WordPress Multisite Security

Many individual and small company forays on the web are through WordPress on shared hosting accounts, and it’s not uncommon for a shared hosting account to hold multiple WordPress sites as needs and business grow. Site owners maintain each and every WordPress install, managing content, configuration, users and updates. At least they should. Maintaining multiple sites in a single shared hosting account is time-consuming and, as we’ll see, risky as each site on the account is a point of access that has to be secured.

In this post, we’ll discuss how conglomerating multiple WordPress sites in a single account may not save time and money, it may in fact lead to the compromise of every site on the account. We’ll also discuss how to host securely, keeping all your sites from falling due to a single plugin vulnerability.

Disorganization

Maintenance is vital for WordPress security. When websites are poorly maintained, attackers can exploit gaps in the software’s security. With multiple websites configured on the same hosting plan, this problem is compounded. WordPress site owners have more work in maintaining these sites, and keeping them up to date is more difficult with plugins, themes and core files vying for the owner or admin’s attention.

With multiple websites to maintain, attackers will find any flaws in these sites quickly through automated scans. Weeks of work maintaining an array of sites may be undone with only minutes worth of scans to locate and exploit their vulnerabilities. Automated attacks are an unfortunate staple of the web, and most websites that are taken over are only exploited because they were poorly maintained. Sites that are forgotten, partially developed sites, old versions of sites, all are targets because of poor maintenance. A disorganized hosting account leaves plenty of places for missed or forgotten updates or files, and these leftovers are the security holes that attackers are looking for.

Cross Infection

When a security hole is found in a WordPress plugin let’s say, attackers can add malicious software or seize control of that site. A single security flaw is enough for a website takeover. There is a mistaken belief that a forgotten site doesn’t matter because the content isn’t important or updated often, if at all. Poorly maintained sites are untouched for a reason, and it is easy to not care if that website is hacked. But for any sites under the same shared hosting account, the compromise of one website often means the compromise of all of the sites in the account. A poorly protected site, WordPress or otherwise, is the weak link in an entire hosting account’s security defenses, and the consequence is cross-infections of every site in the account.

Remediation

How do you protect against security flaws when you have a large amount of WordPress sites to manage? Keep sites organized into smaller groups, splitting them across different shared hosting accounts. Or, use a virtual private server (VPS) to keep WordPress sites separate through web server configuration. The more sites on a shared hosting account, the more at risk those sites are, so keep this in mind when you organize your websites.

The most important sites to your business or needs should be kept completely separate from other sites. This keeps flaws on less-maintained sites from impacting your most vital Internet presence. Extraneous sites, sites that are in development or are old, and especially site files that are known to be hacked, should all be kept off of the hosting account or deleted altogether. Please don’t move a compromised WordPress install to a directory called ‘wordpress-hacked’ and leave it on the account.

Should you use a shared hosting account for each individual site? Ideally, yes. Or a properly configured VPS. Is it essential? No. Though as stated, organize sites to keep them manageable and familiar.

Finally, keep your WordPress site up to date and keep backups of your database and wp-content directory. Make sure your plugins and themes are up to date and keep the backups of your site on local storage. Backups kept among site files are a potential security risk, so hold those backups offline.

Above all else, Know Your Sites. Know what directories and files belong, keep important sites separate and secure, and make backups. Keep WordPress up to date and remove files or entire sites that you don’t need. Know Your Sites is a simple step that will help keep your online presence secure.

If you think that your website may be compromised, give SiteLock a call at 855.378.6200 to learn about your options.