Securing WordPress Multisite Networks
WordPress Multisite introduces unique security challenges. Learn how to protect your network, manage site-level permissions, and prevent cross-site attacks.
WordPress Multisite allows you to run multiple sites from a single installation. While efficient, this architecture introduces unique security challenges—a vulnerability in one site can potentially affect the entire network.
Multisite Security Challenges
- Shared codebase - One vulnerability affects all sites
- Super Admin access - Powerful accounts require extra protection
- Plugin/theme management - Network-wide activation risks
- Cross-site attacks - Potential for lateral movement
- Resource sharing - Sites compete for server resources
Super Admin Protection
Limit Super Admin Accounts
    // Minimize super admin accounts: alert when more than three exist.
    // The alert is rate-limited with a site transient so it is sent at most
    // once a day instead of on every network admin page load.
    function audit_super_admins() {
        $super_admins = get_super_admins();
        if (count($super_admins) > 3 && !get_site_transient('super_admin_audit_alerted')) {
            wp_mail(
                get_site_option('admin_email'),
                'Security Alert: Too Many Super Admins',
                'Your network has ' . count($super_admins) . ' super admin accounts. '
                . 'Review and reduce if possible.'
            );
            set_site_transient('super_admin_audit_alerted', 1, DAY_IN_SECONDS);
        }
        return $super_admins;
    }
    add_action('network_admin_menu', 'audit_super_admins');
    // Require 2FA for super admins. The 'set_current_user' action passes no
    // arguments, so the user is read with wp_get_current_user() and the check
    // runs on 'admin_init', after the current user has been resolved.
    function require_super_admin_2fa() {
        $user = wp_get_current_user();
        if (!$user->exists() || !is_super_admin($user->ID)) {
            return;
        }
        // '2fa_enabled' is whatever user meta your 2FA setup writes on completion
        if (get_user_meta($user->ID, '2fa_enabled', true)) {
            return;
        }
        // Let the setup page itself load, otherwise this redirects forever
        if (isset($_GET['setup_2fa'])) {
            return;
        }
        wp_safe_redirect(network_admin_url('profile.php?setup_2fa=required'));
        exit;
    }
    add_action('admin_init', 'require_super_admin_2fa');
Network-Wide Security Settings
wp-config.php for Multisite
    // Multisite security settings
    define('DISALLOW_FILE_EDIT', true);   // disable the built-in plugin/theme code editors
    define('DISALLOW_FILE_MODS', true);   // block plugin/theme installs and updates from the dashboard
    define('FORCE_SSL_ADMIN', true);      // require HTTPS for wp-admin and wp-login.php
    // Remove the unfiltered_html capability from every user, super admins included,
    // so raw HTML and script tags cannot be saved in posts, pages or widgets
    define('DISALLOW_UNFILTERED_HTML', true);
    // Cookie settings for multisite (replace yourdomain.com with the network's domain;
    // the leading dot shares the cookie across subdomain sites)
    define('COOKIE_DOMAIN', '.yourdomain.com');
    define('ADMIN_COOKIE_PATH', '/');
    // Per-request memory limits; they apply to the whole installation, not to one site
    define('WP_MEMORY_LIMIT', '64M');
    define('WP_MAX_MEMORY_LIMIT', '256M');
Network Plugin Management
    // Only allow approved plugins network-wide. $plugin is the plugin file
    // (e.g. 'example/example.php'); $network_wide is true for network activation.
    function restrict_plugin_activation($plugin, $network_wide) {
        $approved_plugins = get_site_option('approved_plugins', array());
        if (!in_array($plugin, $approved_plugins, true) && !is_super_admin()) {
            wp_die('This plugin has not been approved for use on this network. '
                . 'Contact the network administrator.');
        }
    }
    add_action('activate_plugin', 'restrict_plugin_activation', 10, 2);

    // Prevent site admins from seeing (and so activating) certain plugins
    function hide_network_only_plugins($plugins) {
        if (!is_super_admin()) {
            $network_only = array(
                'security-plugin/security.php',
                'backup-plugin/backup.php'
            );
            foreach ($network_only as $plugin) {
                unset($plugins[$plugin]);
            }
        }
        return $plugins;
    }
    add_filter('all_plugins', 'hide_network_only_plugins');
Site Isolation
Prevent Cross-Site Access
    // Restrict user access per site. 'admin_init' also fires for admin-ajax.php,
    // which front-end code calls for logged-out visitors, so those requests are skipped.
    function restrict_cross_site_access() {
        if (!is_multisite() || is_super_admin() || !is_user_logged_in() || wp_doing_ajax()) {
            return;
        }
        // Sites the user belongs to, keyed by blog ID
        $user_blogs = get_blogs_of_user(get_current_user_id());
        $current_blog_id = get_current_blog_id();
        // Check if user has access to current site
        if (!array_key_exists($current_blog_id, $user_blogs)) {
            wp_die('You do not have access to this site.');
        }
    }
    add_action('admin_init', 'restrict_cross_site_access');

    // Prevent directory traversal between sites. Simply stripping '../' is
    // bypassable (e.g. '....//' collapses back to '../'), so instead verify that
    // the resolved upload path stays inside this site's upload base directory.
    function secure_upload_paths($upload) {
        $basedir = wp_normalize_path($upload['basedir']);
        $path    = wp_normalize_path($upload['path']);
        if (strpos($path, '..') !== false || strpos($path, $basedir) !== 0) {
            // Fall back to the site's base directory and report the problem;
            // a non-empty 'error' makes the upload fail with this message
            $upload['path']  = $basedir;
            $upload['url']   = $upload['baseurl'];
            $upload['error'] = 'Upload path outside the site upload directory was rejected.';
        }
        return $upload;
    }
    add_filter('upload_dir', 'secure_upload_paths');
Network Monitoring
Implement network-wide security scanning:
- Iterate through all sites - Use get_sites() to loop through network
- Check SSL enforcement - Verify each site uses HTTPS
- Monitor plugin updates - Track outdated plugins across all sites
- Collect security issues - Build array of problems per site ID
- Schedule daily scans - Use wp_schedule_event for automated checks
- Alert administrators - Notify network admins of discovered issues
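The scan described by the steps above, written out as an added example (not code from the original article or from WP Folder Shield). The `wpfs_` prefix, the hook name and the option name are assumed; the outdated-plugin check relies on WordPress having already populated the `update_plugins` site transient through its normal update checks.

```php
<?php
// Network-wide daily security scan: SSL enforcement and outdated plugins per site.
function wpfs_scan_network() {
    $issues   = array();
    $updates  = get_site_transient('update_plugins');
    $outdated = isset($updates->response) ? array_keys($updates->response) : array();

    foreach (get_sites(array('number' => 0)) as $site) {  // number 0 = no limit
        switch_to_blog($site->blog_id);
        $site_issues = array();
        // SSL enforcement: both the site and home URLs must be served over HTTPS
        foreach (array('siteurl', 'home') as $opt) {
            if (strpos(get_option($opt), 'https://') !== 0) {
                $site_issues[] = "$opt is not served over HTTPS";
            }
        }
        // Outdated plugins that are active on this site or network-activated
        $active = array_merge(
            (array) get_option('active_plugins', array()),
            array_keys((array) get_site_option('active_sitewide_plugins', array()))
        );
        foreach (array_intersect($active, $outdated) as $plugin) {
            $site_issues[] = "outdated plugin: $plugin";
        }
        if ($site_issues) {
            $issues[$site->blog_id] = $site_issues;  // problems keyed by site ID
        }
        restore_current_blog();
    }
    // Keep the last result for a dashboard page, then alert if anything was found
    update_site_option('wpfs_last_scan', array('time' => time(), 'issues' => $issues));
    if ($issues) {
        $body = '';
        foreach ($issues as $blog_id => $list) {
            $body .= "Site {$blog_id}:\n  - " . implode("\n  - ", $list) . "\n";
        }
        wp_mail(get_site_option('admin_email'), 'Network security scan: issues found', $body);
    }
    return $issues;
}
add_action('wpfs_daily_scan', 'wpfs_scan_network');

// Schedule the scan once, on the main site only, since WP-Cron runs per site
function wpfs_schedule_scan() {
    if (is_main_site() && !wp_next_scheduled('wpfs_daily_scan')) {
        wp_schedule_event(time(), 'daily', 'wpfs_daily_scan');
    }
}
add_action('init', 'wpfs_schedule_scan');
```

Run it from a network-activated plugin; `wp cron event run wpfs_daily_scan` triggers a scan on demand if WP-CLI is available.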
Registration Security
    // Control site and user registration. Who may register is set under
    // Network Settings; NOBLOGREDIRECT belongs in wp-config.php, where WordPress
    // functions such as home_url() are not yet loaded, so use a literal URL.
    define('NOBLOGREDIRECT', 'https://yourdomain.com');  // replace with the network's main site URL

    // Custom registration validation (in a network-activated plugin)
    function validate_multisite_registration($result) {
        // Restrict to approved email domains
        $email = $result['user_email'];
        $allowed_domains = array('yourcompany.com', 'partner.com');
        $email_domain = strtolower(substr(strrchr($email, '@'), 1));
        if (!in_array($email_domain, $allowed_domains, true)) {
            $result['errors']->add('email_domain',
                'Registration is restricted to approved domains.');
        }
        return $result;
    }
    add_filter('wpmu_validate_user_signup', 'validate_multisite_registration');
Conclusion
WordPress Multisite requires network-level thinking for security. Protect super admin accounts, implement site isolation, manage plugins centrally, and monitor all sites continuously for a secure network.
Written by Sarah Chen
WP Folder Shield Team