WordPress security is a hot topic. We all know by now that the world’s highest market share open source CMS, though fantastically wonderful, has security concerns that we all need to be aware of. However, many who use WordPress are not security experts, though we all want to do what we can to make our sites secure.
So a plugin is often resorted to.
However, one thing to know is that when you use security plugins with WordPress, you need to know what you’re doing. Using a security plugin, though seemingly easy, may cause problems, rather than provide solutions for the ‘average’ WordPress user.
After documenting some issues that security plugins can bring up, we rounded up the advice of some WordPress security experts who graciously donated their time to help us understand this topic better!
Our accolades go out to Jim Walker, The Hack Repair Guy, Howard Carson, the CTO of US Server Net (a managed WordPress hosting company), and Thomas Oliver, who is highly knowledgeable in .htaccess and Regular Expression. They are quoted in this article and helped in its editing process.
This article is not to say that we shouldn’t use security plugins in all instances, but certainly that if WordPress users want to use one, they need to be ready for what caveats may come with it. Understanding the technicalities behind what these plugins do to a site may be confusing for non-technical users.
There are many security plugins available for WordPress, and this article merely summarizes the pitfalls that could come with any of them, in principle. And, as Howard points out:
The quality of coding varies tremendously…There are some plugins that are excellent, work behind the scenes to protect sites, and will never cause problems, in principle or in fact!
With the above said, let’s dive into some of the reasons why you may want to think twice about using WordPress security plugins.
Their Settings Require Security Knowledge
As Howard points out, this is not just a problem with security plugins. Sometimes lots of options exist in a plugin because advanced users want them. Though that’s not to say the user interface or settings are an indication of how well these plugins work. As a great example, Better WP Security tries to minimize options and simplify what non-technical users need by offering a “Secure my site from basic attacks” button.
But after you get past the “basics,” whoa horsey – how is anyone unlearned in the world of security supposed to know they should “change the wp-content directory”? Or in BulletProof Security, what is the difference between “Default” and “BulletProof Mode”? It takes a lot of reading to figure this stuff out, and if you’re hesitant about pushing buttons you don’t know the effects of (which you should be), you won’t get immediate relief knowing your site is secure once you install these plugins. Instead, you might wonder what on earth you just pressed and if anything is going to detonate soon.
So right out-of-the-box these plugins demand a good working knowledge of what they’re going to do to your site. That’s not easy for the ‘average’ WordPress user. Maybe they’re not meant to be easy, because, as Howard points out,
Website vulnerability management is not an easy topic. Solutions to the wide range of potential problems are varied and complex.
They Send You Spooky Messages
The thing with enabling a function to ban users, detect how many 404 pages they visit, or monitor file changes is that the site admin starts getting e-mails that, in all honesty, sound kind of scary. Like this one (from Better WP Security):
A host, 88.241.170.129 (you can check the host at http://ip-adress.com/ip_tracer/88.241.170.129) has been locked out of the WordPress site at http://my-WordPress-site.com until Friday, October 11th, 2013 at 11:11 am due to too many login attempts. You may login to the site to manually release the lock if necessary.
At first you’re like, “Oh wow this plugin is great, it’s blocking evil people from hacking my site!”
But then you start getting like 1 to 3 of them every day for the rest of your life. It takes a while but you figure out there must be tons of automated machines out there trying to hack WordPress sites all the time. Will they get in to your site? Let’s hope not. But you don’t necessarily have to receive scary e-mails like this to know your site is secure.
Jim says here that he “recommends disabling these messages by ‘unchecking the box’ unless you have a specific reason for receiving them. The messages essentially say, ‘the plugin is working.’ This is a good thing, though they provide no value to the average user.” Howard recommends only a webmaster responsible for security should receive these.
While these messages are sometimes legitimate concerns, you get them from security plugins just by updating another plugin or doing something ‘innocent’ on your site (can we put it that way?). Most of the time they mean nothing (at least we hope so!). Sometimes they may mean something serious, but they’re like the girl who cried wolf; eventually we mentally block out their importance because it’s the ‘usual’ false alarm.
They Create SEO Issues
You can lock down your site to the level of paranoia, but if it stops you from making money, what’s the point of having a website?
