WordPress Site Health Critical Issues Explained (and Fixed) 2026
Quick answer
WordPress Site Health flags critical issues that affect security, performance, or update reliability. The most common are: outdated PHP (fix: update to PHP 8.2+ via host panel), missing PHP modules (fix: ask host to enable curl, imagick, intl), HTTPS not enforced (fix: install SSL and force HTTPS in wp-config), background updates disabled (fix: check DISABLE_WP_CRON and file permissions), and REST API failures (fix: resave permalinks, disable REST-blocking security rules).
How to read Site Health properly
In wp-admin go to Tools → Site Health → Status. Each critical issue links to a technical explanation, but WordPress's language is aimed at engineers. Below is the plain-English version of the eight issues we see 90% of the time on client sites — plus the exact fix.
Critical #1 — Your version of PHP is outdated
WordPress 6.5+ requires PHP 7.4 minimum and strongly recommends 8.2 or 8.3. If you're on 7.4 or older, plugins will break as they drop old-PHP support through 2026.
Fix: log into your host control panel (cPanel → Select PHP Version, or Plesk → PHP Settings). Switch to 8.2 or 8.3. Test the site — if a plugin breaks, replace or update it. Never stay below 8.1 in 2026.
Critical #2 — One or more required PHP modules missing
WordPress needs curl (for external API calls), imagick or GD (for image processing), intl (for internationalization), and mbstring (for multibyte strings). Missing any of these breaks core functionality.
Fix: contact your host and ask them to enable the missing module(s). All reputable hosts enable them by default; if yours doesn't, that's a signal it's time to migrate.
Critical #3 — Your site is not using HTTPS
Chrome flags non-HTTPS sites as "Not Secure" and Google demotes them in search. Fix: install a free Let's Encrypt SSL cert via your host panel (one click on 95% of hosts). Then force HTTPS by adding to wp-config.php:
define('WP_HOME', 'https://yourdomain.com'); define('WP_SITEURL', 'https://yourdomain.com');
Prefer we just fix it?
Errors like this stop happening on a proper maintenance plan — staged updates, visual regression, daily backups, and a human on-call. From $99/mo, cancel anytime. Learn more about WordPress maintenance plan or grab a slot below.
Critical #4 — Background updates are not working
WordPress auto-updates security releases in the background — but only if cron is running and files are writable. If Site Health warns background updates fail: check DISABLE_WP_CRON in wp-config.php (should be either absent or paired with a real server cron), verify /wp-content and /wp-includes are writable by the web server user, and confirm your host isn't blocking outbound HTTPS to api.wordpress.org.
Critical #5 — The REST API encountered an error
The block editor and many plugins rely on the REST API. If it fails: resave permalinks (Settings → Permalinks → Save Changes), disable security plugins one at a time to find one blocking /wp-json/, and check Cloudflare WAF rules for a WordPress managed rule blocking authenticated REST calls.
See our separate guide on "Updating failed: the response is not a valid JSON response" for the deep-dive fix.
Critical #6 — Communication with WordPress.org failed
Your server can't reach api.wordpress.org. Auto-updates, plugin installs, and health checks all fail. Fix: ask your host to whitelist outbound HTTPS to api.wordpress.org and downloads.wordpress.org, or move to a host that doesn't sandbox outbound traffic.
Critical #7 — A scheduled event has failed
wp-cron isn't firing. See our guide on "WordPress cron not running" — the fix is to disable pseudo-cron and set a real server cron every 5 minutes.
When to call for help
Site Health critical issues rarely require an emergency — they're chronic, not acute. But if two or three are firing at once, it usually means you're on a host that's under-provisioning your account. That's when a migration pays for itself. We audit Site Health on every care plan and clear the entire list.
Common questions
Are WordPress Site Health critical issues actually critical?+
They're not "site is down right now" critical, but they affect security, performance, or update reliability. Outdated PHP and missing HTTPS are urgent. Missing PHP modules and background update failures are chronic — fix them within a month.
How do I fix the outdated PHP warning in WordPress?+
Log into your host control panel (cPanel → Select PHP Version, Plesk → PHP Settings, or your managed host's dashboard). Switch to PHP 8.2 or 8.3. Test the site immediately — replace or update any plugin that breaks. Never stay below PHP 8.1 in 2026.
What does "REST API encountered an error" mean in Site Health?+
The WordPress REST API endpoint isn't responding properly. The block editor and many plugins need it. Fix by resaving permalinks (Settings → Permalinks → Save Changes), disabling any security plugin that blocks /wp-json/ for non-authenticated users, and checking Cloudflare WAF rules.
How do I hide non-critical Site Health warnings?+
You shouldn't — they're worth reading. But if a specific check is firing false-positive because of your host's configuration (common with managed hosts that handle background updates differently), install Health Check & Troubleshooting and disable individual tests.
Want help with this?
The pages below go deeper, by service and by city.
Want this handled for you?
Book a call and we will review your site before recommending anything.