A tiny self-hosted dashboard for keeping PHP apps healthy.

PHP LittleKit is a lightweight app health dashboard for monitoring existing PHP applications such as Laravel, WordPress, Stackmint, and custom PHP projects. It is built with plain PHP 8.1+, Bootstrap 5, sessions, and SQLite so it can be uploaded as a small folder and run without a full framework.

PHP LittleKit is not a replacement for Laravel Forge, CloudPanel, cPanel, MainWP, or full server management tools. It is a tiny app health dashboard for existing PHP applications.

Main dashboard:

Health graphs:

PHP LittleKit helps you keep an eye on basic health signals for PHP apps you already host:

• App path exists and is readable
• HTTP status and response time
• SSL certificate expiration
• Disk space
• Writable storage/cache directories
• Large log files
• Framework-specific health checks
• Backup path detection
• Simple client-friendly HTML reports
• Optional email alerts with PHP mail()

It does not deploy apps, create servers, update WordPress plugins, run Laravel commands, modify monitored files, or replace a server control panel.

Because PHP LittleKit runs on your own server, it cannot alert you if that same server is completely offline. For best coverage, pair it with an outside uptime or ping service that checks your public sites from another network.

PHP LittleKit is aimed at:

• Freelancers maintaining several client PHP sites
• Small agencies that want a simple internal health panel
• Indie PHP developers managing side projects
• Developers who host apps on VPS, shared hosting, or small private servers
• Teams that want a lightweight read-only dashboard instead of a large monitoring stack

PHP LittleKit is not:

• A hosting control panel
• A deployment platform
• A replacement for Laravel Forge, CloudPanel, cPanel, Plesk, MainWP, or similar tools
• A WordPress update manager
• A backup system
• A server security scanner
• A full uptime monitoring service

It is intentionally small and focused on app health visibility.

• Plain PHP 8.1+ application
• No Laravel, Symfony, or full framework dependency
• Bootstrap 5 UI from CDN
• SQLite persistence
• Session authentication
• Passwords stored with password_hash()
• Login verification with password_verify()
• CSRF protection on POST forms
• Secure session cookie settings
• Basic failed-login rate limiting
• Dashboard summary cards
• App management for Laravel, WordPress, Stackmint, and plain PHP apps
• Read-only health checks
• Health result history
• Backup detection checks
• Email alert settings
• Client report page with browser print support
• Security status page
• Local folder-based plugin system
• Apache .htaccess protections
• Nginx and Caddy guidance

• PHP 8.1 or newer
• PDO SQLite extension
• cURL extension
• OpenSSL extension
• Writable storage/ directory
• PHP sessions enabled
• A web server that can run PHP

Recommended:

• HTTPS
• A private subdomain
• IP restriction at the web server or firewall when possible
• Server rules that block direct access to app, config, storage, and views

Use this when you want PHP LittleKit available at a path such as:

https://example.com/phplittlekit/

Steps:

1. Upload the PHP LittleKit folder to your site as phplittlekit.
2. Make sure the web server can write to storage/, storage/logs/, and storage/cache/.
3. Visit:

https://example.com/phplittlekit/install.php

4. Complete the installer.
5. Sign in at:

https://example.com/phplittlekit/login.php

Apache can use the included .htaccess rules. Nginx and Caddy need equivalent deny rules for protected folders.

Use this when you want PHP LittleKit on a dedicated hostname such as:

https://phplittlekit.example.com/

Recommended layout:

/var/www/phplittlekit/

Point the subdomain document root at the PHP LittleKit folder, then visit:

https://phplittlekit.example.com/install.php

A subdomain is usually cleaner than a subfolder because cookies, access rules, and IP restrictions are easier to isolate.

Use this when you do not want PHP LittleKit publicly reachable.

Example private run from the server:

cd /path/to/phplittlekit
php -S 127.0.0.1:8080

Then from your local machine:

ssh -L 8080:127.0.0.1:8080 user@example.com

Open locally:

http://127.0.0.1:8080/install.php

This option is useful for a private admin-only install, but for long-term use you will usually want a proper web server service instead of PHP's built-in server.

