam, or arrive at an abandoned admin address, so external monitoring is more reliable.

The defaults are tight. WordPress sets WP_MEMORY_LIMIT to 40MB for single-site and 64MB for multisite, and the constant in wp-config.phponly takes effect if the host's PHP memory limit allows it. Cheap shared hosts cap server-level PHP at 64 to 128MB, which is below what a moderately plugin-loaded WooCommerce site needs during a checkout spike. The symptom is a Fatal error: Allowed memory size of N bytes exhausted page returned to the visitor, often as HTTP 500 but sometimes as HTTP 200 with the error embedded in a partial render.

The load-bearing argument for external monitoring lives here. Recovery Mode landed in WordPress 5.2 in May 2019. It is the single biggest reason WordPress owners do not know their site is down. The admin email often goes to a former developer's address, lands in Gmail's promotions tab, gets blocked by an over-eager spam filter, or sits unread until morning. The site waiting for someone to click a recovery link in an email is the site that just emailed itself for help (make.wordpress.org, verified 2026-05-01).

How to detect it. An HTTP monitor with a keyword assertion that matches Fatal error or Allowed memory size catches the symptom in seconds, independent of whether the Recovery Mode email ever lands.

Cause 4: brute force on wp-login.php

Wordfence's firewall blocks over 6.4 billion brute force attempts every month across the network of sites it protects (wordfence.com, verified 2026-05-01). That figure is fleet-wide, not per site. The honest per-site picture is that the average WordPress site sees thousands of automated login attempts per day, and a poorly hardened wp-login.php under sustained brute force can exhaust PHP-FPM workers and take the whole site down without any successful login ever happening.

The structural problem is built into the defaults. wp-login.php sits at the same URL on every WordPress site by default. The default install does not rate-limit login attempts. The default admin username has historically been admin. A botnet pointed at a few thousand WordPress sites can probe each one hundreds of times per minute and burn through the host's PHP worker pool even when every attempt fails.

How to detect it. An HTTP monitor with a keyword assertion on the homepage catches the cascading PHP-FPM exhaustion, because legitimate page loads start timing out long before the brute force succeeds. The browser login monitor catches the case where wp-login.php itself becomes unreachable because the worker pool is saturated. The monitor account should be a dedicated low-privilege account, never the owner admin: a Subscriber- or Editor-role user with a unique email and a strong unique password, used for nothing else. Treat the dedicated wp-admin watcher as its own monitor and monitor your wp-admin login from outside on a low-privilege account.

Cause 5: an expired domain can take a WordPress site fully offline (the Marketo lesson)

Yes, an expired domain absolutely can take a WordPress site down. A site goes globally dark the moment its domain registration lapses, because DNS resolution fails before any HTTP request reaches the server. Marketo experienced this on July 25, 2017 at 4:25 AM Pacific, when their primary domain expired and customers were locked out for two days while DNS TTLs cleared. External uptime monitors catch a domain expiration as a DNS resolution failure within minutes.

Marketo was valued over $1 billion at the time of the outage. CEO Steve Lucas blamed human and process error, the auto-renew on the main domain failed silently, and a senior applications engineer named Travis Prebble in State College, Pennsylvania, ended up paying for the renewal on his personal credit card to get the company back online. The DNS TTL was set to two days, which extended the customer impact long after the renewal cleared, per ThousandEyes' post-incident analysis (thousandeyes.com, verified 2026-05-01). Pair Marketo with Sorenson Communications, whose video relay service for deaf and hearing-impaired Americans went dark for three days in June 2016 from the same cause. The FCC fined Sorenson $252,000 and required them to reimburse $2.7 million to affected customers (theregister.com, verified 2026-05-01).

The auto-renew failure modes are mundane. A card gets reissued with a new expiration date and the registrar charge declines. The issuing bank declines a previously successful charge for an unrelated fraud signal. The billing-notification email lands in the inbox of a former employee or in a spam filter that nobody reads. ICANN's expired-registration recovery policy sets a 1 to 45 day auto-renew grace period, then a 30-day redemption window, then 5 days pending delete, then the domain is released. The site can be down for any portion of that timeline.

How to detect it. An external HTTP monitor sees a DNS resolution failure within minutes. The free plan's per-monitor SSL expiry alert catches the same class of forgot to renew failure, often weeks before the domain itself lapses, since people who forget to renew domains tend to forget to renew TLS certs too. For the full treatment of that mechanism, see how SSL expiry monitoring works on the free plan.

Cause 6: database bloat and the wp_options autoload trap

WordPress loads every row in wp_options with autoload=yes on every single request. A site that has installed and deactivated a few dozen plugins over the years accumulates orphaned options that nothing reads but everything loads. Kinsta, Pantheon, and Cloudways all publish the same guidance: a healthy site has 200 to 500 KB of autoloaded data, anything over 1 MB is a red flag, and sites past 5 MB add 100 to 200 ms to every page load just from loading wp_options (kinsta.com, verified 2026-05-01).

Bloat does not usually cause a hard outage. It causes timeouts under load. The site is fine for one user and dies the moment a paid-traffic burst, a coupon-email blast, or a sale-day campaign hits it. Visitors see slow page loads, then 504 gateway timeouts, then full failures as PHP workers stack up faster than they can finish. The owner refreshes the homepage from a fresh browser, it loads in 800 ms, and they conclude the host imagined the problem.

How to detect it. An HTTP monitor with a tight response-time threshold catches the slow degradation before the customer complaint does. A multi-step monitor (the free plan supports up to 3 steps) catches admin-only paths where the bloat hits hardest. For e-commerce sites where the same bloat surfaces during checkout traffic spikes, see monitor your WooCommerce checkout flow.

