The Complete Website Monitoring Checklist: 15 Things You Should Be Tracking

Uptime / Availability

What to monitor: Whether your site returns a successful HTTP response (200 OK) when accessed from the outside. This is the most basic and most important check.

Why it matters: If your server crashes, your hosting provider has an outage, or a deployment goes wrong, uptime monitoring is the first thing that catches it. Without it, you are relying on customers to tell you something is broken.

Recommended frequency: Every 1 to 5 minutes for most sites. Every 30 seconds for revenue critical pages like checkout flows or login endpoints.

Related: How to Set Up Website Monitoring in 5 Minutes

Response Time

What to monitor: How long your server takes to respond to a request, measured as Time to First Byte (TTFB). Track both the current value and the trend over time.

Why it matters: A site can technically be "up" but so slow that users leave. Response time degradation is often the earliest warning sign of deeper problems: an overloaded database, a memory leak, or a server running out of disk space. Catching slow responses early lets you fix issues before they become full outages.

Recommended frequency: Every 1 to 5 minutes. Set an alert threshold at roughly 2x your normal response time so you catch degradation without false alarms.

Related: How to Monitor Website Response Time

DNS Resolution

What to monitor: Whether your domain name resolves correctly to the right IP address, and how long DNS resolution takes.

Why it matters: DNS failures are invisible and devastating. If your DNS stops resolving, your entire site disappears for users even though the server is running perfectly. DNS issues can also be a sign of domain hijacking or misconfigured nameservers after a provider migration.

Recommended frequency: Every 5 minutes. DNS failures tend to persist once they start, so faster checks are less critical than for uptime.

Related: Server Uptime Monitoring

SSL Certificate Expiration

What to monitor: When your SSL/TLS certificate expires and whether it is valid. With the industry moving toward 47-day certificate lifecycles, automated renewal failures will become increasingly common.

Why it matters: An expired SSL certificate triggers a full-screen browser warning that tells visitors your site is not secure. Most users will leave immediately. Search engines also penalize sites with invalid certificates, damaging your SEO rankings.

Recommended frequency: Daily certificate validity checks. Set alerts to fire at 30 days, 14 days, and 7 days before expiration.

Related: SSL Certificate Monitoring: How to Never Miss an Expiration

Domain Expiration

What to monitor: When your domain registration expires. Even if you have auto-renewal enabled, payment failures, outdated credit cards, or registrar account lockouts can cause renewals to fail silently.

Why it matters: A lapsed domain means your entire online presence vanishes. Worse, expired domains can be purchased by domain squatters or used for phishing attacks against your customers. Recovering an expired domain is expensive and sometimes impossible.

Recommended frequency: Daily checks. Set alerts at 60 days, 30 days, and 14 days before expiration to give yourself time to resolve any payment issues.

Related: Domain Expiration Monitoring: How to Prevent Losing Your Domain

Page Load Time

What to monitor: The total time it takes for your page to fully load in a browser, including all assets (images, scripts, stylesheets). This is different from response time, which only measures the server's initial reply.

Why it matters: Google uses page speed as a ranking factor. Users expect pages to load in under 3 seconds, and conversion rates drop 7% for every additional second of load time. A sudden increase often means a new script, unoptimized image, or broken CDN is affecting the user experience.

Recommended frequency: Run synthetic page load tests hourly or use Real User Monitoring (RUM) for continuous data. Set alerts for any page that exceeds 5 seconds.

HTTP Status Codes

What to monitor: The HTTP status codes your server returns. Watch specifically for 4xx errors (client errors like 404 Not Found) and 5xx errors (server errors like 500 Internal Server Error, 502 Bad Gateway, or 503 Service Unavailable).

Why it matters: A spike in 5xx errors means your server is failing. A spike in 404 errors after a deployment means you broke internal links or removed pages without redirects. Both damage user experience and SEO. Monitoring status codes gives you an early warning system for problems that may not cause a full outage but are still harming your site.

Recommended frequency: Continuous via server access logs. For external checks, monitor key URLs every 1 to 5 minutes.

Related: How to Fix a 502 Bad Gateway Error | How to Fix a 503 Error | How to Fix a 500 Error

Error Rates

What to monitor: The percentage of requests that return errors over a given time window. Track both server-side errors (5xx) and application-level errors logged by your code.

Why it matters: A 1% error rate on a site handling 10,000 requests per hour means 100 users every hour are hitting failures. Error rate tracking helps you distinguish between isolated incidents (a single bad request) and systemic problems (a database connection pool is exhausted). A rising error rate is one of the strongest predictors of an approaching outage.

Recommended frequency: Continuous via application logs or an APM tool. Set alerts when the error rate exceeds your baseline by 2x or more.

