Having a secure website is a high priority for all admins, even more so for super admins on multisites. WordPress Multisite (WPMS) is like an apartment complex; tenants may have their own dedicated space, but some of the things they do will inevitably have an effect on any units above, below, or beside them. This is what makes things like security even more important, as you're not simply dealing with one site, but an entire network.
While there is no way to keep your site 100% secure— websites simply get hacked from time to time— there are certainly ways to mitigate risk. Here are some considerations for keeping your WPMS well-fortified:
What makes for a vulnerable WPMS?
So we've determined that site hacking happens but you can set yourself up for higher success. Now you may be wondering, "Is my current setup increasing my odds of getting hacked?" This is by no means everything, but we can highlight a couple of common oversights that can expose your network to bad actors:
As described in our guide WordPress Multisite: What to Consider when Getting Started it's very important to keep a solid handle on your network setup, maintenance, and growth. As your WPMS scales, having more eyes on network management duties will help intercept any suspicious activity sooner.
A strong multisite has a solid team to keep things organized and running smoothly.
Without a good workflow for monitoring and maintaining your sites, some will inevitably fall between the cracks; it's those forgotten, partially setup, out-of-date sites that attackers' automated scanners will spot most easily.
A strong multisite keeps everything up-to-date to mend any security holes.
The security holes sussed out by automated scanners can ultimately lead to a cross-infection; that is, even if that old forgotten site doesn't get any traffic, there is still a lot of risk to the rest of the sites in the network. To return to the apartment complex metaphor: if one unit is on fire, chances are it's going to spread to others.
A strong multisite gives equal care to each subsite, regardless of usage for the health of the overall network.
What else can I do to make a more secure network?
Addressing the common WPMS management oversights listed above are essential starting points for hardening your WPMS, but they aren't the only things to consider. Although not a comprehensive list, below you'll find some more tips to keep your multisite safe:
This seems to go without saying, but utilizing strong passwords is one of the most basic and effective security measures you can take. There are various methods one can employ to create strong passwords, but our favorite is to use a password manager (we use 1Password) to generate and then save passwords for future autofill.
Limiting access doesn't mean completely shutting down your site to collaborators. Rather, you want to make sure that you give users just enough access for them to do what they need to do within your network. Although it may seem distrustful, it's really more about reducing points of access for bad actors to intercept than it is about not trusting your users.
WordPress software is open source, and it has become a mammoth figure on the web. While this fact actually serves the security of the software quite well— a strong developer community all deeply invested in the success of a tool results in some pretty amazing security supervision— this popularity also results in lots of theme and plugin contributors, and not all of them are trustworthy. That's not to say all of the non-trustworthy ones are malicious, some just simply aren't well-maintained.
Be sure to only download WordPress themes, plugins, and updates from wordpress.org. Even there, be sure to scrutinize your desired plugins and themes carefully before adding them to your network. What do the ratings and installation numbers look like? Have they been updated in the last year? Is the support forum responsive to submissions?
HTTPS is the industry standard configuration at this point for sites, so much so that some browsers will all but completely block traffic to a site not certified with SSL. This is because setting your site up with HTTPS will secure traffic between your site and your users, keeping out third-party observers.
Backups of your network are essential, as they'll allow you to easily restore and retain data if anything happens. Be mindful of how much space backups can take if they're stored on your account, though. Backing up to a remote location like Google Drive or Dropbox will help keep your account free to store your growing network.
There are plugins that can help you with your security efforts. Wordfence, for example, is a highly popular option that includes an endpoint firewall and scans for malware.
Hopefully these tips give you some helpful starters for making your WordPress Multisite more secure, but know that you can always reach out to Reclaim Hosting Support if you have any concerns.