Greenskeeper

FAQ

Does Greenskeeper report updates made outside the plugin?

Yes, from version 1.9.1. Greenskeeper hooks into WordPress’s
upgrader_process_complete action, which fires for any update that runs
through WordPress’s standard Plugin_Upgrader or Theme_Upgrader — including
updates made from the WordPress Updates screen, the Avada plugins dashboard
(for Avada Core and Avada Builder), or any other standard WordPress update
mechanism.

These external updates are logged automatically with a session labelled
“External” in the Update Log, and are included as a separate “Updates Made
Outside Greenskeeper” section in the next maintenance report email.

How does Greenskeeper handle Avada theme updates?

Greenskeeper handles Avada-related updates in two ways depending on the
update type:

Avada theme, Avada Core, and Avada Builder updates — once your Avada
license is registered, these appear in the standard WordPress updates list
and can be updated from either the WordPress Updates screen or the Avada
plugins dashboard. Both routes fire WordPress’s standard upgrade hooks.
Greenskeeper detects and logs these automatically and includes them in the
maintenance report email.

Avada Patches — patches applied through Avada’s own Maintenance →
Plugins & Add-Ons dashboard use Avada’s proprietary update mechanism and
do not fire WordPress’s standard hooks. Greenskeeper cannot detect these
automatically. They should be documented manually using the Additional
Manual Updates field on the Email Reports page before sending the report.

The Updates page also shows a contextual notice when the Avada theme is
installed, explaining the required update order: Avada theme first, then
Avada Core, then Avada Builder.

What is the difference between an external update and a manual update?

An external update is one that Greenskeeper detected automatically
because it went through WordPress’s standard update mechanism (Plugin_Upgrader
or Theme_Upgrader). These are logged and included in the email without
any action from you.

A manual update is one that Greenskeeper cannot detect — for example
an Avada Patch, a plugin updated through a vendor’s own proprietary
dashboard, or an FTP file replacement. These must be documented using the
Additional Manual Updates field on the Email Reports page.

Does the plugin support Avada theme updates?

Yes, with important notes. Avada Core and Avada Builder appear in the standard
WordPress plugin update list once your Avada license is registered, and the plugin
can update them normally. The Updates page shows a contextual notice when Avada is
installed, explaining the required update order: Avada theme first, then Avada Core,
then Avada Builder. A confirmation prompt appears if you select the Avada theme for
update, reminding you to follow up with the companion plugins.

Avada Patches are managed separately through Avada’s own dashboard (Avada →
Maintenance → Plugins & Add-Ons) and do not appear in the standard WordPress update
API, so they cannot be detected or applied from this plugin. The Updates page
includes a direct link to that dashboard so you can check after completing your
regular updates.

Does this plugin support WordPress Multisite?

Yes. It can be network-activated by a Super Admin to cover all sites simultaneously, or activated per-site by individual Administrators. Each site maintains its own isolated database tables, update log, and email log. The plugin handles cross-site AJAX correctly on Multisite so email sending always reads from the correct sub-site’s log table.

Why are my updates not showing in the Update Log?

If you upgraded the plugin by uploading new files without deactivating first, the database schema may not have been upgraded. Open Update Log, expand the Database Diagnostic panel at the bottom, and click Force DB Upgrade Now. The panel shows both database tables with their column lists highlighted in green (present) or red (missing). After the upgrade click Refresh — all sessions should appear.

Emails are not being delivered. What should I do?

By default WordPress sends email via PHP’s mail() function, which many hosting providers block or which major inboxes mark as spam. Go to Settings → SMTP & Email Delivery and configure a dedicated SMTP provider. Use Send Test Email to verify your connection before sending a real report. See the SMTP Setup Guides section below for step-by-step instructions for each supported provider.

Why did a plugin or theme update fail?

Premium and licensed plugins that require a valid license key for automatic updates will fail with a mapped error message. The Update Log and email reports both include a plain-English explanation and an action recommendation. These items must be updated manually through the vendor’s dashboard or by providing a valid license key.

Can I send the report email from a specific email address?

Yes. Go to Settings → SMTP & Email Delivery and fill in the From Name and From Email fields. The From Email must be authorised to send from your SMTP provider or domain — using an unverified address is the most common cause of delivery failures.

