The Tools usage guide is a detailed look at the features and configuration options located in the WPMU DEV Hosting Tools tab, which include:

  • Password Protection
  • Web Application Firewall (WAF)
  • Multisite
  • PHP Version
  • Database Manager
  • File Manager
  • Object Cache
  • Static Server cache
  • WP-Config
  • Migrate Existing Site
  • Bruteforce Attack Protection
  • Reset WP

Use the index on the left to locate usage guidance for a specific feature quickly.

If you have not set up a WPMU DEV hosting account, visit hosting to explore the features, pricing, and get a free trial.

Already a Member?

Visit your hosting dashboard to get started. More on getting started with WPMU DEV hosting can be found here.

Access your Hosting Tools from the Hosting tab by clicking the site you wish to manage.

Hub hosting domain list

Then, click the Tools tab.

Hosting tools tab

6.1 Password Protection

Copy chapter anchor to clipboard

You have the option of enabling ‘Password Protection’ on any site. Unlike your WordPress credentials, which control access to a site’s admin areas, Password Protection controls access to an entire site, meaning only those who know the password can work on or view a site. It even hides a site from search engines.

This is useful when developing a new site that you don’t want yet publicly available on the web. You can share the username and password with clients or colleagues, but unauthorized admin users and the general public will not have access.

Password Protection uses Basic HTTP Authentication and does not use any WordPress usernames or login details.

Users who attempt to access any part of your site will see a login modal similar to the one in the image below. Only by entering the correct credentials will the user be allowed to proceed.

Password protected login modal

Click On/Off in the Password Protection row to enable/disable the feature.

Enable password protection for a WPMU DEV hosted site

Then use the toggle in the modal to turn site protection on or off.

tools-password-protection

Once active, create a username and password you wish to apply to this site. A strong password will be generated, or you can add a custom password into the field. When activating or deactivating your password, click Save to save your changes.

tools-password-protection-enable

6.2 Web Application Firewall (WAF)

Copy chapter anchor to clipboard

Our Web Application Firewall (WAF) monitors the IP addresses and user agents attempting to access your site and filters out traffic that is known to be unsafe or that you have identified as unwanted.

The key distinction between our WAF and typical site security protocols is that a security plugin protects a site at the point of attack, whereas a WAF prevents unwanted traffic from ever reaching its intended target in the first place (learn more about how WAFs work).

Our WAF protects sites from attacks such as cross-site request forgeries, cross-site-scripting (XSS), file inclusions, and SQL injections.

Additional Protection

For additional steps in protecting your site, use Defender, and check out the Ultimate Guide to Security on the blog.

NOTE

When enabled, the WAF will intercept any files with filenames that contain single quote characters (e.g., file-‘name’.jpg), and will block them from being uploaded to prevent potential security exploits. More information about invalid special characters in WordPress can be found here.

Configuring your WAF

A WAF protects against vulnerabilities and filters out attacks and malicious traffic by requiring all traffic to pass a set of rules before it ever reaches your WordPress site. WPMU DEV has a custom set of WAF rules and allows you to add your own, as follows:

  • IP Allowlist
  • IP Blocklist
  • User Agent Allowlist
  • User Agent Blocklist
  • URL Allowlist
  • URL Blocklist
  • Disable Rule IDs

Click On/Off in the Web Application Firewall row to enable/disable the feature.

Enable WAF on a WPMU DEV hosted site

Then click the toggle switch in the popup to access the configuration panel.

Activate hosting waf

WPMU DEV maintains a set of rules that will identify and block known, unsafe traffic, but admins can allowlist or blocklist IP addresses and user agents as they see fit using this configuration panel.

IP Allowlist/Blocklist

The IP or Internet Protocol address is a unique number that is linked to all online activity for a given user. You can block or grant access to specific machines, locations or users with the IP Allowlist/Blocklist fields.

You can Allowlist or Blocklist an IP address by entering it into the fields provided or by entering an IP range in CIDR notation. This is done by specifying the number of bits used for the network portion of the address in the following format: start of IP address range/number of network bits. For example, entering the range from 192.168.100.0 to 192.168.103.255 should be written as 192.168.100.0/22 and 192.168.100.0 to 192.168.101.255 would be 192.168.100.0/23. More information on this can be found in this DigitalOcean article or on the Petri site.