I once had “Intrusion Detection” enabled in Better WP Security, and while there were no clear signs the plugin was definitely the cause, my site stopped being indexed by Google. I was getting lots of error messages in Webmaster Tools. I found a forum post that said, by the plugin author, that in some cases it could lock out Google, though it shouldn’t.
I disabled “Intrusion Detection” and the problem went away; Google could index my site again. Phew! So it was not the plugin itself, as Howard points out, it was the configuration of the plugin.
With security plugins, it could be this reason or that reason sites are not being indexed. As Howard explains, it depends “on which settings are enabled and which SEO plugin is used.”
As Jim explains very specifically,
Security plugins may not always interact with every WordPress installation as expected. If Google Webmaster reports an error accessing website, I recommend the Intrusion Detection setting be set to no lower than an Error Threshold of 30 or higher, or disabled entirely if more than a few errors occur each month.
There is a similar setting in Wordfence Security, as well, in the Firewall rules section, where I recommend a value of no lower than 30 per minute be set for crawler’s and 404 errors.
They Can Lock You Out of Your Own Site
We know that most hacks on WordPress sites happen because someone didn’t change the “admin” username and used a password like, “password” or something like that. So a plugin that limits login attempts is great (though really, there’s no hope for you if you insist on using “password” as your password).
As Howard explains, this is crucial because,
Limiting login attempts is important to preventing denial of service attacks. WP core doesn’t limit attempts, and hacker bots will run through a dictionary of common passwords if you let them. (Every hacker has the ‘500 most common passwords’ — if you use any of them, you’re begging to be hacked.)
But when a security plugin starts locking you, or your clients, out of their own site, oh, the agony!
For this reason, Howard says,
Yes, this can happen. One of the first things we do on new sites is create a second admin level account, to be used as a back door in the event of an unexpected lockout. A WordPress tech can use phpMyAdmin to fix this, most end users can’t.
You can usually set higher or lower tolerance levels for things like this, but the part that gets annoying is when you get locked out ‘just because.’ You don’t even have to visit a 404 page or use a wrong password. The plugin suddenly ‘feels’ like locking you out.
Ok, ok. Howard makes a legitimate point that computers “don’t ‘feel’ like doing things ‘just because.’ They follow instructions; something in the code is poorly written.”
But Jim confirms this can happen and says, “yes, I have reproduced this as well. And in those cases where it occurs more than once I generally fully uninstall the annoying plugin and try the alternate one.”
If you have an e-commerce WordPress site or a membership site, you’ll want to double-think using this type of feature, because your customers are for sure going to forget their passwords a lot. If they keep entering a wrong password, or visit the wrong URL or do something to tick off the plugin, they’re going to see an error page when visiting your site. That won’t be good for making more sales.
Again, try what Jim says: use another plugin. Or use our advice below and get managed WordPress hosting!
Note: as Howard points out, security is especially a big concern if you are running an e-commerce site. Extensive measures should be taken if you are completing credit card transactions on your site (too big of a topic for this article). You’ll need to find a workaround to this problem of plugins that can lock your customers out.
They Make Hard-to-Reverse Changes
If you don’t know how to reverse their changes, these plugins could create really big, time-consuming and expensive problems to fix. Like for example, the option to change the wp-content directory folder name. At first a new WordPress user might think, “well yeah, if a security plugin says I should do this to make my site secure, why wouldn’t I?”
But this can interfere with other plugins and themes on your site. Thankfully there are clear warning messages on plugins like Better WP Security that tell you this can happen.
Plus these types of changes are not always profitable. Using our example above, Thomas says that:
Renaming WordPress directories really does not provide additional protection. People with malicious intent usually use pre-built scripts to find vulnerabilities in any CMS like WordPress. They look for static files, that for the most part, cannot be changed without breaking their functionality. Like Javascript files.
If I wanted to see if a site was using a vulnerable plugin, I wouldn’t even worry about looking for wp-content. I would look for its changelog, readme, images, stylesheets, and/or any Javascript files. There are many vulnerability scans that do this already.
Changing parts of your installation through a security plugin can be a pain to deal with after you’ve hit the button to do it and need to change it back, especially if you are not using that plugin anymore. In our wp-content folder example, you would not only have to rename the folder again, you would have to take lines out of the wp-config file and scan your entire database to change all the URLs using the old folder name. A non-coder would find this difficult.
