Table of Contents
- Introduction: Multisite Security Challenges
- Understanding WordPress Multisite Architecture
- Network-Level Capabilities and Permissions
- Super Admin Capability Checks
- Cross-Site Security and XSS Protection
- Network Plugin Management
- Site Isolation and Data Protection
- FAQ
Introduction: Multisite Security Challenges
WordPress Multisite networks share infrastructure but isolate sites. This hybrid architecture creates unique security challenges:
- Shared database: Site data mixes in same database, requiring careful isolation
- Network-wide code: Plugins and themes affect all sites, making single bad plugin dangerous
- Cross-site attacks: Compromised site can attack others through shared infrastructure
- Permission complexity: Network admins, super admins, and site admins have different capabilities
Many plugin developers ignore multisite security, assuming single-site deployments. This mistake creates vulnerabilities for Multisite users. WordPress multisite security requires understanding how permission systems work across networks and building plugin features that respect site boundaries.
This guide explores building multisite-aware plugins that respect site isolation, implement proper capability checks, and protect network integrity while maintaining security.
Understanding WordPress Multisite Architecture
Multisite shares WordPress core but isolates site data. Understanding how multisite structures data is fundamental to security. WordPress Multisite enables running multiple WordPress sites from a single WordPress installation. One copy of WordPress core serves multiple sites, reducing server resources and simplifying updates. Each site has its own posts, users, settings, and content while sharing plugins and themes. This architecture creates both efficiency and complexity.
The shared infrastructure means security vulnerabilities in one place can affect all sites. A compromised plugin affects all sites it's activated on. Exposed options affect all users who can access that option. Insecure queries might return data from multiple sites. These risks are why Multisite security requires explicit attention to site isolation and proper permission checks. Single-site plugin development creates security gaps in Multisite environments if not carefully considered.
Database Structure
Single-site WordPress:
- wp_posts table contains all posts
- wp_users table contains all users
- wp_usermeta contains all user meta
Multisite:
- Site 1: wp_1_posts, wp_1_postmeta, wp_1_users, wp_1_usermeta
- Site 2: wp_2_posts, wp_2_postmeta, wp_2_users, wp_2_usermeta
- Network: wp_blogs, wp_users (shared), wp_usermeta (shared with prefix)
Each site gets its own table prefix:
// Get table for specific site
function get_site_table($site_id, $table) {
global $wpdb;
if ($site_id === get_current_blog_id()) {
return $wpdb->{$table}; // Current site table
}
// Different site's table
$prefix = $wpdb->base_prefix . $site_id . '_';
return $prefix . substr($table, strlen($wpdb->prefix));
}
// Example
$site_2_posts_table = get_site_table(2, 'posts');
// Returns: wp_2_posts
Users and user meta are network-wide but prefixed by site:
// User meta prefixed by site
add_user_meta($user_id, 'capabilities_' . $blog_id, [...]);
// Accessing in specific site context
$current_user = wp_get_current_user();
$caps_for_site_2 = $current_user->get('wp_2_capabilities');
Switching Contexts
Working with other sites requires context switching. When you need to access data from another site, you must switch to that site's context, execute queries, and restore the original context. This switching changes which site's data you access and what options and user meta you retrieve. Forgetting to restore context is one of the most common Multisite bugs.
Context switching is necessary but dangerous. If you switch sites and then an error occurs before restoring context, your plugin continues running in the wrong site's context. This can cause data written to the wrong site, options changed on the wrong site, or actions triggered on the wrong site. Always use try/finally blocks or restoration hooks to ensure context is restored even when errors occur.
The global $wpdb object also changes when you switch contexts. The table names and prefixes change to match the switched site. Custom table references must account for this. The current blog ID changes too, which affects get_current_blog_id() and any code depending on it.
// Work with site 2 data
$original_blog = get_current_blog_id();
switch_to_blog(2);
$posts = get_posts(); // Gets site 2 posts
switch_to_blog($original_blog);
// Shorthand using restore_current_blog()
switch_to_blog(2);
$posts = get_posts();
restore_current_blog();
Forgetting to restore context creates security issues:
// DANGEROUS: Doesn't restore context
function get_all_site_posts() {
for ($site_id = 1; $site_id <= 5; $site_id++) {
switch_to_blog($site_id);
echo get_posts(); // If error thrown, context not restored!