Enter only one IP address or range per line, and click Save to save.

Hosting WAF IP blocking

This makes it easy to block attacks quickly before they reach your server or allowlist your own IP or team member’s IP so they can bypass the WAF.

Adding IP ranges

Note that if you need to add a range of IP addresses in either list, it must be added in CIDR Notation. For more info on that, see this Wikipedia article. And here’s a handy CIDR conversion tool to make your job a bit easier.

User Agent Allowlist/Blocklist

The user agent is the system information being used to access your site, including:

  • The browser application name and version
  • The host operating system and language

Often this information can be used to block a botnet that is originating from too many IPs to block but is using the same User Agent for its attack. You can view visitor User Agents in your access log.

Use the Allowlist field if you need to allow a good bot that doesn’t use specific IPs to bypass firewall rules. Remember, User Agents can easily be spoofed by bots, so allowlisting them should be done only when you can’t allowlist by IPs.

You can Allowlist or Blocklist a user agent by entering it into the fields provided. An example of a correctly formatted user agent to enter into the field is Mozilla/5.0 (Linux; Android 9; moto e(6s)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36. Enter only one agent per line, and click Save to save.

Hosting WAF user agent blocking

URL Allowlist/Blocklist

In the unlikely event that any site URLs get blocked, possibly due to embedded content, you can add them to the URL Allowlist as relative URLs.

You can also explicitly block any relative URL by adding it to the URL Blocklist.

Hosting WAF URL blocking

Disabled Rule Ids

You can also disable specific firewall rule IDs that appear in the WAF log under the Logs tab (see below).

hosting WAF rule ID allowlist

Remember, when activating, deactivating or editing rules in the WAF, click the Save button to save your changes.

WAF Logs

WAF Logs for a specific site can be found in Hosting under the Logs tab.

hosting-waf-log

Logs can be used to see where attacks are coming from, what requests were blocked, what rules those requests triggered, and changes that can be made to minimize false alarms. For example, if you are performing a valid action on your site and get blocked, you can find information on why in the WAF log and perhaps allowlist the IP or disable a specific firewall rule ID. More information about the WAF Logs can be found under the Logs document.

6.2.1 Allowing Legitimate Requests

Link to chapter 2

Occasionally, legitimate requests from plugins may be blocked by the WAF, which can result in HTTP client errors when interacting with affected plugins. To prevent this, the relevant WAF rule(s) can be disabled in the WAF settings.

To disable a problematic WAF rule, you’ll first need to identify the Rule ID. To do so, navigate to the Logs tab in The Hub’s Hosting module, and click WAF Log.

Access the WAF log

Then, identify and make a note of the Rule ID in the most recent related log entry.

WAF log details

Next, navigate to the Tools tab in the The Hub’s Hosting module, and open the Web Application Firewall settings.

Click the WAF settings button

At the bottom of the settings window, enter the Rule ID identified earlier into the Disabled Rule Ids field, and click Save.

Disable WAF rule IDs

Repeat this process as needed for all WAF rules that are blocking legitimate requests from plugins, and then verify that the affected plugins work as expected.

IMPORTANT

While not always possible, it is more secure to whitelist relevant user agents, IP addresses, or URLs as a means to allow certain blocked requests than it is to disable WAF rule IDs. Even so, keep in mind that adding any exclusion has the potential to make the WAF less secure.

You can convert your site into a Multisite network by clicking the On/Off button in the Multisite row to open the configuration popup.

Enable multisite on a WPMU DEV hosted site

IMPORTANT

Once you’ve converted a site to a Multisite network, you cannot easily revert the site to a single site. So, before making the change, be sure converting to Multisite is the right move for your site.

If you are uncertain which Multisite installation– Subdirectory and Subdomain– is right for you, see our WordPress Multisite documentation for guidance.

WHAT’S IN A NAME?

Looking for help mapping custom domain names for subsites on a Multisite network? Check out our domain mapping guide on the WPMU DEV blog. Or see our simple Multisite Domain Mapping guide if your site is hosted by WPMU DEV.