Can I update WordPress Core separately from plugins and themes?

Yes. The Updates page has three separate sections — WordPress Core, Plugins, and Themes — each with its own Select All checkbox. You can update Core alone, plugins alone, themes alone, or any combination.

Is my SMTP password stored securely?

Yes. Passwords and API keys are encrypted with AES-256-CBC before being saved to the database. The encryption key is derived from your WordPress installation’s AUTH_KEY and SECURE_AUTH_KEY constants, which are unique per site and defined in wp-config.php. The raw password is never output into the browser — only a masked placeholder is shown when a value is already saved.

Where is the plugin data stored?

Three custom database tables per site:
* {prefix}_wpmm_update_log — one row per update action (session_id, item_name, item_type, item_slug, old_version, new_version, status, error_code, message, updated_at)
* {prefix}_wpmm_email_log — one row per email send (session_id, to_email, subject, body, status, sent_at)
* {prefix}_wpmm_spam_log — one row per blocked comment attempt (rule, author_ip, author_name, author_email, author_url, comment_content, post_id, blocked_at)

Plugin settings (branding, SMTP, spam filter configuration, client email, default admin, API key) are stored in the wpmm_settings WordPress option.

Can I review blocked spam comments?

Yes. Go to Site Maintenance → Spam Log. Every comment attempt blocked by
any local filter rule (honeypot, time check, keyword, IP, link count, duplicate)
is logged there with the author’s IP, name, email, and a content preview. Akismet-
blocked comments are logged here too and also appear in WordPress’s native
Comments → Spam queue.

From the Spam Log you can: filter by rule or IP, add an IP to the blocklist
with one click, delete individual entries, or clear the entire log.

Why were themes not showing in my email reports?

This was a bug in versions prior to 1.9.1. Theme update log entries stored
with item_type as ’themes’ (plural) were incorrectly bucketed into the
Plugins section. Version 1.9.1 normalises both spellings. No data was lost
— resending any previous email from the Sent Email History table will now
show themes in the correct Themes section.

Does the email report include spam filter activity?

Yes, from version 1.9.1. Every maintenance report email includes a Spam
Activity section listing comment attempts blocked since the last report was
sent. Each entry shows when it was blocked, which rule caught it, the
submitter’s IP, and a content preview. If no spam was blocked since the
last report the section is omitted entirely.

How does the administrator name appear in email reports?

From version 1.9.1 the email uses the administrator’s First Name and Last
Name from their WordPress user profile. Go to Users → Your Profile and
fill in the First Name and Last Name fields, then click Update Profile. If
no first or last name is saved, the Display Name is used as a fallback.

Who can access Greenskeeper?

By default, any WordPress Administrator can access the plugin. Once you save the
Manage Plugin Access settings (Settings → Manage Plugin Access), only the
administrators you have explicitly checked can see or use any part of the plugin.
Unchecked administrators see no menu item and cannot reach any plugin page.

Your own account is always locked in — you cannot accidentally remove your own
access from within the plugin.

Can a client with Administrator access see the plugin?

Not after you configure the Manage Plugin Access card. Go to
Site Maintenance → Settings, scroll to Manage Plugin Access, uncheck the
client’s administrator account, and click Save Access Settings. That account
will no longer see the Site Maintenance menu or any plugin page.

What if I get locked out of the plugin?

Lockout cannot happen from within the plugin UI — your own account is always
kept in the access list automatically. If you are locked out through a direct
database change, connect to the database and either delete the wpmm_settings
option (which resets to the manage_options fallback) or add your user ID back
to the access_user_ids array in that option.

Does the plugin support two-factor authentication?

The plugin does not implement 2FA itself. Instead, it detects whether a 2FA plugin
is active and shows a notice on every plugin page if none is found, with direct
links to install WP 2FA or Two Factor. We recommend protecting the administrator
accounts that have wpmm_access with 2FA via one of these dedicated plugins:
WP 2FA (by Melapress), Two Factor (official WordPress.org plugin),
Wordfence Security, or iThemes Security Pro.

How do spam filter settings work on a Multisite network?

