The Tools usage guide is a detailed look at the features and configuration options located in the WPMU DEV Hosting Tools tab, which include:

  • Password Protection
  • Web Application Firewall (WAF)
  • Multisite
  • PHP Version
  • Database Manager
  • File Manager
  • Object Cache
  • Static Server cache
  • WP-Config
  • Migrate Existing Site

Use the index on the left to locate usage guidance for a specific feature quickly.

If you have not set up a WPMU DEV hosting account, visit hosting to explore the features, pricing, and get a free trial.

Already a member?

Visit your hosting dashboard to get started. More on getting started with WPMU DEV hosting can be found here.

Access your Hosting Tools from the Hosting tab by clicking the site you wish to manage.

Hosting domain list

Then, click the Tools tab.

Hosting tools tab

5.1 Password Protection

Copy chapter anchor to clipboard

You have the option of enabling ‘Password Protection’ on any site. Unlike your WordPress credentials, which control access to a site’s admin areas, Password Protection controls access to an entire site, meaning only those who know the password can work on or view a site. It even hides a site from search engines.

This is useful when developing a new site that you don’t want yet publicly available on the web. You can share the username and password with clients or colleagues, but unauthorized admin users and the general public will not have access.

Password Protection uses Basic HTTP Authentication and does not use any WordPress usernames or login details.

Users who attempt to access any part of your site will see a login modal similar to the one in the image below. Only by entering the correct credentials will the user be allowed to proceed.

Password protected login modal

Click On/Off in the Password Protection row to enable/disable the feature.

Enable password protection for a WPMU DEV hosted site

Then use the toggle in the modal to turn site protection on or off.


Once active, create a username and password you wish to apply to this site. A strong password will be generated, or you can add a custom password into the field. When activating or deactivating your password, click Save to save your changes.


5.2 Web Application Firewall (WAF)

Copy chapter anchor to clipboard

Our Web Application Firewall (WAF) monitors the IP addresses and user agents attempting to access your site and filters out traffic that is known to be unsafe or that you have identified as unwanted.

The key distinction between our WAF and typical site security protocols is that a security plugin protects a site at the point of attack, whereas a WAF prevents unwanted traffic from ever reaching its intended target in the first place (learn more about how WAFs work).

Our WAF protects sites from attacks such as cross-site request forgeries, cross-site-scripting (XSS), file inclusions, and SQL injections.

Additional protection

For additional steps in protecting your site, use Defender, and check out the Ultimate Guide to Security on the blog.

Configuring your WAF

A WAF protects against vulnerabilities and filters out attacks and malicious traffic by requiring all traffic to pass a set of rules before it ever reaches your WordPress site. WPMU DEV has a custom set of WAF rules and allows you to add your own, as follows:

  • IP Allowlist
  • IP Blocklist
  • User Agent Allowlist
  • User Agent Blocklist
  • URL Allowlist
  • URL Blocklist
  • Disable Rule IDs

Click On/Off in the Web Application Firewall row to enable/disable the feature.

Enable WAF on a WPMU DEV hosted site

Then click the toggle switch in the popup to access the configuration panel.

Activate hosting waf

WPMU DEV maintains a set of rules that will identify and block known, unsafe traffic, but admins can allowlist or blocklist IP addresses and user agents as they see fit using this configuration panel.

IP Allowlist/Blocklist

The IP or Internet Protocol address is a unique number that is linked to all online activity for a given user. You can block or grant access to specific machines, locations or users with the IP Allowlist/Blocklist fields.

You can Allowlist or Blocklist an IP address by entering it into the fields provided or by entering an IP range in CIDR notation. This is done by specifying the number of bits used for the network portion of the address in the following format: start of IP address range/number of network bits. For example, entering the range from to should be written as and to would be More information on this can be found in this DigitalOcean article or on the Petri site.

Enter only one IP address or range per line, and click Change to save.

Hosting WAF IP blocking

This makes it easy to block attacks quickly before they reach your server or allowlist your own IP or team member’s IP so they can bypass the WAF.

Adding IP ranges

Note that if you need to add a range of IP addresses in either list, it must be added in CIDR Notation. For more info on that, see this Wikipedia article. And here’s a handy CIDR conversion tool to make your job a bit easier.

User Agent Allowlist/Blocklist

The user agent is the system information being used to access your site, including:

  • The browser application name and version
  • The host operating system and language

Often this information can be used to block a botnet that is originating from too many IPs to block but is using the same User Agent for its attack. You can view visitor User Agents in your access log.

Use the Allowlist field if you need to allow a good bot that doesn’t use specific IPs to bypass firewall rules. Remember, User Agents can easily be spoofed by bots, so allowlisting them should be done only when you can’t allowlist by IPs.

You can Allowlist or Blocklist a user agent by entering it into the fields provided. An example of a correctly formatted user agent to enter into the field is Mozilla/5.0 (Linux; Android 9; moto e(6s)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36. Enter only one agent per line, and click Change to save.