}
}
// SAFE: Restores even on error
function get_all_site_posts_safe() {
for ($site_id = 1; $site_id <= 5; $site_id++) {
switch_to_blog($site_id);
try {
echo get_posts();
} finally {
restore_current_blog();
}
}
}
Network-Level Capabilities and Permissions
WordPress has different admin levels with different capabilities. Proper checks prevent privilege escalation. Understanding the permission hierarchy is critical. Network super admins have site-wide access. Site admins have access only to their site. Regular admins or custom roles have specific permissions. Mixing up these levels creates security vulnerabilities where users access data or perform actions they shouldn't.
The permission system in Multisite is more complex than single-site because you must consider both site-specific and network-wide permissions. A super admin should be able to manage network settings but not arbitrarily access data from specific sites they don't own. A site admin should manage their own site but not other sites. Building these distinctions requires explicit capability checks at every permission boundary.
User Roles in Multisite
// Network-wide super admin
if (is_super_admin()) {
// User is network administrator
// Can manage all sites and network settings
}
// Site-specific admin
if (is_admin()) {
// User is site admin
// Can manage only current site
}
// Current blog admin (different from is_admin)
if (current_user_can('manage_options')) {
// User has manage_options capability for current site
// Could be admin, super admin, or custom role
}
Super Admin Capabilities
// Check for super admin explicitly
function my_plugin_require_super_admin() {
if (!is_super_admin()) {
wp_die('Super admin access required');
}
}
// Super admin can perform network-wide actions
add_action('network_admin_menu', function() {
add_menu_page(
'Network Settings',
'Network Settings',
'manage_network',
'my-network-settings',
'render_network_settings'
);
});
function render_network_settings() {
if (!current_user_can('manage_network')) {
wp_die('Unauthorized');
}
// Render network settings
}
Site-Specific Admin Capabilities
// Check capabilities for specific site
function can_manage_site($site_id, $user_id) {
$user = get_userdata($user_id);
if (!$user) return false;
// Super admin can manage any site
if (is_super_admin($user_id)) {
return true;
}
// Check if user is admin of specific site
$cap_key = 'wp_' . $site_id . '_capabilities';
$capabilities = $user->get($cap_key);
return isset($capabilities['manage_options']);
}
// Example
if (can_manage_site(2, $user_id)) {
// User can manage site 2
}
Custom Network Capabilities
// Define custom network capabilities
function get_network_caps() {
return [
'manage_network_plugins',
'manage_network_themes',
'manage_network_users',
'manage_network_settings'
];
}
// Grant capability to super admin role
function grant_network_capability($user_id, $capability) {
$user = new WP_User($user_id);
if (!is_super_admin($user_id)) {
return false; // Only super admins
}
$user->add_cap($capability);
return true;
}
// Check custom capability
function my_plugin_can_manage_network_plugins() {
return is_super_admin() && current_user_can('manage_network_plugins');
}
Super Admin Capability Checks
Improper capability checks are multisite's most common security issue. Always validate permissions explicitly. Network admin pages can be accessed by super admins and sometimes delegated admins. If you're not explicit about permission checks, you create privilege escalation vulnerabilities where unauthorized users change critical settings or compromise site integrity.
Capability checks must appear at the start of functions, not buried inside code. Early returns when capabilities fail prevent accidental execution. Nonce checks complement capability checks—they verify the action was initiated by the right user and not through CSRF attacks. Both checks are essential; capability checks alone are insufficient security.
Preventing Privilege Escalation
// VULNERABLE: Assumes user is super admin
function save_network_settings() {
if (!isset($_POST['my_plugin_nonce'])) {
wp_die('Nonce missing');
}
wp_verify_nonce($_POST['my_plugin_nonce'], 'save_network_settings');
// Missing capability check!
