The managed host provisioned the SSL.
IT migrated the nameserver. The CNAME broke.
WordPress VIP agencies on WP Engine, Pantheon, and Kinsta rely on the managed host to provision SSL — but the CNAME delegation pointing the enterprise client's domain at the host is controlled by the client's IT department. When IT migrates nameservers or registrars, the host loses the delegation, SSL renewal fails, and the agency finds out from the client. Merlonix monitors the CNAME layer so you know before IT does.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where WordPress VIP agencies get caught out
Three failure modes specific to enterprise WordPress client deployments.
WordPress VIP agencies on WP Engine, Pantheon, and Kinsta deal with IT-controlled DNS breaking managed host SSL provisioning, Multisite subdomain certificate accumulation, and headless WordPress API subdomain SSL expiring independently from the frontend.
Managed host SSL depends on a CNAME the client controls
WP Engine, Pantheon, and Kinsta provision SSL automatically — but only while the client's DNS CNAME delegation remains intact
Managed WordPress hosts provision SSL certificates automatically when a custom domain is added to the hosting account. The certificate provisioning relies on the client's CNAME record pointing the domain at the host's infrastructure. Enterprise clients on managed WordPress hosting control their own DNS — often through a corporate registrar managed by procurement or an internal IT team. When IT migrates the registrar, consolidates DNS providers, or changes nameservers for an unrelated infrastructure project, the CNAME delegation breaks. The managed host can no longer validate the domain, SSL renewal fails, and the next renewal cycle produces a certificate error. The agency has no visibility into the client's DNS management decisions and no automatic notification when the CNAME breaks.
WordPress Multisite subdomain SSL accumulates across client network
WordPress Multisite networks on managed hosts provision a SSL certificate per subdomain — each one with an independent expiry and CNAME requirement
Enterprise WordPress agencies frequently deploy WordPress Multisite for clients running multiple brand sites, regional subsites, or departmental microsites from a single WordPress installation. Each subsite in the network — brand1.clientdomain.com, uk.clientdomain.com, press.clientdomain.com — requires its own CNAME delegation to the managed host and its own SSL certificate. Managed hosts provision these certificates, but certificate renewal for each subsite depends on its CNAME remaining intact. When a client adds a subsite and later decommissions it without removing the CNAME, the dangling record points at a hostname the host may eventually reassign. When a subsite is migrated to a new host without updating the CNAME, the old certificate breaks silently. Agencies managing Multisite networks accumulate SSL obligations across the entire client network — not just the primary domain.
Headless WordPress REST API subdomains carry independent SSL
Agencies running headless WordPress with a decoupled frontend configure a separate API subdomain whose SSL certificate expires independently from the frontend
WordPress VIP agencies building headless WordPress setups configure a REST API or GraphQL endpoint on a separate subdomain — api.clientdomain.com or cms.clientdomain.com — pointing at the WordPress backend on the managed host. The frontend runs on a different CDN: Vercel, Netlify, or Cloudflare Pages. The managed WordPress host provisions an SSL certificate for the API subdomain. The CDN provisions a separate SSL certificate for the frontend domain. These two certificates expire on different schedules. If the API subdomain SSL expires, the frontend continues to load correctly from the CDN while every content fetch from the WordPress backend fails with an SSL error. Standard uptime monitoring checking the frontend URL reports the site as up while all dynamic content is broken.
How it works
SSL and DNS monitoring across every domain in your WordPress enterprise client network.
Merlonix monitors CNAME integrity and SSL health for managed WordPress primary domains, Multisite subsites, and headless WordPress API subdomains from a single dashboard — so agencies catch IT-side DNS breaks before the managed host loses SSL provisioning.
01
Add every subdomain across the Multisite network
Verify ownership with a DNS TXT record on the apex domain. Multisite subsites, headless WordPress API subdomains, and staging environments are added without additional verification. The full network is monitored from a single dashboard regardless of which managed host or CDN each subdomain uses. Under two minutes per client to get full Multisite network coverage.
02
CNAME integrity checks catch IT-side nameserver changes
Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client IT department migrates nameservers and silently drops the WP Engine or Pantheon CNAME, the alert fires within minutes — before the managed host loses domain validation and before SSL renewal fails. The agency knows before IT does.
03
SSL monitoring for managed host, CDN, and API subdomains independently
Full SSL chain validation on every monitored domain independently. A headless WordPress API subdomain certificate expiry fires 30 days in advance — separate from the frontend CDN certificate. Multisite subsite certificates are monitored individually. Domain registration expiry is tracked separately from SSL expiry for every domain in the network.
04
Vendor status for WP Engine, Pantheon, Kinsta, and CDN platforms
Merlonix monitors managed WordPress host platform status alongside client SSL and DNS. When a WP Engine infrastructure incident causes SSL provisioning failures across multiple client portfolios, you see the vendor event — distinguishing a host-side incident from a client IT-side DNS change that requires different remediation.
What the numbers mean for WordPress VIP agencies
Monitoring built for enterprise WordPress portfolios with IT-controlled DNS.
WordPress VIP agencies managing enterprise client networks on WP Engine, Pantheon, and Kinsta need SSL and DNS monitoring that covers the full Multisite subdomain network — and catches IT-side CNAME breaks before the managed host loses SSL provisioning.
< 10 min
Time from DNS change to alert — catches IT-side nameserver migrations before the managed host loses CNAME validation and SSL renewal fails
30 days
SSL expiry warning lead time — covers managed host certificates, headless API subdomain certificates, and Multisite subsite certificates independently
11 vendors
Upstream services monitored — WP Engine, Pantheon, and Kinsta platform status tracked to distinguish host incidents from client DNS changes
200 assets
Maximum monitored domains on the Agency plan — covers primary domains, Multisite subsites, and headless API subdomains across a full enterprise WordPress client roster
Pricing
Flat monthly fee. Every subdomain and Multisite network included.
No per-domain charges. No per-subsite fees. Pick the tier that fits your WordPress client count and add Multisite subsites without billing surprises.
Starter
For individual WordPress developers managing a small enterprise client portfolio.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For WordPress VIP agencies with Multisite networks and headless API subdomains across multiple enterprise clients.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full enterprise WordPress client roster on WP Engine, Pantheon, and Kinsta.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when an IT nameserver change breaks your managed WordPress SSL before the client escalates.
Add your first WordPress enterprise client domain in under two minutes. Multisite subsites and headless API subdomains are covered from the same dashboard. 14-day trial, no card required.