In another example, if you set a plugin to force your site to use https and in your “General” settings you have the http version of your URL set as the “Site Address,” your inside pages could be visible but your home page will be blank (or something like that). Un-doing SSL stuff is not easy-peasy stuff if you’re not a tech person.
If you have enabled any feature that would ban IP addresses from your site, your .htaccess file is going to start getting veeeeery long. This can slow down your site and, when you call your host for support you know what they’re going to say? “Your .htaccess file is really long.”
As Thomas points out,
Some hosts will actually suspend your site if your .htaccess has become resource expensive. It doesn’t necessarily have to be lengthy. You really need to know what you’re putting in your .htaccess and the pros and cons of doing so. Just inserting lines of code without having any idea on what it specifically does, can be more detrimental than helpful.
A security plugin, while locking out potential hackers, can also add IP addresses to your database it has locked out. So if you are locked out yourself, you have to know how to go into your database and delete the line with your IP address in it. If you have never been exposed to PhpMyAdmin, this is going to be a very difficult task for you.
Situations like this bring us to our last point, which is that professionals should be handling this kind of stuff.
They Require Personalized Support
I feel sorry for the people who have to handle the support threads for security plugins. I mean, look at this thread. And look at this thread too (for added sympathy).
In fact, if you visit support forums of any of security plugins, you’ll see similar problems and happenstances where a plugin did some gobbledygook to someone’s files, or locked them out, or wouldn’t uninstall completely, or something. Websites are hosted on different environments, use different themes and plugins, and have all kinds of variable circumstances that could make the answers to these forum posts different for everyone.
The WordPress community is surely glad and thankful for plugin authors that make complicated code-ey things simple for non-coders. What would the world be like without their humanity-helping breed? Not pretty.
However, drawing from the types of issues we’ve described above, we can conclude these plugins should not be marketed to just anybody. If a security plugin is really going to be for the masses, it should ideally be a paid service, where people get paid-for-quality support and a consultant that tells them what to do for their unique situation. Each case may be different and, if you’re not knowledgeable about security or technical things, you shouldn’t be handing a free plugin that comes with that kind of power.
But some people do know what they’re doing and want the control that comes with these plugins, so we can’t take them off the WordPress repository completely.
Here Howard chimes in with a very important point:
There are over 28K plugins in the repository. Selecting the right plugins is what’s most important. The star ratings help. Checking change logs to see how frequently a dev updates helps. Reading reviews helps. But if you select the wrong plugin, you may have problems. Even if you select the right plugin, there may be settings that are not easily understood by a novice. Having a qualified pro to help you is always going to be important. If I have a toothache, I can get a pair of pliers and yank it out. But I’m probably better off if I see a dentist.
What Else Can We Do?
Well, a few things, which don’t require a lot of technical knowledge. For one, check out Tom’s post on The 10 Things You Need to Know to Secure Your WordPress Site (minus 8, 9 and 10, because they conflict with what I’m saying here…lol, sorry Tom).
Secondly, read this article by iThemes which talks about the somewhat recent massive brute force attack on WordPress sites, so you understand the basics of how WordPress sites get hacked in the first place.
You might also want to check out this infographic which explains WordPress security and common vulnerabilities hackers can exploit.
Also check out these resources graciously dug up for us by Thomas:
Then go get a backup system that is tailored for WordPress. If you’re not using the wonderful, amazing ManageWP (which, by the way also lets you check your site for malware and viruses…just had to throw that in there), use VaultPress or iThemes’ BackupBuddy. Howard also uses UpdraftPlus which is a free plugin available in the WordPress repository. A managed WordPress host like WP Engine may have this built into their service for you already.
Think about it, this is your ultimate security. If your site gets hacked, and you have no backup you will have two choices:
- Spend hours finding the infected code to clean it up, or more realistically pay someone a premium fee to do this for you.
- Rebuild your entire site from scratch, which ain’t gonna be cheap.
If your site gets hacked and you have backups dating back to yesteryear, you have no worries. You just have to restore it to an older version. At most you might have to re-publish a bit of content that is not in the restored files. No biggy. (But make sure you aren’t restoring a version of the site that is still infected…which means your backups should go back a long ways).
Get an Akismet key to prevent spam on your site. It will save you a lot of headaches. Or you can disable all commenting on your site, which is a legitimate route to go in if your business is not in the business of online discussion. Howard especially prefers this solution unless the site is a blog.