Hosting WAF user agent blocking

URL Allowlist/Blocklist

In the unlikely event that any site URLs get blocked, possibly due to embedded content, you can add them to the URL Allowlist as relative URLs.

You can also explicitly block any relative URL by adding it to the URL Blocklist.

Hosting WAF URL blocking

Disabled Rule Ids

You can also disable specific firewall rule IDs that appear in the WAF log under the Logs tab (see below).

hosting WAF rule ID allowlist

Remember, when activating, deactivating or editing rules in the WAF, click the Change button to save your changes.

WAF Logs

WAF Logs for a specific site can be found in Hosting under the Logs tab.


Logs can be used to see where attacks are coming from, what requests were blocked, what rules those requests triggered, and changes that can be made to minimize false alarms. For example, if you are performing a valid action on your site and get blocked, you can find information on why in the WAF log and perhaps allowlist the IP or disable a specific firewall rule ID. More information about the WAF Logs can be found under the Logs document.

You can convert your site into a Multisite network by clicking the On/Off button in the Multisite row to open the configuration popup.

Enable multisite on a WPMU DEV hosted site


Once you’ve converted a site to a Multisite network, you cannot easily revert the site to a single site. So, before making the change, be sure converting to Multisite is the right move for your site.

If you are uncertain which Multisite installation– Subdirectory and Subdomain– is right for you, see our WordPress Multisite documentation for guidance.


Looking for help setting custom domain names for subsites on a Multisite network? Check out our domain mapping guide on the WPMU DEV blog.

When you’re ready, choose the Multisite installation you prefer and click Continue.


If you are absolutely certain you wish to continue, enter your WPMU DEV account password, check the Yes, convert my site to a Multisite box, and click Continue. The conversion begins immediately, and there is no way to stop it or easy way to revert the changes.


The time it takes to convert depends largely on the size of the site, but it could range from just a few seconds to several minutes. A success notification will appear in The Hub when the conversion is complete.

Multisite conversion success message

For more information about Multisite networks, see our Multisite documentation and check out our Ultimate Guide to Multisite on the blog.

If you have chosen to go with a subdomain multisite, you will need to upload either a Wildcard SSL certificate or a certificate that covers all domains and subdomains that you plan to use. This will ensure that you can serve your domain over HTTPS, which we require. This is covered in detail in our Wildcard Certificates document.


It should be noted that wildcard certificates are not exclusively for subdomain multisites. You can also have a wildcard SSL certificate for a subdirectory multisite, meaning that you can map subdomains to subsites in it, making your multisitse seem as if it is subdomain-based rather than subdirectory-based. In this case, you could even have both subdirectory-based and subdomain-based subsites in the same multisite. See our Wildcard Certificates document for more information on this.

It is our policy to only provide support for the latest supported PHP versions. This is both to make sure our sites are secure, and to provide you with the fastest most performant hosting service we can!

Currently we default all newly-created sites to the latest release of PHP 7.4. Occasionally, some third party plugins may be out of date and cause issues with the latest version of PHP. In that case you can look for updates, alternatives, or worst case, we do support downgrading your PHP version to older ones that still provide security patches.


If you want to test your site’s compatibility with the latest version of PHP before upgrading, we recommend changing the PHP version in your staging environment and testing the functionality there first.

To upgrade or downgrade your PHP version, click the current PHP version number.

Change PHP version on a WPMU DEV hosted site

A list of available supported PHP versions will be displayed in the modal. Choose the version you wish to install, and click Apply.

Choose new PHP version from menu

WPMU DEV gives you access to easily edit and manage your Database from the phpMyAdmin database manager.


Making changes to a site’s database can break the site. Take care when making changes. Contact support if you have questions. Detailed documentation for phpMyAdmin can be found on the phpMyAdmin site.

From the Tools tab, click the Manage Database link to open phpMyAdmin.

Manage the database for a WPMU DEV hosted site

phpMyAdmin includes tools for managing and viewing databases:

  • SQL
  • Status info
  • Export
  • Import
  • Settings
  • Variables
  • Charset
  • Engines
  • Plugins

WPMU DEV also gives you access to easily edit and manage your website files using a file manager interface in case you don’t want to mess around with SFTP.

From the Tools tab, click the Manage Files link to open the File Manager in a new tab.

Manage files for a WPMU DEV hosted site


To help prevent inadvertent edits or deletions, core WordPress files are locked (read-only) and cannot be edited in the File Manager. If you absolutely do need to edit a core WP file, you will need to use an SFTP connection to do that.

The left panel allows you to navigate through files and logs from both the production server and the staging server.

Production and Staging server location in File Manager

The main toolbar at the top of the page offers features such as adding new folders and files, as well as uploading new documents.

Location of features on toolbar

If a tool is grayed out, it is unavailable for the selected location or document. To interact with folders and files without using the toolbar, right click on the location and a pop-up menu will appear. The pop-up menu includes features that are offered on the toolbar like open, download, and preview.