Third-Party Services

What to monitor: The availability and response time of external services your site depends on: payment processors (Stripe, PayPal), CDN providers (Cloudflare, Fastly), authentication services (Auth0, Firebase Auth), email delivery (SendGrid, Postmark), and any other API your application calls.

Why it matters: If your payment gateway goes down, your checkout is broken even though your server is running perfectly. If your CDN has a regional outage, users in that region cannot load your site. Monitoring third-party dependencies lets you identify the root cause of problems faster and communicate accurately with your users about what is happening.

Recommended frequency: Every 5 minutes for each critical dependency. Monitor their status pages as well for early warning.

API Endpoints

What to monitor: The health and response time of your own API endpoints, especially any that your frontend application, mobile app, or external partners depend on. Monitor both the status code and the response body (a 200 response with an error message inside is still broken).

Why it matters: Modern websites are often just a frontend that calls APIs for everything. If your user API is down, nobody can log in. If your product API is slow, pages render with empty content. API monitoring catches these failures even when the homepage still loads fine.

Recommended frequency: Every 1 to 5 minutes depending on criticality. Payment and authentication APIs warrant 30-second checks.

Related: How to Monitor an API Endpoint | API Uptime Monitoring

Public Status Page

What to set up: A public-facing page where users can check whether your services are operational. Good status pages show current status, recent incidents, and planned maintenance.

Why it matters: During an outage, your support inbox floods with "is it down?" messages. A status page answers that question automatically, reducing support tickets by 30% to 50%. It also builds trust by showing your team is transparent about reliability. For SaaS companies and e-commerce stores, a status page is expected by customers.

Recommended setup: Create a status page that updates automatically based on your monitoring checks. Add individual components for each service (website, API, database, payment processing). Enable subscriber notifications so users can opt in to updates.

Related: How to Create a Status Page | Uptime Status Pages

Alert Channels

What to set up: At least two independent alert channels for receiving downtime notifications. Email alone is not enough because inboxes get delayed and messages get buried. Combine email with SMS, phone calls, or Slack for redundancy.

Why it matters: The fastest detection in the world is worthless if the alert never reaches someone who can fix the problem. Email can be delayed by spam filters or simply missed during off hours. SMS cuts through the noise. Phone calls wake people up at 3 AM when revenue-critical services go down.

Recommended setup: Email for all incidents (creates a record), SMS for anything critical, phone calls for revenue-impacting outages, and Slack for team visibility. Test your alert channels monthly to make sure they still work.

Related: Website Downtime Alerts

Escalation Policy

What to set up: A defined process for who gets notified when, and what happens when the first responder does not acknowledge the alert. For example: first alert goes to the on-call engineer via SMS, and if not acknowledged within 10 minutes, escalate to the team lead via phone call.

Why it matters: Without an escalation policy, alerts go to one person. If that person is asleep, on vacation, or has their phone on silent, the outage goes unaddressed. Escalation ensures that someone always responds, and it removes the ambiguity about who is responsible.

Recommended setup: Define at least two tiers. Tier 1 is the primary on-call person. Tier 2 is a backup who gets notified after a defined timeout. Document this in a shared team document and review it whenever the team changes.

Incident Response Playbook

What to set up: A written document that tells whoever receives an alert exactly what to do next. Include: how to verify the issue is real, who to contact, what to check first (hosting dashboard, deployment logs, DNS records), how to communicate the outage to customers, and when to escalate.

Why it matters: When your site goes down at 2 AM, you are not thinking clearly. A playbook removes the need to make decisions under pressure. It turns a stressful event into a series of steps to follow. Teams with documented playbooks resolve incidents significantly faster than teams without them because nobody wastes time figuring out what to do first.

Recommended setup: Start simple. Write a one-page document that covers the five most common failure scenarios for your site and the steps to diagnose and fix each one. Store it somewhere accessible when your main systems are down (a shared Google Doc or printed copy works better than your internal wiki if your server is the thing that is broken).

Regular Review Schedule

What to set up: A recurring calendar event (quarterly is a good starting point) to review and update your entire monitoring setup. During the review, check that all monitors are still pointing to the right URLs, alert contacts are still valid, escalation policies reflect the current team, and any new services or endpoints have been added.

Why it matters: Monitoring setups decay over time. Team members leave and their alert email addresses bounce. Services get migrated to new URLs but nobody updates the monitor. New features launch without monitoring. A regular review catches these gaps before they cause a missed alert during a real incident.

Recommended setup: Schedule a quarterly review. Use this checklist as the agenda. Walk through each item and confirm it is still configured correctly. After any major infrastructure change (server migration, new CDN, domain transfer), do an immediate ad-hoc review.

Related: What is a Good Uptime Percentage?