update_site_option('my_plugin_setting', $_POST['setting']);
// Any logged-in user could change network settings
}
// SECURE: Explicitly check super admin
function save_network_settings() {
if (!isset($_POST['my_plugin_nonce'])) {
wp_die('Nonce missing');
}
// Check nonce
check_admin_referer('save_network_settings', 'my_plugin_nonce');
// Check capability
if (!is_super_admin()) {
wp_die('Unauthorized', 403);
}
update_site_option('my_plugin_setting', sanitize_text_field($_POST['setting']));
}
Capability Checks in Hooks
// VULNERABLE: Hook fires without checking capabilities
add_action('admin_menu', function() {
if (get_option('my_plugin_show_menu')) {
add_menu_page(
'Settings',
'Settings',
'manage_options',
'my-plugin',
'render_settings'
);
}
});
// SECURE: Render function checks capabilities
function render_settings() {
if (!current_user_can('manage_options')) {
wp_die('Unauthorized');
}
// Render page
}
// Even better: Don't show menu unless user can access it
add_action('admin_menu', function() {
if (current_user_can('manage_options')) {
add_menu_page(
'Settings',
'Settings',
'manage_options',
'my-plugin',
'render_settings'
);
}
});
Network vs Site Admin Checks
// Function callable from network or site admin
function manage_plugin_setting() {
// Network super admin managing network-wide setting
if (is_network_admin() && is_super_admin()) {
return handle_network_setting();
}
// Site admin managing site-specific setting
if (is_admin() && current_user_can('manage_options')) {
return handle_site_setting();
}
wp_die('Unauthorized');
}
// Network-specific
add_action('network_admin_menu', function() {
add_menu_page(
'Network Settings',
'Network Settings',
'manage_network',
'my-network-settings',
'render_network_settings'
);
});
// Site-specific
add_action('admin_menu', function() {
add_menu_page(
'Site Settings',
'Site Settings',
'manage_options',
'my-site-settings',
'render_site_settings'
);
});
Cross-Site Security and XSS Protection
Multisite's shared infrastructure creates cross-site attack vectors. Compromise of one site could affect others. When fetching data from one site to display on another, you're introducing a new attack surface. A compromised site can inject JavaScript, CSS, or HTML that executes in other sites' admin areas. This cross-site contamination violates site isolation principles.
The solution is proper escaping whenever displaying data from one site in another site's context. WordPress escaping functions like wp_kses_post() and wp_kses() remove potentially malicious HTML while preserving legitimate formatting. Whitelisting allowed tags prevents injection while maintaining usability. These practices ensure sites remain isolated even when data moves between them.
Preventing Cross-Site Script Injection
// VULNERABLE: Content from one site displayed on another
function display_cross_site_content($site_id) {
switch_to_blog($site_id);
$content = get_option('site_announcement');
restore_current_blog();
// Site announcement contains JavaScript!
echo $content; // XSS vulnerability
}
// SECURE: Escape output
function display_cross_site_content($site_id) {
switch_to_blog($site_id);
$content = get_option('site_announcement');
restore_current_blog();
// Escape when displaying
echo wp_kses_post($content);
}
// BETTER: Use allowed HTML only
function display_cross_site_content($site_id) {
switch_to_blog($site_id);
$content = get_option('site_announcement');
restore_current_blog();
$allowed_html = [
'strong' => [],
'em' => [],
'p' => ['class' => []],
'a' => ['href' => [], 'title' => []]
];
echo wp_kses($content, $allowed_html);
}
Sanitizing Cross-Site Data
// Data from one site used in another site context
function get_user_from_site($site_id, $user_id) {
switch_to_blog($site_id);
$user_data = get_userdata($user_id);
restore_current_blog();
// User email could come from anywhere
return $user_data->user_email;
}
// Safely use cross-site data
$email = get_user_from_site(2, $user_id);
// Sanitize before use
$email_safe = sanitize_email($email);
// Or use in specific context
wp_mail(
sanitize_email($email),
'Subject',
'Body'
);
Preventing Object Injection
// VULNERABLE: Unserialize data from other sites
function get_site_settings($site_id) {
switch_to_blog($site_id);
$settings = get_option('serialized_settings');
restore_current_blog();
// Object injection if settings contains malicious object
return unserialize($settings);
}
// SECURE: Use safe unserialization
function get_site_settings($site_id) {
switch_to_blog($site_id);
$settings = get_option('serialized_settings');
restore_current_blog();
// WordPress 4.7+
return maybe_unserialize($settings);
}
// BETTER: Store as JSON instead
function get_site_settings($site_id) {
switch_to_blog($site_id);
$settings_json = get_option('settings_json');
restore_current_blog();
return json_decode($settings_json, true);
}
CSRF Protection in Multisite
// Nonces are blog-specific
function save_site_setting() {
check_admin_referer('save_setting', 'nonce');
if (!current_user_can('manage_options')) {
wp_die('Unauthorized');
}
update_option('my_setting', sanitize_text_field($_POST['value']));
}
// When switching sites, regenerate nonce
function cross_site_form() {
switch_to_blog(2);
$nonce = wp_create_nonce('save_setting');
restore_current_blog();
?>
<form method="post">
<?php wp_nonce_field('save_setting', 'nonce'); ?>
<input type="text" name="value" />
<button type="submit">Save</button>
</form>
<?php
}
Network Plugin Management
Network-wide plugins affect all sites. Management requires careful oversight. When a plugin is activated network-wide, all sites run that code immediately. A single vulnerability in a network plugin affects every site on the network. This creates security decisions that super admins must make carefully. What plugins can be installed? Who can install them? Are all plugins reviewed for security?