When you’re ready, choose the Multisite installation you prefer and click Continue.

tools-multisite

If you are absolutely certain you wish to continue, enter your WPMU DEV account password, check the Yes, convert my site to a Multisite box, and click Continue. The conversion begins immediately, and there is no way to stop it or easy way to revert the changes.

tools-multisite-confirmation

The time it takes to convert depends largely on the size of the site, but it could range from just a few seconds to several minutes. A success notification will appear in The Hub when the conversion is complete.

Multisite conversion success message

For more information about Multisite networks, see our Multisite documentation and check out our Ultimate Guide to Multisite on the blog.

If you have chosen to go with a subdomain multisite, you will need to either generate a free Wildcard SSL certificate in your Hub or provide a custom wildcard certificate. This will ensure that you can serve your domain over HTTPS, which we require. This is covered in detail in our wildcard certificates documentation.

MULTISITES WITH BOTH SUBDIRECTORY AND SUBDOMAIN SUBSITES

It should be noted that wildcard certificates are not exclusively for subdomain multisites. You can also have a wildcard SSL certificate for a subdirectory multisite, meaning that you can map subdomains to subsites in it, making your multisitse seem as if it is subdomain-based rather than subdirectory-based. In this case, you could even have both subdirectory-based and subdomain-based subsites in the same multisite. See our Wildcard Certificates documentation for more information on this.

It is our policy to only provide support for the latest supported PHP versions. This is both to make sure our sites are secure, and to provide you with the fastest most performant hosting service we can!

Note that some third party plugins may occasionally be out of date and cause issues with the latest version of PHP. In that case you can look for updates, alternatives, or worst case, we do support downgrading your PHP version to older ones that still provide security patches.

PRO TIP

If you want to test your site’s compatibility with the latest version of PHP before upgrading, we recommend changing the PHP version in your staging environment and testing the functionality there first.

To upgrade or downgrade your PHP version, click the current PHP version number.

Change PHP version on a WPMU DEV hosted site

A list of available supported PHP versions will be displayed in the modal. Choose the version you wish to install, and click Apply.

Choose new PHP version from menu

Currently we default all newly-created sites to the latest release of PHP 7.4. However, PHP 8.0 is now available as well. It’s important to note though that this version of PHP should only be used on sites running WordPress 5.6 or greater. Also, the ionCube loader is not yet supported by PHP 8.0, so sites dependent on this extension should not update to that version. A notice will pop up to remind you of this if you choose that version.

Warning about PHP 8

WPMU DEV gives you access to easily edit and manage your Database from the phpMyAdmin database manager.

WARNING

Making changes to a site’s database can break the site. Take care when making changes. Contact support if you have questions. Detailed documentation for phpMyAdmin can be found on the phpMyAdmin site.

From the Tools tab, click the Manage Database link to open phpMyAdmin.

Manage the database for a WPMU DEV hosted site

phpMyAdmin includes tools for managing and viewing databases:

  • SQL
  • Status info
  • Export
  • Import
  • Settings
  • Variables
  • Charset
  • Engines
  • Plugins

WPMU DEV also gives you access to easily edit and manage your website files using a file manager interface in case you don’t want to mess around with SFTP.

From the Tools tab, click the Manage Files link to open the File Manager in a new tab.

Manage files for a WPMU DEV hosted site

NOTE

To help prevent inadvertent edits or deletions, core WordPress files are locked (read-only) and cannot be edited in the File Manager. If you absolutely do need to edit a core WP file, you will need to use an SFTP connection to do that.

The left panel allows you to navigate through files and logs from both the production server and the staging server.

Production and Staging server location in File Manager

The main toolbar at the top of the page offers features such as adding new folders and files, as well as uploading new documents.

Location of features on toolbar

If a tool is grayed out, it is unavailable for the selected location or document. To interact with folders and files without using the toolbar, right click on the location and a pop-up menu will appear. The pop-up menu includes features that are offered on the toolbar like open, download, and preview.

Example of toolbar features on pop-up menu

We leverage Object Cache at the database level, and this is enabled by default on all sites we host.

Object Cache improves performance by minimizing server load related to queries that are frequently called by WordPress, plugins, and themes. Because of this, you may need to clear Object Cache from your Hosting Hub after using a plugin that interacts directly with the database in ways outside of normal WordPress guidelines or if you make changes directly in your database using phpMyAdmin.

