WordPress Multisite lets you run dozens — or hundreds — of WordPress sites from a single installation. It's efficient, but it creates security challenges that single-site installations don't face.
The fundamental Multisite security problem
In a standard WordPress installation, a vulnerability affects one site. In Multisite, a vulnerability in a shared plugin affects every site on the network.
- One compromised site can be used to attack others on the same network
- Super Admin accounts have god-level access to every site
- All sites share the same
/wp-content/plugins/and/wp-content/themes/directories - A malware infection in shared code spreads instantly to all sites
Risk 1: Cross-site privilege escalation
A user who is an Editor on Site A might find a way to escalate to Administrator — or even Super Admin — through plugin vulnerabilities. In Multisite, that escalation doesn't just affect one site.
Mitigation:
- Audit user roles across all sites regularly
- Remove the
unfiltered_uploadcapability for non-Super Admins - Use WO Security Shield to monitor for new admin accounts created on any network site
Risk 2: Shared plugin vulnerabilities
When you activate a plugin network-wide, every site is exposed to its vulnerabilities. A single SQL injection in a contact form plugin can be exploited across all 50 sites simultaneously.
Mitigation:
- Audit plugins before network activation — review our guide on third-party plugin security risks and test on a single site first
- Keep plugins updated across the network (updates in Multisite apply to all sites)
- Prefer plugins that are actively maintained with a strong security track record
- Run integrity scans after every plugin update
Risk 3: Super Admin account exposure
Super Admins can:
- Install and activate any plugin or theme
- Edit any user on any site
- Access the database through admin tools
- Modify network settings
If a Super Admin account is compromised, the attacker controls every site.
Mitigation:
- Limit the number of Super Admin accounts (ideally 1-2)
- Enforce strong passwords and two-factor authentication on all Super Admin accounts
- Never use "admin" as a Super Admin username
- Monitor Super Admin login activity with WO Security Shield
Risk 4: Upload directory traversal
Each site in a Multisite network has its own upload directory (/wp-content/uploads/sites/[id]/), but they all live under the same filesystem. A file upload vulnerability on one site could be used to write files anywhere in the shared directory tree.
Mitigation:
- Restrict allowed upload file types network-wide
- Disable PHP execution in upload directories:
# In /wp-content/uploads/.htaccess
<Files *.php>
deny from all
</Files>
- Monitor for PHP files appearing in upload directories
Risk 5: Database sharing
All Multisite sites share the same database (with different table prefixes). A SQL injection on one site can potentially read or modify data from any other site on the network.
Mitigation:
- Use parameterised queries in all custom code
- Audit plugins for SQL injection vulnerabilities before deployment
- Monitor database queries for cross-site access patterns
Monitoring a Multisite network with WO Security Shield
WO Security Shield can monitor your entire Multisite network from a single installation:
- Install the plugin on the main site (network-activate it)
- Connect it to your WO Security Shield dashboard
- All network sites are scanned together — shared plugins, themes, and core files are checked once
- Findings show which files are affected and which sites are impacted
The dashboard shows a unified view of your network's security posture — one scan covers all sites.
Multisite is powerful, but it concentrates risk. Every plugin, every user account, and every configuration change affects the entire network. Monitor comprehensively with WO Security Shield.
Multisite-Specific Attack Vectors
WordPress Multisite has unique security risks that don't exist in single-site installations:
1. Cross-Site Contamination
In Multisite, all sites share the same WordPress core files, plugin directory, and theme directory. If one site is compromised through a vulnerable plugin, the attacker has access to files shared by every site on the network.
Standard WordPress:
Site A compromised → Only Site A affected
WordPress Multisite:
Site A compromised → Sites A, B, C, D... all at risk
(because they share /wp-content/plugins/ and /wp-includes/)
2. Super Admin Privilege Escalation
Multisite has an additional admin level — Super Admin — with network-wide powers. If an attacker gains Super Admin access (through any site on the network), they control every site.
Regular admin on one site → can only damage that one site Super Admin → can install plugins network-wide, create/delete sites, modify all themes
Mitigation: Limit the number of Super Admin accounts to the absolute minimum (ideally 1-2). Use strong, unique passwords and enforce 2FA for every Super Admin.
3. Shared Cookie Domain
By default, Multisite uses shared authentication cookies. A session hijacking attack on one subdomain potentially grants access to all subdomains:
site-a.example.com ─┐
site-b.example.com ──┤── Shared authentication cookies
site-c.example.com ─┘
Mitigation: Add cookie security to wp-config.php:
define('COOKIE_DOMAIN', ''); // Don't share cookies across subdomains
define('COOKIEPATH', '/');
define('SITECOOKIEPATH', '/');
define('ADMIN_COOKIE_PATH', '/wp-admin');
4. Database Exposure
All sites in a Multisite network share the same database. Each site gets its own table prefix (wp_2_posts, wp_3_posts, etc.), but a SQL injection on one site can access tables belonging to other sites.
Multisite Hardening Checklist
Network-Level Settings
// In wp-config.php
// Restrict plugin activation to Super Admins only
define('DISALLOW_FILE_MODS', true);
// Force SSL across the entire network
define('FORCE_SSL_ADMIN', true);
// Disable file editing for all sites
define('DISALLOW_FILE_EDIT', true);
Per-Site User Management
| Role | Capability | Risk level |
|---|---|---|
| Super Admin | Full network control | 🔴 Critical — limit to 1-2 people |
| Administrator | Single-site admin | 🟠 High — vet carefully |
| Editor | Content management | 🟡 Medium — standard editorial access |
| Author/Contributor | Content creation | 🟢 Low — limited access |
Plugin Security for Multisite
Not all plugins are Multisite-compatible. Incompatible plugins can:
- Create database tables without the correct prefix (data leaks between sites)
- Store files in shared directories without site-specific paths
- Register global hooks that affect all sites unintentionally
Before network-activating any plugin:
- Check if the plugin explicitly supports Multisite
- Test on a single site first before network-activating
- Review the plugin's database table creation (does it use
$wpdb->prefix?) - Monitor file changes across all sites after activation
Monitoring a Multisite Network
With WO Security Shield, monitoring a Multisite network is streamlined:
- Single installation covers all sites on the network
- Unified dashboard shows security status across all sites
- Per-site findings so you know which site has an issue
- Network-wide file integrity — changes to shared files are reported once, not per-site