If you know how, you should also change your database table prefix so it’s not “wp_.” This is something a plugin can automate for you “so you don’t have to muck around in MySql. Install, activate, change prefix, deactivate, uninstall. Done,” says Howard.
If it suits your fancy, you can also do it manually. If you don’t know how to do this, well, please don’t try this at home folks.
You can also visit posts that talk about things you can add to your .htaccess file. I found a few for you already by doing a quick Google search, but please make your code-inclusion decisions wisely:
- Cool WordPress .htaccess Tips to Boost Your WordPress Site’s Security
- WordPress Security Through .htaccess
Again, we emphasize, in Howard’s words, if you are a novice user, “kids, don’t try this at home.”
Finally, and most importantly, get a good host! I particularly am fond of, and use WP Engine, but there are others out there that I believe could do an amazing job as well. They are big on security over at WP Engine, and are also WordPress specialists, which means when you have a problem with WordPress, especially a security problem, they can help you and not be all like, “we don’t support WordPress, you have to contact WordPress support,” like some hosts out there (not that I want to mention any names…).
In fact, it says on their site that if your site gets hacked while hosted with them, they’ll fix it for free! You see, our anxiety problem is now solved, and we didn’t even have to install a plugin or do all that above-mentioned fancy footwork to get a good night’s sleep.
It’s Time For Your Input!
Now we’re throwing the baton over to you: what are your best tips for keeping a WordPress site secure? If you use and love your security plugins, please share which ones they are and why! We love all kinds of opinions on the ManageWP blog and everyone’s input and differing views keep us all the more informed.
Photo Credit: Darwin Bell
Heather
Is it harmful to use 2 security plugins at once? I found that I like wordfence because it has certain features I fancy. But i’m paying for sucuri firewall and cdn. Mostly for the CDN features. Do you think It could cause a problem having them both installed in the same website? Is it overkill? Or am I doing good by covering tracks in one plugin, that the other may or may not cover?
Sandra
In an online site for setting up websites almost a year ago it was recommended that we sign up for a free updraftplus account. I have done virtually nothing on the site since then and I am not at all an expert on site management. updraftplus has been sending notices daily like ” 6 files chanaged” etc. I assumed that they were referring to saved files of the website, meaning when they saved it the file was now a “new” file. To be honest I had no idea what was going on, I just trusted the instructor’s explanation and recommendation. As you probably know UpdraftPlus would be connected to my general update provider, which is Dropbox.
Recently I received a notification (the automated standard notification) of 9700 files removed. I contacted Dropbox and they had no answers. I know of no lost files on my computer. But then I started to look into exactly what UpdraftPlus does. However with a free account you are not allowed to make any queries, but must resort to WP forums. That is virtually useless for me. I tried and there seems to be no help as it is like looking in a jungle for your contact lens.
Any comments, suggestions, etc?
Thanks
Nemanja Aleksic
For starters, updaraft is not a security plugin. It just runs a backup of your website.
If you are looking for a turnkey solution, I recommend Sucuri – if you’re a business owner that doesn’t want to spend 10 hours every month trying to figure out what’s broken on your website, they are the perfect solution.
Anonymous
Hey,
I couldn’t stop laughing while reading this article. It’s hectic! You really nailed it.
I understood, how so-called security plugin does harm than what we expect good from them. LOL 😀
BTW, what’s your thought about S***ri, is it really good or just for affiliate marketer?
Thanks & Regards,
A
Ed Alexander
@Joyce – Overall I think is a very good article because you are not coming from the place of “I know best”. This article is more of a general report about what a lot of different folks are saying about security plugins and website security. So good reporting job Kudos to you for the informational format of this article. 😉
I think this additional information would be a good addition to this article and it is one of most important aspects of why someone should use a security plugin that has the capability to let someone know there site is or might be hacked already.
I’ll start with an actual example scenario that really occurred in real life: PersonA starts seeing some unusual things that indicate something is not right after installing security pluginA. PersonA contacts security pluginA plugin author and asks what these unusual things mean. security pluginA plugin author informs personA that these unusual things are an indication that personA’s website is already hacked. security pluginA plugin author does some historic frontend google research and finds the personA’s website has been hacked for more than 2 years without any obvious indications to personA that their website was hacked previously. So the obvious benefit to personA is that they are made aware by security pluginA that their website and hosting account is already hacked.