The object cache should only be flushed if absolutely necessary. It is usually not needed except after making direct database edits or during development. If you aren’t sure, contact support, and we’ll help you out.

To clear cache, click Clear in the Object Cache row.

Clear object cache for a WPMU DEV hosted site

A “Are you sure?” pop-up will verify you would like to clear your cache. Click Continue to flush object cache.

clear object cache screen

Note that the Object Cache is not enabled on staging sites.

6.8 Static Server Cache

Copy chapter anchor to clipboard

This is page caching at the server level using FastCGI. Much faster than any PHP plugin, Static Server Cache greatly speeds up your site and allows for an average of 10 times more concurrent visitors.

Static Server Cache can be toggled On or Off by clicking the button to the right.

Clicking the On/Off toggle will pop open a modal window with additional options that you can configure. Your configuration here will be saved even if you temporarily disable the cache for any reason.

  • Enable / Disable Static Server Cache – Toggle the cache on or off while keeping other options saved.
  • Allow Caching Query String (Params) – Enter any query strings (e.g., ref, utm_source, utm_medium, utm_campaign, etc), one per line, that you want to be cached.
  • Exclude Urls From Caching – Enter any site URLs or URL strings that you don’t want cached. E.g., if you add /blog it will also exclude /blog/samplepost or parentpage/blog/ from the cache.
  • Cache Lifetime – Select the expiry time for the cache. Cache will regenerate automatically each time it clears.

Static server cache options in the Hub

When it’s enabled, simply click the Clear button if you need to clear the Static Server Cache, then click the Continue button in the modal to confirm. Note that this cache also clears itself automatically every hour.

tools-static-server-cache-clear

Recommended Reading

Want to learn more about what WPMU DEV’s Static Server Cache can do for you site performance? Check out our blog post on How to Speed up Hosting with Static Server Cache.

Compatibility

Our Static Server Cache is fully integrated with our Hummingbird performance plugin, meaning that any action or process in Hummingbird that triggers the clearing of page cache will also clear the Static Server Cache.

So if you have Page Caching enabled in Hummingbird, and click a Clear Cache button in the plugin, Static Server Cache will clear as well. Or if you have options like “Clear cache on interval” or “Clear full cache when post/page is updated” enabled in Hummingbird, Static Server Cache will respect those settings too.

WooCommerce is supported by default, meaning that any dynamic process in Woo is not cached. So if a user adds items to their cart, etc, that would not be cached by the Static Server Cache, so no worries there.

What does it cache exactly?

The following should give you a good idea about what does and does not get cached when Static Server Cache is enabled.

  • GET/HEAD requests are cached (that’s your content; meaning all your posts, pages, etc.).
  • POST requests are skipped (for example, forms or any other frontend submission).
  • Query strings are skipped.
  • wp-admin, xmlrpc, wp-*.php, feed, index.php, sitemap URIs are skipped.
  • Cache is skipped if these cookies are found: comment_author, wordpress_, wp-postpass, wordpress_no_cache, wordpress_logged_in, woocommerce_items_in_cart.
  • Cache is skipped if these WooCommerce URIs are found: /store, /cart, /my-account, /checkout, /addons.
  • The max size of any item is 1Gb.

Are any query strings cached by default?

Newly created sites will have the following query strings cached by default. Note that no query strings are cached by default on existing sites, so you can add any that you may need according to your site’s current configuration.

ref
utm_source
utm_medium
utm_campaign
utm_term
utm_content
utm_expid
fbclid
fb_action_ids
fb_action_types
fb_source
mc_cid
mc_eid
gclid
dclid
_ga
campaignid
adgroupid
_ke
cn-reloaded
age-verified
ao_noptimize
usqp
mkt_tok
epik
ck_subscriber_id

How to see if it’s working

To check any page to see if it’s being cached by our Static Server Cache, pop open your browser’s developer tools, and click on the Network tab. Then reload your page.

Have a look at the Response Headers for the main document type of your page, and look for x-cache where you’ll see the following possible values.