Example of toolbar features on pop-up menu

We leverage Object Cache at the database level, and this is enabled by default on all sites we host.

Object Cache improves performance by minimizing server load related to queries that are frequently called by WordPress, plugins, and themes. Because of this, you may need to clear Object Cache from your Hosting Hub after using a plugin that interacts directly with the database in ways outside of normal WordPress guidelines or if you make changes directly in your database using phpMyAdmin.

The object cache should only be flushed if absolutely necessary. It is usually not needed except after making direct database edits or during development. If you aren’t sure, contact support, and we’ll help you out.

To clear cache, click Clear in the Object Cache row.

Clear object cache for a WPMU DEV hosted site

A “Are you sure?” pop-up will verify you would like to clear your cache. Click Continue to flush object cache.

clear object cache screen

Note that the Object Cache is not enabled on staging sites.

5.8 Static Server Cache

Copy chapter anchor to clipboard

This is page caching at the server level using FastCGI. Much faster than any PHP plugin, Static Server Cache greatly speeds up your site and allows for an average of 10 times more concurrent visitors.

Static Server Cache can be toggled On or Off by clicking the button to the right.

Then click the Continue button in the little modal that pops up to confirm the action.


When it’s enabled, simply click the Clear button if you need to clear the Static Server Cache, then click the Continue button in the modal to confirm. Note that this cache also clears itself automatically every hour.



Our Static Server Cache is fully integrated with our Hummingbird performance plugin, meaning that any action or process in Hummingbird that triggers the clearing of page cache will also clear the Static Server Cache.

So if you have Page Caching enabled in Hummingbird, and click a Clear Cache button in the plugin, Static Server Cache will clear as well. Or if you have options like “Clear cache on interval” or “Clear full cache when post/page is updated” enabled in Hummingbird, Static Server Cache will respect those settings too.

WooCommerce is supported by default, meaning that any dynamic process in Woo is not cached. So if a user adds items to their cart, etc, that would not be cached by the Static Server Cache, so no worries there.

What does it cache exactly?

The following should give you a good idea about what does and does not get cached when Static Server Cache is enabled.

  • GET/HEAD requests are cached (that’s your content; meaning all your posts, pages, etc.).
  • POST requests are skipped (for example, forms or any other frontend submission).
  • Query strings are skipped.
  • wp-admin, xmlrpc, wp-*.php, feed, index.php, sitemap URIs are skipped.
  • Cache is skipped if these cookies are found: comment_author, wordpress_, wp-postpass, wordpress_no_cache, wordpress_logged_in, woocommerce_items_in_cart.
  • Cache is skipped if these WooCommerce URIs are found: /store, /cart, /my-account, /checkout, /addons.
  • The max size of any item is 1Gb.

How to see if it’s working

To check any page to see if it’s being cached by our Static Server Cache, pop open your browser’s developer tools, and click on the Network tab. Then reload your page.

Have a look at the Response Headers for the main document type of your page, and look for x-cache where you’ll see the following possible values.

  • x-cache: BYPASS – Cache is bypassed for any reason (URL parameter, cookie, WooCommerce, logged in etc.).
  • x-cache: MISS – It will be cached on next page load.
  • x-cache: HIT – Cache is served.

Check if static cache is enabled using browser tools

Note that the Static Server Cache is not enabled on staging sites.

5.9 Reset wp-config

Copy chapter anchor to clipboard

The wp-config.php file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database-connection information. If you migrated a site from another host, this information might need to be reset.

Click Reset in the WP-Config row.

Reset wp-config for a WPMU DEV hosted site

Then click the Confirm Reset button to reset the wp-config.php file. This will reset the file back to the default state, and anything you may have added or changed in it will be lost.

Click the Close button to exit without resetting the file.


5.10 Migrate Existing Site

Copy chapter anchor to clipboard

  1. During migration, the source site overwrites everything on the destination site, including all content, plugins, themes and settings. Be sure this is what you want before proceeding.
  2. If you don’t have (S)FTP access to the site you want to migrate here, you should be able to create (S)FTP credentials in your current host’s control panel. Or you can try automated site migration with our Shipper plugin, instead.

To migrate a site to your WPMU DEV hosted site, click the Begin Migration link in the Migrate Existing Site row.

Migrate a site to a WPMU DEV hosted site

Then from the dropdown, choose the site you want to migrate.


If you don’t see the site you wish to migrate, Add it to your Hub first and refresh the list.

Click Next to continue.

On the next screen, enter the (S)FTP credentials for your site. You should be able to view or create (S)FTP credentials in your current host’s control panel, or you can try migrating with the Shipper plugin instead.


Once you’ve entered the information, click Start Migration to continue.

If you encounter any issues with migrating your site or using or configuring the Tools, Members have 24/7 support and site migration assistance.