How common is this scenario? Unfortunately, it is very common. We see this all the time. Typically a high level hacker or hacker group will hack a site and install a hidden backdoor shell script. This/these hackers do not want the website owner to know their site is hacked. If other hackers/hacking groups find that this site is hacked (typically doing “dork” searches) then they will use the backdoor and probably do some obvious hacking things that make it obvious to the website owner that their site is hacked. In a way these hackers that come after the original hackers and do additional obvious hacking to the site (defacement, link injections, etc), end up actually helping the website owner by making the website owner aware that their site is hacked.
Summary: On average a website is typically hacked months (usually 1-6 months) before a website owner is aware that their site is hacked if the site was hacked by high level hackers who are very careful to not expose the fact that they have hacked the site and hosting account. Kiddie scripter hackers are in different category and just want to show off, but typically they do not have the hacking skills to do the original website hack and come after the original hackers have taken control of a hosting account and do obvious additional hacking stuff to a site that gives away the fact the site is hacked.
The most important benefit of installing a security plugin is to make someone aware that their site and hosting account is already hacked, which is rarely if ever stated anywhere on the Internet. I consider this to be the #1 most important aspect of installing a security plugin. Once someone knows their site and hosting account is completely controlled by a hacker or hackers or different hacking groups then they can wipe everything and start fresh. Hopefully the security plugin that someone chooses to install after the hosting account is completely cleaned up and hack free, will continue to keep the hosting account clean/hack free.
Best Regards,
Ed
Frank Dwyer
Bravo for a clear thinking article. I am a newbie to WordPress who created a website on my own. I found the one-click security plugin I purchased to be a major headache. It blocked me from using a key tutorial. Worst of all, I could not do a full backup using BackupBuddy (great plugin) until I first disabled the security plugin – and then I had to reconfigure it every time arghh:( Finally, I got so fed up with all the dire seeming messages and alerts – all of it in unfathonable language. Yes, I paid for it and I have just dumped it. For my simple site the all-in-one security thing proved a constant headache. Protection mabye but at what cosT?
webmaster
Well, i believe that you can’t run a big wordpress site without using some of the security plugins. The “thing” is to get one that is working well for your needs. I am using the BPS Security and seems that it doesn’t make any trouble, while it protects correctly. So my advice is, choose one that works correct and you’re good to go
security guard company
enabled in Better WP Security, and while there were no clear signs the plugin was definitely the cause, my site stopped being indexed by Google. I was getting lots of error messages in Webmaster Tools. I found a forum post that said, by the plugin author, that in some cases it could lock out Google, though it shouldn’t.
Chucho
All those security plugins made zero use for my site. Actually Ithemes security plugin even caused me more problems than good things. All the time it wrote bad codes in my htaccess file..a few times even deleted my whole code from htaccess file causing errors for inner pages…not a fan of those plugins at the moment…
Paul G.
Hey,
I think this article is leaning towards not installing a WordPress “security” plugin at all… and you’re right, you probably shouldn’t install one of those that potentially break your sites altogether.
Jim from HackRepair (who you feature in your article) also reviewed WordPress Simple Firewall plugin and scored it as the least likely to ever break/lock you out of your site. It never writes to the wp-config, .htaccess or any other WP files, it doesn’t let you change your wp-login, it doesn’t rename wp-admin/wp-content etc., and it has a fail-safe hard switch to turn the whole firewall off “just-in-case”.
That plugin is worth checking out if you want good site security features (spam, login brute force attacks, data-firewall etc.) but don’t want the risk of burning your site to the ground. 🙂
It’s on the WP.org repo: http://wordpress.org/plugins/wp-simple-firewall/
Cheers,
Paul.
Karen
Hi, I found your post because I got into this trap. I’m new to wordpress and worked on my website for the past 48 hours almost in a row. WP recommended the Better WP Security plugin and I thought “cool” and I did just like you said “if they recommend this this and that, it’s because it should be good”. How I regret that? I’m locked out and have no idea what to do. It is a self hosted website but when I accessed the files today, they were dated from the day I bought the package! That means no back up, right? anyways, I wasn’t using the website and wasn’t all ready so I did not care about the back up. It could be good or bad, if I had backed up after the damn plugin who knows what would have happened. I’ve read and read, but just can’t figure it out. I was wondering if there is really a way around if I hadn’t backed up anything. The solution is to re install it and start from scratch?
