Hosting Tools

You have the option of enabling ‘Password Protection’ on any site. Unlike your WordPress credentials, which control access to a site’s admin areas, Password Protection controls access to an entire site, meaning only those who know the password can work on or view a site. It even hides a site from search engines.

This is useful when developing a new site that you don’t want yet publicly available on the web. You can share the username and password with clients or colleagues, but unauthorized admin users and the general public will not have access.

Password Protection uses Basic HTTP Authentication and does not use any WordPress usernames or login details.

Users who attempt to access any part of your site will see a login modal similar to the one in the image below. Only by entering the correct credentials will the user be allowed to proceed.

Click On/Off in the Password Protection row to enable/disable the feature. Then use the toggle in the modal to turn site protection on or off.

Once active, create a username and password you wish to apply to this site. A strong password will be generated, or you can add a custom password into the field. When activating or deactivating your password, click Save to save your changes.

Our Web Application Firewall (WAF) monitors the IP addresses and user agents attempting to access your site and filters out traffic that is known to be unsafe or that you have identified as unwanted.

It’s a first layer of protection to block hackers and bot attacks before they ever reach your site. The WAF filters requests against our highly optimized managed ruleset covering common attacks (OWASP top ten) and performs virtual patching of WordPress core, plugin, and theme vulnerabilities.

The key distinction between our WAF and typical site security protocols is that a security plugin protects a site at the point of attack, whereas a WAF prevents unwanted traffic from ever reaching its intended target in the first place.

Our WAF protects sites from attacks such as cross-site request forgeries, cross-site-scripting (XSS), file inclusions, and SQL injections.

Note that WAF is not available on staging sites.

All NonprofitPress plans with Bronze Plus or a higher VPS tier support WordPress Multisite.

You can convert your site into a Multisite network by clicking the On/Off button in the Multisite row to open the configuration popup.

If you have any questions, please chat or email support - we will be happy to assist!

It is our policy to only provide support for the latest supported PHP versions. This is both to make sure our sites are secure, and to provide you with the fastest most performant hosting service we can! Currently, we default all newly-created sites to the latest release of PHP 8.2.

Note that some third party plugins may occasionally be out of date and cause issues with the latest version of PHP. In that case you can look for updates, alternatives, or downgrade your PHP version to any version that we currently support.

To upgrade or downgrade your PHP version, click the current PHP version number. A list of available supported PHP versions will be displayed in the modal. Choose the version you wish to install, and click Apply.

Note that the ionCube loader is not yet supported by PHP 8.3, so sites dependent on this extension should use a different PHP version.

If your site requires the ionCube Loader extension, you can enable it with this option. Click the On/Off toggle to pop open a modal window where you can enable or disable the extension as needed.

Note that ionCube is not supported in PHP 8.3. So if your site is using that version, this option will be locked.

This option will enable/disable the extension on your staging site as well if you have one created. Unless the staging site is on PHP 8.3, in which case it will not be enabled there, as noted above.

The performance of your site may be affected when this feature is enabled.

MWP Cloud provides easy access to edit and manage your Database from the phpMyAdmin database manager.

From the Tools tab, click the Manage Database link to open phpMyAdmin.

You should always make a backup before editing the database directly.

MWP Cloud also gives you access to easily edit and manage your website files using a file manager interface in case you don’t want to mess around with SFTP.

From the Tools tab, click the Manage Files link to open the File Manager in a new tab.

The left panel allows you to navigate through files and logs from both the production server and the staging server.

The main toolbar at the top of the page offers features such as adding new folders and files, as well as uploading new documents.

If a tool is grayed out, it is unavailable for the selected location or document. To interact with folders and files without using the toolbar, right click on the location and a pop-up menu will appear. The pop-up menu includes features that are offered on the toolbar like open, download, and preview.

We leverage Object Cache at the database level, and this is enabled by default on all sites we host.

Object Cache improves performance by minimizing server load related to queries that are frequently called by WordPress, plugins, and themes. Because of this, you may need to clear Object Cache from your Hosting Hub after using a plugin that interacts directly with the database in ways outside of normal WordPress guidelines or if you make changes directly in your database using phpMyAdmin.

The object cache should only be flushed if absolutely necessary. It is usually not needed except after making direct database edits or during development. If you aren’t sure, contact support, and we’ll help you out.

To clear cache, click Clear in the Object Cache row.

An “Are you sure?” pop-up will verify you would like to clear your cache. Click Continue to flush object cache.

Note that the Object Cache is not enabled on staging sites.

This is page caching at the server level using FastCGI. Much faster than any PHP plugin, Static Server Cache greatly speeds up your site and allows for an average of 10 times more concurrent visitors.

Static Server Cache can be toggled On or Off by clicking the button to the right.

Clicking the On/Off toggle will pop open a modal window with additional options that you can configure. Your configuration here will be saved even if you temporarily disable the cache for any reason.

• Enable / Disable Static Server Cache – Toggle the cache on or off while keeping other options saved.
• Allow Caching Query String (Params) – Enter any query strings (e.g., ref, utm_source, utm_medium, utm_campaign, etc), one per line, that you want to be cached.
• Exclude Urls From Caching – Enter any site URLs or URL strings that you don’t want cached. E.g., if you add /blog it will also exclude /blog/samplepost or parentpage/blog/from the cache.
• Cache Lifetime – Select the expiry time for the cache. Cache will regenerate automatically each time it clears.

When it’s enabled, simply click the Clear button if you need to clear the Static Server Cache, then click the Continue button in the modal to confirm. Note that this cache also clears itself automatically every hour.

For more information, please see the dedicated Cache article

The wp-config.php file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database-connection information. If you migrated a site from another host, this information might need to be reset.

Click Reset in the WP-Config row.

Then click the Confirm Reset button to reset the database connection information.

Note: Resetting the wp-config will only reset the database connection information, such as the database name, username, password, and host. However, if you want to reset the complete wp-config file, delete the wp-config.php file from the file manager or SSH/SFTP and reset it to create a new wp-config file.

Click the Close button to exit without resetting the file.

You can disable this protection if you wish, or keep it enabled and add specific IP addresses or ranges (in CIDR notation) to exempt them from this protection. Click the On link to the right of the feature to open the options modal.

Learn more in the dedicated Bruteforce Attack Protection article

XML-RPC is outdated and has now been replaced by the WordPress REST API. Blocking XML-RPC could help prevent security vulnerabilities and spam attacks.

Click the On/Off toggle to pop open a modal window where you can enable/disable the feature as needed.

This feature is only available for migrated sites that utilize custom plugins which require the legacy XML-RPC functionality. By default, it is disabled.

Note that XML-RPC is blocked by default on all newly created hosted sites.

If the Disable XML-RPC security recommendation is active in Defender but the feature is disabled at the server level here, requests will still reach your site and will consume resources. But when you enable Block XML-RPC at the server level, the requests never reach your site at all.