Monitoring WebPress Client Sites for Agencies: SSL, DNS, and Platform Opacity

Managed WordPress hosting has changed how agencies deliver WordPress sites. Platforms like WebPress abstract away server management, PHP version control, and SSL certificate renewal — reducing the operational burden on agencies whose clients don't want to think about infrastructure. For agencies managing large WordPress portfolios, managed hosting makes per-site maintenance tractable.

The trade-off is opacity. When the managed hosting platform controls the SSL layer, certificate renewal happens on the platform's schedule through the platform's tooling. When something in that process fails — a CAA record conflict blocks Let's Encrypt re-issuance, a CNAME delegation breaks after a client nameserver migration — the agency does not necessarily receive a platform alert. The site continues to run until the certificate expires or the CNAME fully breaks, at which point the problem becomes a client-visible outage.

This post covers the SSL and DNS failure modes specific to WebPress agency portfolios and what a managed WordPress-specific monitoring setup looks like.


How Managed WordPress Hosting Handles SSL

Managed WordPress platforms provision and renew SSL certificates automatically via Let's Encrypt or their own certificate authority. The general sequence:

  1. The client connects a custom domain in the hosting dashboard
  2. The hosting platform verifies domain ownership via DNS or HTTP challenge
  3. SSL certificate is provisioned and stored in the platform's certificate management layer
  4. Renewal happens automatically before expiry — typically 30–60 days ahead

This automation works reliably when the DNS configuration is stable. The failure modes emerge when DNS changes outside the platform's visibility break the ownership verification or CNAME delegation, blocking automatic renewal without triggering a platform alert to the agency.


The Failure Modes to Watch

1. CAA record conflicts blocking Let's Encrypt re-issuance

Certification Authority Authorization (CAA) DNS records specify which certificate authorities are permitted to issue certificates for a domain. When a client adds a CAA record to restrict certificate issuance — often done by a client IT team following security hardening guidance — and that CAA record does not include Let's Encrypt's authorization entry, the managed hosting platform cannot renew the certificate when renewal comes due.

The site continues operating with the existing certificate until expiry. When the certificate expires and renewal fails, the site shows a browser security error. The managed hosting platform may notify the account holder — which is often the client, not the agency.

What to monitor: SSL chain validity for every client domain with expiry alerts firing 30 days before the expiry window. A CAA record conflict discovered 30 days before expiry is fixable before the certificate expires. A CAA conflict discovered on expiry day is an emergency.
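The CAA conflict can also be checked directly, ahead of any renewal attempt. The sketch below is an added example, not code from WebPress or Merlonix: it applies the RFC 8659 rules (climb toward the root, first name with CAA records wins, `issuewild` overrides `issue` for wildcard names) to CAA record sets that are constructed sample data. The domain names and the `otherca.example` identifier are assumptions; `letsencrypt.org` is the identifier Let's Encrypt matches in CAA records.

```python
# Added example. CAA record sets below are constructed sample data, not real DNS answers.
# Each record is (flags, tag, value) as defined in RFC 8659.
SAMPLE_CAA = {
    "clientdomain.com": [(0, "issue", "otherca.example"),
                         (0, "iodef", "mailto:it@clientdomain.com")],
    "agencyclient.org": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                         (0, "issuewild", ";")],
    "lockeddown.net": [(0, "issue", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, caa_by_name):
    """Climb from name toward the root; the first name with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if caa_by_name.get(candidate):
            return candidate, caa_by_name[candidate]
    return None, []


def ca_may_issue(name, ca_id, caa_by_name, wildcard=False):
    """Return (allowed, reason) for one CA identifier such as 'letsencrypt.org'."""
    owner, records = relevant_caa_set(name, caa_by_name)
    if not records:
        return True, "no CAA records on the path to the root"
    for flags, tag, _ in records:
        # A critical (0x80) property the CA does not understand blocks issuance.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}' at {owner}"

    def issuers(tag):
        # Drop parameters after ';' so 'ca.example; k=v' compares as 'ca.example'.
        # A bare ';' yields '' and therefore matches no CA at all.
        return [v.split(";", 1)[0].strip().lower()
                for _, t, v in records if t.lower() == tag]

    allowed = issuers("issue")
    if wildcard and issuers("issuewild"):
        allowed = issuers("issuewild")  # issuewild overrides issue for wildcard names
    if not allowed:
        return True, f"CAA at {owner} carries no issue restriction"
    if ca_id.lower() in allowed:
        return True, f"{ca_id} is authorized at {owner}"
    return False, f"{ca_id} is not authorized at {owner}; allowed: {allowed}"
```

Run it against the CAA answers for every client hostname, including staging subdomains, since a record added at the apex applies to every name beneath it that has no CAA set of its own.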

2. CNAME delegation breaks after client nameserver migrations

Managed WordPress hosting typically requires clients to point their domain to the platform via CNAME records. When a client migrates their nameserver provider — moving to Cloudflare, consolidating DNS at a new IT provider, or switching registrars — the CNAME records must be recreated at the new nameserver provider.

This step is frequently missed or partially executed. The root domain CNAME might be recreated correctly while the www subdomain CNAME is forgotten. Or the CNAME target from the old provider might be recreated verbatim when the managed hosting platform uses a different CNAME target for the new configuration.

The symptom depends on what breaks: if the www CNAME is lost, https://www.clientdomain.com stops resolving while https://clientdomain.com stays up. If the root CNAME is wrong, the reverse happens. If both break, the site is fully offline.

What to monitor: CNAME record integrity for every domain delegation, verified with multiple independent DNS resolvers on every check interval. A CNAME that resolves correctly from one resolver may still be broken globally for several hours after a DNS change.
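One way to express the multi-resolver comparison, as an added example that is not the platform's or any vendor's code. The resolver labels, the `webpress-host.example` targets and the observed answers are constructed; gathering the answers from real resolvers is left to whichever DNS client the team already uses.

```python
# Added example. Hostnames, CNAME targets and resolver answers are constructed sample data.
EXPECTED = {"clientdomain.com": "sites.webpress-host.example",
            "www.clientdomain.com": "sites.webpress-host.example"}
RETIRED = ("legacy.webpress-host.example",)  # hypothetical target from an old configuration
OBSERVED = {
    "clientdomain.com": {"resolver-a": "sites.webpress-host.example.",
                         "resolver-b": "Sites.WebPress-Host.example",
                         "resolver-c": "sites.webpress-host.example"},
    "www.clientdomain.com": {"resolver-a": "legacy.webpress-host.example.",
                             "resolver-b": None,  # no answer / NXDOMAIN
                             "resolver-c": "sites.webpress-host.example."},
}


def normalize(target):
    """DNS names compare case-insensitively and ignore the trailing root dot."""
    return target.rstrip(".").lower() if target else None


def classify_answer(seen, expected, retired=()):
    seen = normalize(seen)
    if seen is None:
        return "missing"
    if seen == normalize(expected):
        return "match"
    if seen in {normalize(r) for r in retired}:
        return "stale_target"  # old record recreated verbatim after a migration
    return "unexpected"


def check_delegation(host, expected, answers, retired=()):
    """answers maps a resolver label to the CNAME target it returned (or None)."""
    verdicts = {r: classify_answer(t, expected, retired) for r, t in answers.items()}
    matches = sum(v == "match" for v in verdicts.values())
    if not verdicts or matches == 0:
        status = "broken"
    elif matches == len(verdicts):
        status = "ok"
    else:
        status = "inconsistent"  # resolvers disagree: change in flight or partial break
    return {"host": host, "status": status, "resolvers": verdicts}


def failing_delegations(expected_by_host, observed, retired=()):
    """Check every hostname of a domain and return only the ones that need attention."""
    results = [check_delegation(h, exp, observed.get(h, {}), retired)
               for h, exp in expected_by_host.items()]
    return [r for r in results if r["status"] != "ok"]
```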

3. Staging subdomain SSL and DNS gaps

Agencies using WebPress for client site management often run client staging environments on platform-managed subdomains or client-branded staging subdomains: staging.clientdomain.com or dev.clientdomain.com. These subdomains have separate DNS records and separate SSL certificates from the production domain.

Staging environment SSL failures are lower severity than production failures but cause real operational problems: developers cannot test changes, clients cannot review work before launch, and QA processes break. When a staging SSL failure goes unnoticed — because the team only monitors production — the first notification is a developer reporting that the staging environment is inaccessible.

What to monitor: SSL chain validity and CNAME integrity for staging subdomains with the same coverage as production. Staging SSL failures should be low-urgency alerts rather than no alerts.
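A minimal certificate check that applies the 30-day lead time and the production/staging urgency split described above. This is an added example, not part of any platform's tooling; the hostnames, the `env` labels and the result field names are assumptions, and the `notAfter` strings used to exercise it offline would be constructed values in the format Python's `ssl` module returns.

```python
# Added example. Field names and urgency labels are illustrative assumptions.
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # lead time recommended in the article


def fetch_not_after(host, port=443, timeout=5):
    """Live check. The default context validates chain and hostname, so a broken
    chain raises ssl.SSLCertVerificationError instead of returning a date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now):
    """not_after uses the ssl module's format, e.g. 'Jan 21 00:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def evaluate(host, env, not_after=None, error=None, now=None):
    """Turn one check result into an alert record; env is 'production' or 'staging'."""
    now = now or datetime.now(timezone.utc)
    urgency = "high" if env == "production" else "low"  # staging still alerts, quietly
    if error is not None:
        return {"host": host, "state": "chain_invalid", "urgency": urgency, "detail": str(error)}
    remaining = days_left(not_after, now)
    if remaining < 0:
        state = "expired"
    elif remaining <= WARN_DAYS:
        state = "expiring"
    else:
        return {"host": host, "state": "ok", "urgency": None, "detail": f"{remaining} days left"}
    return {"host": host, "state": state, "urgency": urgency, "detail": f"{remaining} days left"}


def check_host(host, env):
    """Fetch and evaluate in one step; network and TLS errors become alert records."""
    try:
        return evaluate(host, env, not_after=fetch_not_after(host))
    except (ssl.SSLError, OSError) as exc:
        return evaluate(host, env, error=exc)
```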

4. Domain expiry on client-controlled registrars

WordPress site clients frequently manage their own domain registrations independently of the hosting relationship. The agency manages the hosting. The client manages the registrar. When domain renewal fails — because a credit card on file at the registrar expired, auto-renewal was disabled, or a renewal email went to a former employee's inbox — the domain stops resolving.

The managed hosting platform, the SSL certificates, and the WordPress installation are all functioning. The domain simply does not resolve anymore. The entire site is offline until the domain is renewed, which can take 24–72 hours if the domain has entered the grace period or been released.

What to monitor: Domain expiry dates for every client domain with alerts firing 30 days before the expiry window. For client-controlled registrations, 30 days of lead time is enough to contact the client and confirm renewal is in progress before any DNS failure starts.


What a WebPress Agency Monitoring Setup Covers

An effective monitoring setup for a managed WordPress agency portfolio has four layers:

SSL chain validation: Full certificate chain monitoring for every client domain and staging subdomain. Alerts fire on any chain validation failure and 30 days before expiry — giving time to identify and resolve CAA conflicts or CNAME delegation issues before certificates expire.

CNAME integrity monitoring: DNS record verification for every CNAME delegation to the WebPress hosting infrastructure. Three independent resolvers verify the expected CNAME target on every check interval. When a nameserver migration breaks a delegation, the alert fires within minutes.

HTTP uptime for production and staging: HTTP availability checks for production pages and staging environments. These complement SSL and DNS monitoring by catching HTTP-layer failures — server errors, platform outages — that SSL and DNS monitoring alone does not detect.

Domain expiry tracking: Expiry date monitoring for every client domain, with 30-day alerts for client-controlled registrations where the agency does not manage the renewal process directly.


Why Managed Hosting Does Not Eliminate the Monitoring Need

The intuition that managed hosting removes the agency's SSL monitoring responsibility is understandable but incorrect. Managed hosting removes the certificate provisioning and renewal responsibility — the agency no longer needs to run certbot or manually request certificates. It does not remove the monitoring need for three reasons:

The platform monitors its own infrastructure, not the DNS configuration the client controls. CAA record conflicts and CNAME breaks are caused by DNS changes outside the platform. The platform may not detect these until certificate renewal fails — which is too late.

Platform alerts go to the account holder, not always the agency. Depending on how the agency has structured the client's hosting account, platform renewal failure alerts may go to the client's billing email rather than the agency's operations team.

Domain expiry is fully outside the hosting platform's visibility. No managed hosting platform monitors domain registration expiry at the registrar level. A domain that expires takes the site offline regardless of the hosting platform's health.


How Merlonix Covers Managed WordPress Agency Portfolios

Merlonix is designed for agencies managing client portfolios on platforms like WebPress where SSL and DNS configuration is partially transparent. Adding a client domain takes under two minutes: DNS TXT record verification, then full SSL chain monitoring and DNS record monitoring start automatically for the apex domain and any additional subdomains.

CNAME integrity monitoring fires within minutes of any delegation change. SSL chain validation fires immediately on any certificate change or validation failure. Domain expiry alerts fire 30 days ahead of the expiry window.

Start a free trial and add your first managed WordPress client domain.