  • x-cache: BYPASS – Cache is bypassed for any reason (URL parameter, cookie, WooCommerce, logged in etc.).
  • x-cache: MISS – It will be cached on next page load.
  • x-cache: HIT – Cache is served.

Check if static cache is enabled using browser tools

Note that the Static Server Cache is not enabled on staging sites.

6.9 Reset wp-config

Copy chapter anchor to clipboard

The wp-config.php file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database-connection information. If you migrated a site from another host, this information might need to be reset.

Click Reset in the WP-Config row.

Reset wp-config for a WPMU DEV hosted site

Then click the Confirm Reset button to reset the wp-config.php file. This will reset the file back to the default state, and anything you may have added or changed in it will be lost.

Click the Close button to exit without resetting the file.

tools-reset-wp-config

6.10 Migrate Existing Site

Copy chapter anchor to clipboard

Use this option to migrate a 3rd-party hosted site into your existing WPMU DEV hosted site.

Sites can be migrated to WPMU DEV hosting using our migration tool or by requesting a manual migration by our hosting support team.

We recommend using the migration tool because it simplifies and accelerates the process and automatically resolves issues that occasionally interfere with a smooth migration.

IMPORTANT

Migration will overwrite everything on your WPMU DEV hosted site and replace it with exact duplicate of your 3rd-party source site. Please be sure this is what you want before proceeding.

6.10.2 Manual Migration by WPMU DEV Staff

Link to chapter 10

As a WPMU DEV member, you can also request that we manually migrate your site in case the above option doesn’t work for you.

Worried about downtime?

See our post on How To Manually Migrate WordPress Sites Quickly With No Hosting Downtime to learn how our expert hosting support team can help eliminate that.

Click the Begin Migration link in the Migrate Existing Site row.

Migrate to an existing WPMU DEV hosted site

A modal window will pop open where you’ll be prompted to select the site you wish to migrate. The dropdown will reveal a list of all the sites currently connected to The Hub. If the site you wish to migrate does not appear in the list, then it is not connected, and you should click the Please add it to your Hub first link, and follow the instructions provided.

Select site to migrate to WPMU DEV

Once the site is selected, click Next to proceed.

You’ll then be prompted to select the migration method you want to use. To request a manual migration by our hosting support team, you’ll want to select the Help me migrate my site option and click Next to proceed.

Migrate an existing site by WPMU DEV staff

You’ll be prompted to enter the credentials for the site you wish to migrate.

Manual migration request form

Enter the following information needed so the hosting support team can access your source site:

WordPress Details

  • Admin URL – Enter the URL to the admin area of your site, without the protocol (http/https).
  • Admin username – The username of an administrator user on that site.
  • Admin password – The password for the above user.

Host / Server Details

This section is optional, but we do recommended providing this information so the hosting support team can directly access your source site’s filesystem and database.

  • Server / cPanel login URL – The URL needed to access the control panel for your site at your 3rd-party host.
  • Source Site hosting provider – The name of your current hosting provider.
  • Host / cPanel username – The username you use to login to your site’s control panel.
  • Host / cPanel password – The password for the above user.

If you have the information handy, you can also click on the FTP / SFTP / SSH Details section to expand it and provide additional optional details.

Manual migration request form optional info

FTP / SFTP / SSH Details (Optional)

  • Host – The hostname you use to access your site’s file system.
  • Port – The port used by your host’s connection protocol.
  • Username – The username of the user that can access the root of the file system.
  • Password – The password for the above user.
  • Additional information – Any other information that may be needed to access the file system, like server path for example.

Once you have provided all the required and any optional information in the form, click the Submit button to submit your request.

A confirmation notice will appear on screen to inform you that your request has been successfully submitted.

Manual migration request success message

The notice contains a link to the private support ticket that is automatically created for you in the Hosting Support forum. All the information that you provided in the form is available only to the hosting support team in a private task linked to that ticket.

Manual migration request ticket created

If the notice closes before you have a chance to click on the ticket link, you’ll find it listed in the My Tickets section of the Support area in your Hub.

Manual migration request ticket in the Hub

The hosting support team will be notified of your request and will proceed with the manual migration of your site within 24-48 hours. As soon as they reply on your ticket, with confirmation that the migration has been completed or if they require more information, you’ll receive an email notification of their reply.