Each sub-site has its own independent spam filter settings stored in that
site’s wpmm_settings option. From Network Admin, go to
Settings → Spam Filter & Comments. The All Sites view shows a summary table
of every site with its spam status, Akismet connection, and comments status.
Select a specific site from the Site Scope Bar to edit its settings. Changes
only affect that site and are saved immediately.

Can I run updates for all sites at once, or only one site at a time?

Both. In Network Admin, the Site Scope Bar on the Updates page defaults to
All Sites, which shows all available updates for all installed plugins and
themes. Selecting a specific site filters the list to only the plugins and
themes activated on that site, and runs updates in that site’s context.

Does the network email report cover all sites?

Yes. When the Email Reports page is in All Sites scope (Network Admin,
no site selected), sending the report builds a consolidated email with a
section per site. Each section contains that site’s own Core, Plugins, and
Themes update tables. When a single site is selected, the report covers
only that site in the standard single-site format.

Does the spam filter work without an Akismet API key?

Yes. The local filtering layer (honeypot field, submission time check, link count
limit, keyword blocklist, IP blocklist, and duplicate detection) runs entirely on
your server with no external API calls. Local filtering alone catches the majority
of automated bot spam. Adding an Akismet API key activates a second layer of
AI-powered cloud filtering for more comprehensive coverage.

Do I need a paid Akismet account?

Akismet’s free plan is for personal, non-commercial sites only. Any commercial
website — including client sites managed by an agency — requires a paid Akismet
plan. Visit akismet.com/plans to choose the right
plan. Greenskeeper provides the Akismet integration; licensing is your
responsibility.

Will the spam filter conflict with the standalone Akismet plugin?

No. Greenskeeper detects when the standalone Akismet plugin is already
active and skips its own Akismet API call automatically. Only the local filtering
layer runs in that case, so you never get double-filtering. The Settings page shows
a notice when the standalone plugin is detected.

What happens if Akismet is unreachable when a comment is submitted?

The plugin fails open — the comment is allowed through rather than being blocked.
This prevents legitimate comments from being lost due to a temporary API outage or
network issue. Local filters still run normally regardless of Akismet availability.

Can I disable comments completely across the entire site?

Yes. The Disable Comments toggle in Settings → Spam Filter & Comments removes
comment support from every post type, closes all existing comments via WordPress
filter hooks, hides the Comments admin menu item, redirects direct access to the
comments admin page, and removes discussion meta boxes from the post and page
editors. This is a site-wide setting — it applies to all post types including
custom ones.

How do I add an IP address to the blocklist after catching a spammer?

Two ways to add an IP. From the Spam Log page, click the Block IP button on any row — the IP is added to the blocklist instantly without leaving the page. Alternatively go to Settings → Spam Filter & Comments, add the address to the Blocked IP Addresses textarea (one per line), and click Save Spam Settings.

How does Greenskeeper handle Multisite networks?

In Network Admin, a Site Scope Bar appears at the top of the Updates, Spam Log,
and Settings pages. You can select “All Sites” to operate across the entire
network, or choose a specific site to scope the view to that site only.

What does “All Sites” mode do on the Updates page?

In All Sites mode the Updates page shows every available update for every plugin
and theme installed on the network, regardless of which site has it activated.
Running updates applies them network-wide and logs results to the network admin
site’s update log. The email report lists each site as a separate section with
its own Core, Plugins, and Themes tables.

What does single-site scope do on the Updates page?

When you select a specific site, the Updates page filters the plugin and theme
list to only show items activated on that site (including network-activated
plugins). Updates run in that site’s context and log to that site’s own
wpmm_update_log table. The email report uses the single-site format.

Are spam filter settings shared across all sites in a network?

No. Each site has its own independent spam filter settings. In Network Admin,
select a site from the scope bar on the Settings page to view and edit that
site’s spam configuration. Selecting “All Sites” shows a summary table of all
sites with their spam filter status, Akismet connection status, and comments
toggle state.

Can I use this plugin alongside WP Mail SMTP or other SMTP plugins?

It is recommended to use either Greenskeeper’s built-in SMTP configuration or a separate SMTP plugin — not both. Both plugins hook into phpmailer_init and will conflict. If you already have WP Mail SMTP, FluentSMTP, or Post SMTP installed and configured, leave Greenskeeper’s SMTP setting on WordPress Default and let the other plugin handle delivery.