I wish I had read your post before :/
Thanks anyway!
Tom Ewer
Hey Karen,
You should definitely get in touch with the plugin’s developer and see what he might be able to do to help. It may also be worth talking to your hosting company and seeing if they make backups for you.
Cheers,
Tom
Chris Finnegan
Hi Joyce,
You certainly make a good point in this article. I find issues multiply when folks add multiple security plugins.
Like most things it’s worth learning some basics before reaching for more plugins.
One thing often missed when updating WordPress plugins is to check a plugin’s code is maintained! Just because there are no updates available does not mean a plugin is actually up to date and secure. It could be that a plugin has been abandoned by the developer. Visiting the plugin page at the WordPress plugin directory will tell you the time it was last updated, and you’ll see a message on pages where the plugin has not been updated in over 2 years,
Cheers
Chris
PS +1 for the Limit Login Attempts plugin;)
Dan Knauss
Why change the db table prefix? That’s kind of a voodoo practice people hang onto because years ago some SQLi exploits assumed the default prefixes. The root problem was vulnerability to SQLI of course, and that’s not likely to be an issue if you pick good plugins and keep everything updated. Trying to hide your username is pointless, inconvenient and unproductive. .htaccess trickery can be a fun learning experience but of very limited real security benefit in return for the time invested. If you want to do it, check out Jeff Starr’s site, book and annually updated models. Mika Epstein’s blog is another good source of advice about security and WP.
dj
Please get rid of that fixed meta pop-up crud. It certainly isn’t for convenience of users who have just begun reading your hard-fought content. It’s distracting and the fact that you choose to slam it right on the margin connecting with the content at the eye-level reading point is the most distracting “fluff” that I’ve seen on the net since \
Bart
Agree with that. When I was setting my site http://bart.volgers.eu I tried a social sidebar and dismissed it for exactly those two reasons. Distracting and not at the right spot. I now use the AddAny plugin to put social icons at the bottom of the post. The place where the really belong.
For security I use:
Limit Login Attempts plugin: it’s a fire an forget plugin and works fine
Login Security Solution: When I have more users on a site. It can be set to force users to use strong passwords.
When they lock me out, I just go to my hosting panel and change the plugin folder name, to switch them off.
One thing I really miss in this post is: Two factor authentication / One Time Password (OTP) This is a very good method to secure your site.
I use: Duo Two-Factor Authentication which give a great user experience and is free upto ten users. I also supports setting “save IP’s” from which two factor is bypassed.
You can also use a generic OTP plugin that works with google auth.
I also miss some quite important things in this post:
1) Alway use unique and strong passwords. This is easy by using a password manager, like 1Password for OSX
2) Never use the username “admin” If it’s there make a new user with an other name and with admin privelages and delete the “admin” user name. You will be prompted to transfer existing posts to a other user.
3) Always keep your WordPress installation up to date! There are plugins to mail you if there are updates, like: Update notifications. Or use ManageWP.
Wrapping it up, this isn’t the strongest post I have read on teh ManageWP blog.
Joyce Grace
Hi Bart!
Thanks for your added tips. Truth be told, articles are never going to be as strong as when the community gives their added input in the comments.
This article wasn’t meant to be a post about how to secure your site – that was beyond the scope of what it was trying to say.
We do mention passwords earlier up in the article, and I link to resources about how to secure your site, which mention the things you’re talking about. The last section mentioning security tips was really a concluding word, not the ‘meat’ of this article. So I hope you found the rest of it more useful for thought and consideration among the WordPress community.
Thanks again for letting us know your preferred security methods for WordPress!
Joyce Grace
Hi dj!
Thanks for your passionate feedback 🙂
Since this article isn’t about our site design I would recommend that in the future, if you have feedback of this nature that is off-topic, to write to us directly. That way your recommendations will be seen by the right eyes at the company. Right now your message is not going to get very far in making a difference because it’s written as a comment to an article about security plugins. I personally don’t make decisions about the site’s design, I am just a writer at ManageWP. But I do see what you mean. However, I think there are worser evils committed on the web that distract users 🙂 This is hardly top of the list 🙂
Anyway, feel free to carry this conversation on further by contacting the folks at ManageWP directly.