That email will contain a link back to your ticket where you can reply if needed. Please do not reply directly in the email itself.

Supported Migrations & Conversions

It’s important to note that some types of migrations are out-of-scope and cannot be handled by our support or hosting staff. Following are the types of manual migrations/conversions that we can and cannot do for you.

  1. Supported migrations
    • Yes – If Single site -> Single site
    • Yes – If Multisite -> Multisite
  2. Supported conversions
    • Yes – If Single site -> Multisite
    • Yes – If Subsite -> Single site (you should expect to need to perform some cleanup in the converted site, and there may be configuration issues for some plugins due to conversion)
    • Depends – If Multisite -> Single site (supported only if there’s just a main site, without subsites)
    • Depends – If Subdomain -> Subdirectory (supported only if there’s just a main site, without subsites)
    • Depends – If Subdirectory -> Subdomain (supported only if there’s just a main site, without subsites)
  3. Not supported – Out of scope
    • No – If Single -> Subsite (3rd party developer required for this type of migration)
    • No – If Subsite -> Subsite (3rd party developer required for this type of migration)

6.10.3 Troubleshooting

Link to chapter 10

Site migration via (S)FTP may fail for a variety of reasons, including incorrect login details, exceeding max retries, a throttled connection, and more.

See the below troubleshooting tips for help if you encounter an error while migrating an existing site, and contact our support team if the issue persists.

No Route to Host

Example error message: Fatal error: max-retries exceeded (No route to host) for ftp://[email protected]:22. Please check the entered details and try again.

"No route to host" error

This error may occur when the entered hostname is incorrect, or lies behind a proxy service, such as Cloudflare. In this case, enter the server’s IPv4 address.

Login Authentication Failed

Example error message: Login failed: 530 Login authentication failed for ftp://[email protected]:21. Please check the entered login details and try again.

"Login authentication failed" error

This error may occur if the entered username and/or password are incorrect. In this case, either verify that the entered credentials are correct or reset your password.

Login Incorrect

Example error message: Login failed: Login incorrect for sftp://[email protected]:22. Please check the entered login details and try again.

"Login incorrect" error

This error may occur if the entered username and/or password are incorrect. In this case, either verify that the entered credentials are correct or reset your password.

No Address Associated with Hostname

Example error message: open: ftp.example.com: No address associated with hostname

"No address associated with hostname" error

This error may occur when the FTP host is unable to resolve the hostname’s IP address. In this case, enter the server’s IPv4 address.

Too Many Connections

Example error message: Fatal error: max-retries exceeded (421 Too many connections (8) from this IP) for ftp://[email protected]:21. Please check the entered details and try again.

"Too many connections" error

This error may occur if the source host is limiting the number of connections for file transfer. In this case, either transfer files on at a time, or contact the source host to request that our IP addresses be whitelisted.

Connection Throttled

Example error message: Your host appears to be throttling connections. Please try starting the migration again in a few minutes once our IP is unblocked, and we will attempt using a slower compatibility mode.

"Connection throttled" error

This error may occur due to our migration tool fetching multiple files at once, causing some source hosts to block the connection. If this occurs, try again in a few minutes, and our migration tool will automatically fetch files one at a time to prevent a subsequent block.

6.11 Bruteforce Attack Protection

Copy chapter anchor to clipboard

All sites hosted by WPMU DEV have measures enabled by default at the server level to help prevent bruteforce attacks. This is to help ensure your site’s server never goes down due to a bot attack on the most commonly targeted WordPress URIs: /wp-login.php & /xmlrpc.php

Bruteforce attack protection for WPMU DEV hosted sites

You can disable this protection if you wish, or keep it enabled and add specific IP addresses or ranges (in CIDR notation) to exempt them from this protection. Click the On link to the right of the feature to open the options modal.

How it Works

The /wp-login.php and /xmlrpc.php URIs are continuously monitored on our hosting, and if either of them receives more than 1 request every 2 seconds (30 requests/min) from a single IP address, rate limiting will be applied automatically to block access to any user with that IP, and a 429 error page will be displayed to that user.

