Complete Guide to Securing WordPress Multisite Networks
Learn comprehensive security strategies for WordPress Multisite including network-wide protection, site isolation, and super admin security.
Introduction
WordPress Multisite networks present unique security challenges. A vulnerability on one site can potentially affect the entire network. Super admin accounts have extraordinary power, and proper isolation between sites is critical.
Multisite Security Architecture
Understanding the Multisite security model:
- Shared codebase - All sites share WordPress core, plugins, and themes
- Separate tables - Each site has its own set of tables inside the one shared database, while the users and usermeta tables are shared network-wide
- Super admin power - Can access and modify any site
- Network plugins - Activate once, affect all sites
- Upload directories - Shared wp-content/uploads with site subdirectories
Super Admin Account Protection
Super admin accounts need the highest level of protection:
Restrict Super Admin Access
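// Limit super admin sessions to an allow-list of source IPs.
// Runs on the wp_login action, i.e. after the auth cookie has been issued,
// so a disallowed super admin is logged straight back out.
// NOTE(review): REMOTE_ADDR is the address of whatever connected to PHP; behind a
// reverse proxy or CDN that is the proxy itself, so the list must then hold the
// proxy addresses or the check must use a trusted-proxy-aware client address —
// confirm the deployment topology before relying on it. Treat this as defence
// in depth alongside 2FA, not as a replacement for it.
add_action('wp_login', static function ($user_login, $user) {
    // Only super admins are subject to the restriction.
    if (!is_super_admin($user->ID)) {
        return;
    }

    $allowed_ips = [
        '192.168.1.100',
        '10.0.0.50',
    ];

    // A missing REMOTE_ADDR (e.g. WP-CLI) yields '' which never matches.
    $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';

    // strict: true so nothing can match through loose string/number coercion.
    if (!in_array($client_ip, $allowed_ips, true)) {
        wp_logout();
        wp_die('Super admin access restricted to authorized locations.');
    }
}, 10, 2);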
// Force 2FA for every super admin; everyone else keeps whatever the caller decided.
add_filter('wpfs_require_2fa', static function ($require, $user) {
    return is_super_admin($user->ID) ? true : $require;
}, 10, 2);
Network-Wide Plugin Security
Manage plugins safely across the network:
Control Plugin Activation
// Prevent site admins from activating certain plugins
// NOTE(review): as written this filter is a pass-through — it hands the
// network-activated plugin list back untouched and enforces nothing. The
// site_option_active_sitewide_plugins filter only sees the list when it is
// read; it is not an activation guard. Either remove it or implement the
// restriction, otherwise a reader may believe the control is in place.
add_filter('site_option_active_sitewide_plugins', function($plugins) {
// These must be network activated only
return $plugins;
});
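// Block specific plugins on subsites by stripping them from the active list
// every time it is read, so a blocked plugin never loads on a subsite even if a
// site admin manages to activate it.
// NOTE(review): this covers per-site activation only; a plugin that is
// network-activated lives in active_sitewide_plugins and is not affected.
add_filter('option_active_plugins', static function ($plugins) {
    // A corrupt or missing option can be a non-array; leave that for core to handle.
    if (!is_array($plugins)) {
        return $plugins;
    }

    $blocked = [
        'dangerous-plugin/dangerous-plugin.php',
        'security-risk/security-risk.php',
    ];

    // array_diff keeps the original keys; re-index so the option stays a list.
    return array_values(array_diff($plugins, $blocked));
});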
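// Audit plugin activations in a network-wide option so super admins can review
// them from the network admin. The activate_plugin action also passes whether
// the activation was network-wide, which is worth recording.
// NOTE(review): get/update_site_option is a read-modify-write, so two
// concurrent activations can lose an entry, and a compromised super admin can
// edit the option; for a tamper-resistant trail also ship each event to an
// external log (syslog/SIEM) rather than the database only.
add_action('activate_plugin', static function ($plugin, $network_wide = false) {
    $entry = [
        'plugin'       => $plugin,
        'network_wide' => (bool) $network_wide,
        'user_id'      => get_current_user_id(),
        'site_id'      => get_current_blog_id(),
        'timestamp'    => current_time('mysql'),
        // Unset for WP-CLI or cron activations.
        'ip'           => $_SERVER['REMOTE_ADDR'] ?? '',
    ];

    $audit_log = get_site_option('plugin_audit_log', []);
    if (!is_array($audit_log)) {
        $audit_log = [];
    }

    // Newest first, capped at 500 entries so the option cannot grow unbounded.
    array_unshift($audit_log, $entry);
    update_site_option('plugin_audit_log', array_slice($audit_log, 0, 500));
}, 10, 2);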
Site Isolation Strategies
Prevent security issues from spreading between sites:
Upload Directory Protection
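// Sanity-check the computed upload directory for the current site.
// NOTE(review): upload_dir is derived from configuration, not from request
// input, so this catches misconfiguration rather than an attacker; it does not
// by itself isolate one site's uploads from another.
add_filter('upload_dir', static function ($dirs) {
    // Reject any path component that walks up the tree.
    foreach (['path', 'subdir', 'basedir'] as $key) {
        if (isset($dirs[$key]) && strpos((string) $dirs[$key], '../') !== false) {
            wp_die('Invalid upload path detected');
        }
    }

    return $dirs;
});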
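// Deny requests that name another site's upload directory via ?file=
// The original pattern '/sites/(d+)/' had lost its backslashes: with '/' as the
// delimiter PCRE reads '(d+)/' as modifiers, the call fails, and the guard never
// fired.
// NOTE(review): this only runs for requests that reach PHP. Static files under
// wp-content/uploads/sites/<id>/ are served directly by the web server, so real
// cross-site isolation needs web-server rules (or a file-serving endpoint that
// checks the site), not just this hook.
add_action('init', static function () {
    if (!isset($_GET['file'])) {
        return;
    }

    $file = wp_unslash($_GET['file']);
    if (!is_string($file) || strpos($file, 'sites/') === false) {
        return;
    }

    // Capture the site id from ".../sites/<id>/...".
    if (preg_match('#sites/(\d+)/#', $file, $matches) !== 1) {
        return;
    }

    // Compare as integers; the original used a loose != on string vs int.
    if ((int) $matches[1] !== (int) get_current_blog_id()) {
        wp_die('Cross-site file access denied');
    }
});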
Network-Wide Security Headers
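// Apply a baseline set of security headers to every site in the network.
// NOTE(review): a default-src policy without 'unsafe-inline' blocks WordPress's
// own inline scripts and styles (admin and many themes); roll it out as
// Content-Security-Policy-Report-Only first and tune it per deployment.
add_action('send_headers', static function () {
    // Headers can only be set before output starts.
    if (headers_sent()) {
        return;
    }

    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    // The legacy XSS auditor is gone from current browsers and could be abused
    // in older ones; present guidance is to disable it explicitly.
    header('X-XSS-Protection: 0');
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // Use just the network host as the CSP source; 'self' already covers the
    // current site, the extra host matters on subdomain networks.
    $network_host = parse_url(network_site_url(), PHP_URL_HOST);
    $sources = "'self'" . ($network_host ? ' ' . $network_host : '');
    header("Content-Security-Policy: default-src {$sources}");
});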
User Management Across Sites
Manage user access carefully across the network:
Control User Registration
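// Flag newly created network users whose e-mail domain is on a disposable-address
// list, so a super admin can review them before they are given site access.
add_action('wpmu_new_user', static function ($user_id) {
    $user = get_userdata($user_id);
    // get_userdata() returns false for an unknown id; nothing to inspect then.
    if (!$user || empty($user->user_email)) {
        return;
    }

    // Everything after the last '@'; strrchr() returns false when there is no
    // '@', which the casts turn into '' rather than a bogus domain.
    $email_domain = strtolower((string) substr((string) strrchr($user->user_email, '@'), 1));

    $suspicious_domains = [
        'tempmail.com',
        'throwaway.email',
    ];

    // Domains are case-insensitive, so compare lower-cased and strictly.
    if ($email_domain !== '' && in_array($email_domain, $suspicious_domains, true)) {
        update_user_meta($user_id, '_flagged_for_review', true);
    }
});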
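// Deny every network-level capability to anyone who is not a super admin, so a
// site administrator cannot reach the network screens that grant super admin
// rights or change network settings.
// NOTE(review): core does not give these capabilities to ordinary roles, so
// this is defence in depth against a plugin or role edit that hands them out.
add_filter('map_meta_cap', static function ($caps, $cap, $user_id, $args) {
    // Capabilities that gate the network admin screens.
    $network_caps = [
        'manage_network',
        'manage_sites',
        'manage_network_users',
        'manage_network_plugins',
        'manage_network_themes',
        'manage_network_options',
    ];

    if (in_array($cap, $network_caps, true) && !is_super_admin($user_id)) {
        return ['do_not_allow'];
    }

    return $caps;
}, 10, 4);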
Network Security Monitoring
Monitor security across all sites:
- Centralized security dashboard in network admin
- Aggregate login failure logs from all sites
- Network-wide malware scanning
- Automated security reports for super admins
Database Security
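// Monitor (not block) queries that reference another site's tables.
// The original pattern '/wp_d+_/' had lost its backslash, so it matched the
// literal text "wp_d" and never a real "wp_<id>_" prefix; it also hard-coded
// "wp_", which is wrong on any network with a custom base prefix.
// NOTE(review): this is a detection aid, not SQL-injection prevention — the
// query is returned unchanged. Expect legitimate hits too: core touches other
// sites' tables around switch_to_blog() and in the network admin, so treat a
// log line as a lead to investigate, not as proof of an attack. The logged
// query text can contain sensitive values, so protect the error log accordingly.
add_filter('query', static function ($query) {
    global $wpdb;

    // For the main site $wpdb->prefix equals the base prefix (no numeric id).
    $current_prefix = $wpdb->prefix;
    $pattern = '/' . preg_quote($wpdb->base_prefix, '/') . '\d+_/';

    if (preg_match_all($pattern, $query, $matches)) {
        // One log line per distinct foreign prefix, not per occurrence.
        foreach (array_unique($matches[0]) as $prefix) {
            if ($prefix !== $current_prefix) {
                error_log('Cross-site query attempt: ' . $query);
            }
        }
    }

    return $query;
});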
Conclusion
WordPress Multisite security requires network-wide thinking. Protect super admin accounts, isolate sites properly, control plugin deployment, and monitor security across all sites from a centralized dashboard.
Written by Sarah Chen
WP Folder Shield Team