Start the installer by visiting:

/install.php

For a subfolder install:

/phplittlekit/install.php

The installer checks:

• PHP version >= 8.1
• PDO SQLite
• cURL
• OpenSSL
• Writable storage directory
• Session support

The install form creates:

• Admin username
• Admin password
• Panel name
• Panel base URL

After installation, PHP LittleKit:

• Creates the SQLite database tables
• Stores settings in SQLite
• Stores the admin user with password_hash()
• Marks the app as installed
• Writes storage/installer.lock
• Redirects future installer visits to login

After signing in, go to Apps and choose Add App.

Each app has:

• Name
• Client / group
• App type: auto, Laravel, WordPress, Stackmint, or plain PHP
• Absolute server path
• Optional URL
• Environment: production, staging, local, or other
• Notes

App paths must be absolute existing directories. PHP LittleKit normalizes configured paths and rejects relative paths, traversal paths, and invalid paths.

For auto detection, PHP LittleKit looks for common framework markers such as Laravel artisan, WordPress wp-config.php, Stackmint-like structure, and public entry files.

You can run checks from:

• An app detail page
• The dashboard table
• The dashboard Run Checks for All Apps button
• The web cron endpoint, if enabled

Checks are synchronous in the current version. For a small number of apps this is simple and practical. A background queue may be added later.

PHP LittleKit includes an optional web cron endpoint.

In Settings, enable the web cron endpoint and generate a cron token. The endpoint will look like:

https://example.com/phplittlekit/cron?token=YOUR_TOKEN

Example cron entry:

*/15 * * * * curl -fsS "https://example.com/phplittlekit/cron?token=YOUR_TOKEN" >/dev/null 2>&1

Keep the token private. If it is exposed, regenerate it in Settings.

On VPS-style installs, you can also run cron from the command line without exposing a web cron URL:

*/15 * * * * cd /path/to/phplittlekit && php cli.php cron:run >/dev/null 2>&1

Run additive schema migrations from the command line with:

php cli.php migrate

PHP LittleKit is an admin dashboard. Treat it like one.

Recommended:

• Use HTTPS.
• Use a strong, unique admin password.
• Install on a private subdomain when possible.
• Restrict access by IP address if your server allows it.
• Enable the built-in login IP allowlist if web-server IP restriction is not available.
• Prefer a private subdomain, VPN, or SSH tunnel for admin-only installs.
• Keep app, config, storage, and views blocked from direct web access.
• Do not expose storage/database.sqlite.
• Do not expose storage/installer.lock.
• Keep PHP and your web server patched.
• Back up storage/database.sqlite.
• Review the Settings > Security Status page after install.
• Review Settings > Login Audit after suspicious sign-in activity.

Apache users can use the included .htaccess files. Nginx and Caddy users must add equivalent deny rules. See docs/server-config.md.

More deployment guidance is in SECURITY.md.

Laravel checks run only when Laravel checks are enabled in Settings and the app is detected as Laravel or has app type laravel.

Laravel checks include:

• .env exists
• APP_KEY present
• Warning for APP_ENV=local on production apps
• Warning for APP_DEBUG=true on production apps
• storage/ writable
• bootstrap/cache/ writable
• storage/logs/laravel.log size
• Failed jobs table check when database credentials can be read safely
• Scheduler marker check
• Migration file/status informational check

PHP LittleKit does not run artisan commands in v1.

For the scheduler check, add a marker touch after your normal scheduler command:

* * * * * cd /path/to/laravel-app && php artisan schedule:run && touch storage/framework/phplittlekit-schedule.txt

The scheduler check warns if the marker file is missing or older than 2 hours.

WordPress checks run only when WordPress checks are enabled in Settings and the app is detected as WordPress or has app type wordpress.

WordPress checks include:

• wp-config.php exists
• Warning when WP_DEBUG is true
• Warning when DISALLOW_FILE_EDIT is missing or false
• wp-content/uploads writable
• WordPress version read from wp-includes/version.php
• Plugin directory count
• Active plugin detection only when database access can be read safely
• Theme directory count
• Common error log size checks

PHP LittleKit does not update WordPress core, plugins, or themes. It is not meant to compete with MainWP.