Default WPMU DEV error 429 page

This will throttle the connections a bit and help avoid having the server instantly go down due to an attack. If the connection is throttled 30 times within the last 30 minutes, then the attacking IP will be banned for 1 hour to help even more.

Any such 429 error will be logged by your server and can be viewed in the Access Logs in your Hub.

You can customize and brand the Error 429 page if you wish, just like any other default server error page, by following the directions in our Customizing Error Pages documentation.

Note that only the URIs noted above are monitored, and rate-limited if attacked. For example, if you have modified your wp-login.php slug using the Mask Login feature in Defender, and that custom slug is discovered and attacked by a malicious bot, your custom login would not be protected by these measures. We, therefore, recommend that any such custom login not be too obvious; don’t make it easy for bad actors to guess.

Also note that, while these measures can help mitigate the effects of DoS/DDoS attacks, they should not be considered as full protection for such attacks. You may want to consider using the robust protection options offered by CloudFlare for that.

6.12 New Relic Monitoring

Copy chapter anchor to clipboard

New Relic Monitoring feature in Hub Tools

This option enables you to easily integrate the performance monitoring features available from New Relic so you can view real-time data to help you when debugging issues on your site.

How can New Relic help you?

Get the lowdown on the performance monitoring features you need in our Easily Connect New Relic (for Free!) with WPMU DEV Hosted WordPress Sites post on the blog.

Begin by logging into your account at New Relic, or create a free account there now if you don’t already have one.

The only thing you need from your New Relic account for this integration is your License Key, which you’ll find here. If that link doesn’t work for you, click the API Keys option in your New Relic account profile menu to get to the correct page.

Get API Keys in New Relic account

On the API Keys page in your New Relic account, click the three-dot icon at the far right of the License Key row you’ll see there, and select the Copy Key option to copy your key to your clipboard.

Get API Keys in New Relic account

Now, back on the Tools screen of your site in your Hub, click the Off link next to New Relic Monitoring. That will pop open a modal window where you’ll be prompted to enter the License Key you just copied.

Then enter any name you like in the App Name field. This is the name for the app that will be automatically created in your New Relic account once you enable this integration.

Add credentials for New Relic Monitoring in the Hub

Once both your License Key and App Name have been entered, enable the integration by clicking the Enable / Disable New Relic toggle at the top of the modal. Then click Save at the bottom.

To disable New Relic Monitoring for your site, simply click the Enable / Disable New Relic toggle again. Note that you do not need to enter your license key again after you’ve saved it here once.

IMPORTANT

This feature will have a slight impact on site performance while it is active. So it is recommended to only enable it when you are actively debugging issues on your site.

To view any site performance data recorded during any time period this monitoring feature was active, first go to the Home screen in your New Relic account by clicking the New Relic logo at the top left. Then click the APM link in the main menu, and click on the name of the app you entered earlier in your Hub.

View app in New Relic account

You’ll find tons of useful data displayed that you can filter for any time or date range you need. You can even backtrack several months to view any data that was recorded during time periods this integration was active for your site.

View app data in New Relic account

Some of the most useful data can be found by clicking on the WordPress Hooks and WordPress Plugins and Themes options in the left-hand menu on that screen.

The data on those screens will help you glean valuable insight into the most sluggish processes, plugins & themes on your site.

View WordPress data in New Relic account

View WordPress data in New Relic account

There are way too many additional settings and configuration options at New Relic to get into here, but you’ll find they have useful and extensive documentation here that you can explore to familiarize yourself with how things work there.

Remember to disable New Relic Monitoring once you’re finished debugging things on your site.

6.13 Blackfire Profiler

Copy chapter anchor to clipboard

Blackfire Profiler feature in Hub Tools

This option enables you to easily integrate the performance profiling features available from Blackfire and get valuable data to help you when debugging issues on your site.

15-DAY FREE TRIAL

You can sign up to Blackfire’s Premium plan with a 15-day free trial of all features. If you decide to remain a free user after the trial period, your account would be downgraded to what they call their Hack Edition. That free plan has limited features though, such as profiling only on local development environments, and only 1-day data retention. More info here.

Begin by logging into your account at Blackfire or create an account there now if you don’t already have one.

