Is WordPress Multi-Site More or Less Secure?

When looking at site security, is using WordPress Multi-Site more secure than using multiple installations of WordPress (in single-site mode) on the same hosting account? Is Multi-Site less secure? One thing to remember is that they are the same software with some configuration options changed. You don’t install “new software” to change from WordPress to WordPress Multi-Site; you add database tables for each new site, that’s all. The “network management” screen becomes available when you are managing multiple sites, there is an additional login permission (network admin); but the software is identical files on your server.

“The more plugins you have, the more security issues you potentially open up. If 1 plugin from 1 site lets in hackers, they take over the entire set of sites you have installed. Then, secondly, you run into security issues that may be less common, but can happen when a person registers on 1 site and is able to cross over to another site with admin based security holes. If the core directory gets hacked, all websites hosted together will contain the hacked files, likely phishing sites, making a hackers job 30x more powerful and easy (if you had 30 sites).”

Let’s look at that, one item at a time.

I completely agree with the first two sentences: “The more plugins you have, the more security issues you potentially open up. If 1 plugin from 1 site lets in hackers, they take over the entire set of sites you have installed [in your WordPress Multi-Site installation].”

All plugins have direct access to the WordPress database manipulation functions. Same with all themes. Get plugins and themes only from major trusted sources (there are some free ones). Check the reviews. Check the support area. If there are reports of security problems, have they been addressed quickly? (Or, on the other side, are the reports debunked? Any site can have false negative reports…).

Similar argument about plugins and themes having full access to the entire file structure, on your whole hosting account. (Apache has had secured cross-account access for several years. If your host has ancient server software, throw a fit! And, move to a host with good server software, proper update procedures, and always use web hosting with strong attention to security.)

You must keep updated, every installation of WordPress on your hosting account, including that one tucked away in some folder that you have forgotten about, so go in FTP and look through all your folders. Update all WordPress core, plugins, and themes. If a plugin or theme is no longer being supported, you won’t be notified about it, so look (in FTP) for moldy plugins/themes. (Old doesn’t mean bad, it could be a well-written plugin that hasn’t needed any updates. But if it was written for an old major release of WordPress, e.g. if the current version is WordPress 4.4.1, a plugin written for WordPress 4.0 is suspect and don’t use a plugin written for WordPress 3.9.)

This applies equally to WordPress in single-site or multi-site mode. (If you have 30 single sites, aren’t you highly likely to have most of the plugins on each of your sites?)

One place where this is a concern is if you are a hosting reseller for many clients, and you let clients install plugins or themes. I advise hosting each on their own hosting account, to limit the affect one client can have on the others. Take advantage of the cross-account security the host provides! Many hosts will let you charge the clients, and you pay the host, but you pay for multiple accounts. Security is complex; few clients who would “have you take care of it for them” are competent to pick good plugins and themes. One of your services should be “you pick good plugins and themes for them”; but if not, host them separately.

“secondly, you run into security issues that may be less common, but can happen when a person registers on 1 site and is able to cross over to another site with admin based security holes.”

If a hacker gets into the network admin account of a multi-site installation, they don’t need to “cross over to another site” to affect all the sites on this installation; they already Are the admin. (WordPress multi-site admin permission is only on a single site, unlike the network admin.)

Any (single-site or multi-site) WordPress installation is a possible source of infection of any other on the same hosting account. All PHP files installed on your account (and any other programming language, including JavaScript and Perl and C# etc.) have full access to the file system and databases on your account. (Unless you have a hosting account that has taken specific steps to block that, which would normally be implemented as you having separate accounts with single-billing and a management interface for all of them.)

Passwords: Never use the password for your network administrator account, for anything else on the network. Never use your admin password for an account that only needs “editor” privileges. Use a password keeper software, such as KeePass or LastPass.

Which is easier to infect? “Yes, no, sometimes, I don’t know”. Which has more impact? Since it’s possible that an infected installation won’t infect another installation on the same account, I’ll say an infected multi-site has bigger impact. Which is harder to clean? Since it’s possible that any infected installation can infect, and re-infect, every installation on your hosting account, and multi-site has fewer files that could be infected (but still several thousand files per installation), multi-site is easier. Recommendation: 1) don’t get infected, by having good security configuration (including WordPress iThemes Security or WordFence plugins, and Sucuri plugin) 2) have professionals clean your sites, e.g. Sucuri. Best time to have Sucuri on your site? Before you get hacked!

What about another account on the same hosting company infecting your sites? If your hosting company doesn’t talk extensively and often about security, or “security” for them is only “backup diesel generators and security guard”, switch companies today. Server software that keeps hosting accounts completely isolated has been available for years, and is free and standard-issue and yet many hosting companies haven’t updated their software. The best companies have staff that Every Day check for globally-announced newly-found security holes, and add security rules. Check my page on selecting hosting providers, or my recommended do it yourself hosting, or WordPress Managed Hosting.






Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.