Stackmint checks run only when Stackmint checks are enabled in Settings and the app is detected as Stackmint or has app type stackmint.

Because Stackmint app structure may vary, detection is intentionally flexible.

Stackmint checks include:

• Environment/config check
• Storage writable check
• Log size check
• Database connection check when readable config is available
• public/index.php check

All Stackmint checks are read-only.

Custom PHP checks run when plain PHP checks are enabled in Settings and the app is detected as plain PHP or has app type plain_php.

Custom PHP checks include:

• Public index.php check
• Common error log size checks
• Common writable directory checks
• Dangerous file exposure warnings

Dangerous file exposure warnings look for files such as:

• .env
• .git
• composer.json
• composer.lock
• Database dumps
• .sql files
• Backup zip files
• Log files

PHP LittleKit only reports warnings. It does not delete or edit monitored files.

PHP LittleKit can detect whether backups appear to exist. It does not create backups yet.

For each app, you can configure backup paths for:

• Database backups
• File backups
• Other backups

Detected backup file types include:

• .sql
• .sql.gz
• .zip
• .tar.gz
• .backup
• .bak

Backup checks can warn when no recent backup is found, the latest backup is empty, or fewer than 3 backup files are detected. Backup checks can be disabled in Settings for sites that do not use backups.

PHP LittleKit can collect lightweight host stats when cron runs. This is for the server running PHP LittleKit, not for every remote app URL.

The server health page can show:

• Load average and CPU core count
• Memory and swap usage
• Disk free space for the PHP LittleKit storage volume
• Uptime
• Top memory process snapshots
• Recent server health history

Server health collection can be disabled in Settings. Process snapshots can also be disabled or limited. This feature is read-only and uses PHP functions plus Linux /proc files when available. On hosts without readable /proc, PHP LittleKit records a warning instead of failing the cron run.

Server health history is cleaned up by the same health data retention setting used for app health history.

The Reports page creates a simple client-friendly HTML health report.

Report options:

• Select app
• Date range
• Include warnings
• Include technical details
• Include notes

Reports can be printed or saved as PDF through the browser print dialog. No PDF library is included in v1.

PHP LittleKit v1 sends simple text alerts using PHP mail().

Alert options:

• Alerts enabled
• Alert email address
• Only send on critical
• Send warnings
• Critical reminder interval hours

PHP LittleKit sends alerts on state changes, such as passing to warning or warning to critical. It does not repeat unchanged alerts every cron run. Set the critical reminder interval to 0 to never repeat unchanged critical alerts, or use a value such as 24 to resend ongoing critical reminders once per day.

PHP LittleKit supports local folder-based plugins. Upload plugin folders to /plugins, review the code, then enable them from Settings > Plugins. Disabled plugins are discovered but not executed.

Plugins can add dashboard widgets, app detail panels, read-only health checks, and scoped plugin routes. The included Laravel Ops plugin shows queue state, scheduler marker health, cache stats, and history charts for Laravel apps. See docs/plugins.md.

Plugins are PHP code. Only enable plugins from trusted sources after reviewing their files.

From the project directory:

php -S localhost:8000

Then open:

http://localhost:8000/install.php

Seed local demo data, including Laravel Ops history charts:

php scripts/seed-demo.php

Remove seeded demo data while keeping the admin account and settings:

php scripts/reset-app.php

Clear all monitored apps and app health data while keeping the admin account and settings:

php scripts/reset-app.php --all-app-data --yes

Possible future improvements:

• CLI cron command
• Background health check runner
• More detailed alert channels
• Better historical charts
• Exportable reports
• Optional dark theme
• Additional framework checks
• Configurable health check thresholds
• Two-factor authentication
• Role-based users
• Backup creation integrations

The application version is defined in config/app.php and displayed in the footer. The first alpha tag is v0.1.0-alpha.1. Before publishing a release, use docs/release-checklist.md.

PHP LittleKit is open-sourced under the MIT License. See LICENSE.