Once logged-in to your Blackfire account, you’ll be prompted to create an Organization under which your site profiles will be logged. This can be anything you like really, as long as it’s recognizable to you.

Create an organization in Blackfire account

Once you’ve created your organization, click the User Credentials option in your Blackfire account profile menu at th bottom-left.

Get user credentials in Blackfire account

On the User Credentials page, scroll down to the bottom where you’ll see a section titled My Server Credentials. Copy both the Server ID and Server Token to your clipboard or a plain text file.

Get user credentials in Blackfire account

Now, back on the Tools screen of your site in your Hub, click the Off link next to Blackfire Profiling. That will pop open a modal window where you’ll be prompted to enter the Server ID and Server Token you just copied.

Add credentials for Blackfire Profiler in the Hub

Once both your Server ID and Server Token have been entered, enable the integration by clicking the Enable / Disable Blackfire toggle at the top of the modal. Then click Save at the bottom.

To disable Blackfire Profiling for your site, simply click the Enable / Disable New Blackfire toggle again. Note that you do not need to enter your server ID and token again after you’ve saved it here once.

IMPORTANT

This feature may have a slight impact on site performance while it is active. So it is recommended to only enable it when you are actively debugging issues on your site.

Now that Blackfire is enabled for your site, you need to install one of their browser extensions so the profiler can run. Select the extension you want according to the browser you’re using:

Once you have the extension installed in your preferred browser, click the Blackfire icon in your browser toolbar to launch the profiler. Then click the big red Profile! button.

Run Blackfire Profiler on a site

The tool will pop open as a bar pinned to the top of your browser, and begin running a profile of your site. You can give the profile a distinct Name while it’s running, or after it has completed, so you can find it easily in your Blackfire dashboard afterwards.

Blackfire Profiler running on a site

Once the profiler has finished, that top bar will populate with a summary overview of several useful metrics to help you diagnose possible issues with your site.

Blackfire Profiler metrics

Click any of those metrics, or any other button in that bar, to open the corresponding page in your Blackfire account.

Blackfire Profiler metrics

In your Blackfire account, your site profile will be presented in a detailed interactive view where you can really drill into any specific metric you need to pinpoint trouble areas on your site.

Blackfire Profiler profile

All your saved profiles can be accessed and viewed from the My Profiles page in your Blackfire account.

Viewing profiles in Blackfire account

There are way too many additional settings and options at Blackfire to get into here, but you’ll find they have useful and extensive documentation here that you can explore to familiarize yourself with how things work there.

Remember to disable Blackfire Profiling once you’re finished debugging things on your site.

Reset WordPress on live site

Use this option if you ever need to revert your live site to a fresh, default WordPress installation. Note that the option here does not affect your staging site if you have one set up; there is a separate option for that under the Staging tab.

Click Reset to pop open a modal window where you’ll be prompted to enter your WPMU DEV password, and confirm the action.

Reset WP Hosting dialog

This reset will delete all files (including non-WordPress files) in the Production directory of your live site before the fresh re-install of WordPress. However, a backup of your live site will be created before the reset, in case you change your mind afterwards and want to restore the site to how it was.

Once you click the Continue button, you’ll be prompted to create a new WordPress administrator account for the fresh install. You can use the same email, username and password as you had for your admin user before, or create a brand-new admin user.

Create WordPress Administrator account

Click the Continue button and you’ll then see a screen indicating the reset is underway. Depending on the size of the site, it can take several minutes for this to complete.

Reset WordPress on live site progress

When the reset process is complete, visit your site and you’ll see a brand-new default install of WordPress there for you to build on.

Resetting Multisite

The process for resetting a multisite is exactly the same as for a single site except for one important detail: when you reset a live multisite, it defaults back to a fresh single site install.

This means that if you intend to then push your existing staging multisite to live, you’ll need to first convert the new single site to a multisite. Then you can push your staging multisite to the new fresh live multisite. If you don’t do that, the system won’t be able to update the domain name where it needs to, and you’ll get a database connection error.

Restoring the site

If you made a mistake or changed your mind after resetting WordPress on your live site, you can restore the automatic backup that was made before the site was reset. You’ll see that backup labeled before wp reset production under the Backups tab of your site.

Reset WordPress on live site backup