Cause 7: theme conflicts after an update

On March 4, 2024, the Astra theme (roughly 1 million active installs) released version 4.6.6 and broke many sites. Customization options stopped responding, the header rendered incorrectly in some cases, and page title sizes locked to a small fixed value. The WordPress.org forum filled with theme Astra has broken all of my websites threads within hours of the rollout. Astra published 4.6.7 inside 24 hours, but the auto-update window for affected sites was already over (wordpress.org, verified 2026-05-01). The blast radius was substantial across that install base.

GeneratePress 3.0.4 followed a similar pattern: scrambled formatting on category pages, white-screen rendering on some installs, and a fix that involved reinstalling a fresh copy of the theme. The mechanism is structural. A theme update changes hooks, templates, and scripts. If a child theme or a plugin still calls a deprecated hook, what was a deprecation notice yesterday becomes a fatal error today. Divi has shipped its own fatal-error fixes across 2024 and 2025 for the same shape of problem.

How to detect it. An HTTP monitor with a keyword assertion catches the broken-markup case where the response is HTTP 200 but the layout is malformed (a missing footer string, a broken header signature, a stale title tag). The browser login monitor catches the admin-area lockout case where the theme update breaks the customizer or wp-admin itself.

How the free plan covers all 7

Translate the seven causes into one concrete free-plan setup. The free plan gives you 10 monitors at 5-minute intervals across 5 monitoring regions, and one of those slots can be a browser login monitor at 15-minute intervals. The natural allocation for a single WordPress site:

1 browser login monitor that signs in to wp-admin as a dedicated low-privilege monitoring account (Subscriber or Editor role, unique email, strong unique password, used for nothing else, never the owner admin) and asserts on the dashboard. Catches plugin conflicts that lock wp-admin, brute force that saturates PHP-FPM, and theme conflicts that break the admin customizer. Velprove launches a real browser behind the scenes. Not a probe pretending to be a browser, a real one.
1 HTTP monitor with a keyword assertion on the homepage. Catches the white screen of death, noisy-neighbor 502s, and PHP fatal errors with the error string in the body.
1 HTTP monitor on the wp-login.php URL with a keyword assertion on the form. Catches the brute-force-induced login outage.
1 HTTP monitor on the primary domain with SSL expiry alert enabled. Catches expired domain (DNS resolution failure) and expired TLS certificate.
Up to 6 more HTTP monitors on whatever pages matter most: WooCommerce checkout, the pricing page, the blog index, and any campaign landing pages.

That is the free plan, with no plugin to install and no card on file. Email alerts are included on the free tier; Slack, Discord, Teams, and webhooks start at the Starter plan. For the full WordPress-specific framing, see Velprove for WordPress and see plan details. If you would rather skip the wp-admin browser login monitor and run pure HTTP coverage, the case for that approach is in monitor WordPress uptime without installing a plugin.

Frequently Asked Questions

Why does my WordPress site keep crashing?

Almost always one of seven recurring causes: noisy-neighbor contention on cheap shared hosting, plugin conflicts after an auto-update, PHP memory limits hit by a traffic spike, brute force on wp-login.php saturating PHP workers, an expired domain registration, database bloat in wp_options, or a theme update that broke a hook. The recurring pattern is the diagnostic clue. A site that goes down once is bad luck. A site that keeps going down has a structural cause that an external monitor can name.

Is it the host or my plugins?

Usually the plugins, sometimes the host, occasionally both. Plugin conflicts are the single most frequent named cause of WordPress white-screen-of-death events, and Patchstack's 2025 mid-year report attributes 89% of new WordPress vulnerabilities to plugins. Hosting causes most often look like 502 or 503 from multiple regions at once, while plugin causes most often look like HTTP 200 with a broken or empty body. An external monitor with a keyword assertion tells the two apart in seconds.

Will WordPress's Recovery Mode email tell me when my site goes down?

Not reliably. Recovery Mode was added in WordPress 5.2 in May 2019 and emails the site administrator a recovery link when a PHP fatal error fires. The mechanism depends on the email pipeline working, which depends on the site working, which is the failure being reported. Recovery Mode emails frequently bounce, land in spam, or arrive at an abandoned admin address. External monitoring is more reliable because it does not depend on the broken site to deliver its own alarm.

How fast can a free monitor catch a WordPress outage?

Within minutes. The free plan runs HTTP monitors every 5 minutes from 5 monitoring regions and runs the browser login monitor every 15 minutes. A homepage outage is typically detected on the next 5-minute cycle, which means the alert lands in your inbox before most customers have time to notice the page is down.

Do I need to install a plugin to monitor my WordPress site with Velprove?

No. Velprove monitors your site from the outside, the way a real visitor would. There is no plugin to install, no PHP code to maintain, and nothing inside your WordPress install that a future WordPress or plugin update can break. The monitor runs on Velprove's own infrastructure and reports what it sees.

A WordPress site that keeps going down is almost always failing for one of the seven causes named above, and the same external monitor configuration catches every one of them within minutes. The free plan gives you 10 monitors at 5-minute intervals across 5 regions, and one of those slots can be a browser login monitor that signs in to wp-admin on a dedicated low-privilege account every 15 minutes. Start a free Velprove account. No credit card required. Set up the four core monitors described above (browser login, homepage keyword assertion, wp-login.php keyword assertion, SSL expiry on the primary domain) and you will know within minutes the next time any of the seven causes hits your site, regardless of whether the Recovery Mode email ever lands.