Multi-site security monitoring
Add the sites you care about to a watchlist and SecurityWatch will, on every visit, run a five-point health check on each: uptime, page-content hash (defacement detector), TLS certificate expiry, HTTP security headers regression, and WordPress version drift. Snapshots are stored in your browser so changes between runs are highlighted in plain English. An optional webhook URL receives a JSON alert when something regresses, letting you wire SecurityWatch into Slack, Discord, n8n or your own monitoring stack with zero backend.
Watchlist is stored in your browser only (localStorage). Clearing browser data removes it. No account required.
What SecurityWatch monitors and why it matters
Most site incidents in 2026 are not zero-day exploits but slow, silent regressions: a TLS certificate that auto-renew failed and expires next Tuesday; a security header that was dropped during a theme update; a content management system that quietly upgraded a major version and broke a plugin; a defacement that replaced the homepage with a crypto-jacking script that lives there for three weeks because nobody scrolled to the marketing page. SecurityWatch is built for the small-team owner of one or several sites who needs to know within hours, not weeks, when something visible from outside has changed. The watchlist sits in your browser, scans are triggered from the page you control, and snapshot diffs surface anything that moved between two visits.
The tool runs five checks per site. Uptime is a simple HTTP request that captures the status code, the response time and the redirect chain. Defacement detection takes a hash of the homepage HTML stripped of timestamps, nonces and ad markup, so a real content change shows up while harmless variations do not. TLS expiry reads the certificate, the issuer and the days remaining; the threshold for an amber warning is 30 days, red is 14 days. Security headers looks at HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, and flags a regression when a header that existed in the previous snapshot is missing now. WordPress version drift looks at the generator meta and the ?ver= query in CSS / JS to detect a major-version jump that warrants a deeper audit.
How the monitoring workflow runs without a backend
- Add a site to the watchlist by URL and an optional label. The entry is stored in
localStorageunder the keypag-securitywatch-v1in your browser. - Scan the site on demand by clicking “Scan now”. The scan calls four public REST endpoints on the PeopleAreGeek server (
headers,ssl,status,seo-page) and aggregates the results. No data goes anywhere else. - Compare the current snapshot with the previous one stored locally. Any change is listed as a finding in plain English: “TLS expiry dropped from 87 to 14 days”, “HSTS header is gone”, “homepage hash changed”.
- Optional webhook: paste a webhook URL (Slack incoming webhook, Discord webhook, n8n catch endpoint, your own server). When SecurityWatch detects a regression, it POSTs a small JSON to that URL so the alert reaches your team chat or your automation.
- Export the watchlist as JSON to back it up or move it to another browser. Import on the same page recovers it. No cloud account, no sync server, no lock-in.
Common use cases for SecurityWatch
- Small portfolio of client sites. A freelance developer who runs ten WordPress builds for clients can add all of them to the watchlist and run a one-click scan once a week before the Monday standup.
- Migration safety net. After moving a site to a new host or a new CDN, run SecurityWatch immediately and again 48 hours later. Any silent regression on headers or TLS becomes obvious.
- Defacement early warning. The page-hash check spots an unauthorised homepage edit within minutes of the next scan, much earlier than the next manual visit.
- Certificate renewal sanity. Even with auto-renew, certificates sometimes fail to install (DNS challenge issues, account rate limits). SecurityWatch is a final fallback that catches a forgotten renewal before users see a browser warning.
- Compliance evidence. The exported JSON snapshots make a credible audit trail for lightweight compliance frameworks that ask for documented periodic checks.
- Companion to SecuChecker. After running the one-shot deep scan with our SecuChecker tool, add the site to SecurityWatch to make sure the fixes you applied stay applied.
Limitations and privacy notes
SecurityWatch is a browser-side monitor, not a service. The scan only runs when the tab is open and you trigger it. There is no scheduled cron, no email scheduler, no cloud dashboard, no team accounts. The trade-off is that the watchlist follows your browser: it is private to you, but if you wipe the browser data or switch device it is gone unless you export it first. For 24×7 hands-off monitoring, pair SecurityWatch with a CI cron that hits the same endpoints, or use a dedicated SaaS like UptimeRobot, BetterStack or StatusCake for the uptime portion. SecurityWatch is the best free option when you want fast on-demand checks with zero account creation.
The probes are non-intrusive HEAD or GET requests against the public homepage of each watched site. The PeopleAreGeek server is the originating IP for every probe and is logged by major CDNs accordingly. The watchlist, snapshots, webhook URL and email address you type stay in browser localStorage and are never sent to PeopleAreGeek. The optional webhook fires from your browser directly to the URL you configured, so the recipient sees the JSON payload but PeopleAreGeek does not.
Frequently asked questions
Does SecurityWatch run continuously in the background?
No. It runs only when you open the page and click “Scan all now”, or when a per-site “Scan now” is triggered. For continuous monitoring without a tab open, run the same endpoints from a cron job or a CI workflow.
Where is the watchlist stored?
In your browser localStorage under the key pag-securitywatch-v1. It is never sent to PeopleAreGeek or to any other server. Export to JSON to back it up before clearing browser data.
What is the defacement check exactly?
SecurityWatch fetches the homepage HTML, strips inline scripts, head tags and well-known dynamic markup (timestamps, CSRF nonces, common ad noise), and computes a SHA-256 of what remains. A change in that hash between two scans flags as a possible defacement so you can review the page yourself.
How do I wire the webhook to Slack or Discord?
Create an incoming webhook in Slack (Workflow Builder or App Settings) or in your Discord channel (Edit Channel → Integrations → Webhooks). Copy the URL, paste it in the Alerts tab. SecurityWatch sends a JSON payload that both platforms parse out of the box.
What counts as a security header regression?
A header that was present in the previous snapshot and is now missing or empty. Adding a new header is reported as an improvement; removing one is reported as a regression with the severity of the missing control (HSTS removal is high, Referrer-Policy removal is low).
Will SecurityWatch trigger my WAF or my hosting provider?
Unlikely. The probes are normal HTTP HEAD / GET requests against the public homepage at a low rate. They look identical to what a search-engine crawler does. SecurityWatch does not authenticate, does not POST forms, does not fuzz parameters and does not crawl beyond the homepage.