Network plugin management is where single-site plugin assumptions cause Multisite problems. A plugin that works fine on a single site might leak data between sites on Multisite, or might not handle Multisite permission checks correctly. Plugins that properly support Multisite are safer to activate network-wide. Those that don't should be audited or restricted to single-site activation only.
Network-Only Plugins
// Mark plugin as network-only
/*
Plugin Name: My Network Plugin
Network: true
*/
// Check if running on multisite
if (!is_multisite()) {
wp_die('This plugin requires Multisite');
}
// Prevent single-site activation
add_action('activate_plugin', function($plugin) {
if ($plugin === plugin_basename(__FILE__)) {
if (!is_multisite()) {
wp_die('Network activation required');
}
}
});
Managing Network-Activated Plugins
// Get network-activated plugins
function get_network_active_plugins() {
if (!is_multisite()) {
return [];
}
return get_site_option('active_sitewide_plugins', []);
}
// Check if plugin is network-activated
function is_plugin_network_active($plugin) {
$network_active = get_site_option('active_sitewide_plugins', []);
return isset($network_active[$plugin]);
}
// Prevent plugins from deactivating if network-activated
add_action('network_plugin_deactivation', function($plugin) {
// Log deactivation event
error_log('Network plugin deactivated: ' . $plugin);
});
Site-Specific Plugin Override
// Allow sites to disable network-wide plugin features
function is_feature_enabled_for_site($feature_name, $site_id = null) {
if (!$site_id) {
$site_id = get_current_blog_id();
}
// Check site-specific override
switch_to_blog($site_id);
$site_disabled = get_option('disabled_features_' . $feature_name);
restore_current_blog();
if ($site_disabled) {
return false;
}
// Check network-wide setting
return (bool) get_site_option('enable_' . $feature_name);
}
// Admin UI for site to disable features
add_action('admin_menu', function() {
add_options_page(
'Plugin Features',
'Plugin Features',
'manage_options',
'plugin-features',
'render_feature_settings'
);
});
function render_feature_settings() {
$features = ['advanced_reporting', 'beta_api', 'experimental_ui'];
foreach ($features as $feature) {
$disabled = get_option('disabled_features_' . $feature);
?>
<label>
<input type="checkbox"
name="disabled_features"
value="<?php echo esc_attr($feature); ?>"
<?php checked($disabled); ?> />
Disable <?php echo esc_html($feature); ?>
</label><br />
<?php
}
}
Site Isolation and Data Protection
Multisite must isolate site data to prevent accidental or intentional leaks. Site isolation is the core principle of Multisite security. Each site's data should be completely separate from other sites' data. Queries should never return data from multiple sites. Custom tables should always filter by site ID. User data should be prefixed by site. This discipline prevents data leakage whether malicious or accidental.
Data leakage is often accidental. A developer writes a query that forgets the blog_id filter, or uses a network option when they meant site-specific. These mistakes happen easily if site isolation isn't a constant focus. Test on Multisite environments, audit queries, and review data access patterns to catch these issues before they cause security problems.
Query Site-Specific Data
// Get data only for current site
function get_site_specific_data() {
global $wpdb;
$blog_id = get_current_blog_id();
// Get table prefix for current site
$table = $wpdb->prefix . 'my_custom_table';
return $wpdb->get_results(
"SELECT * FROM $table WHERE blog_id = " . intval($blog_id)
);
}
// Accessing other site's data
function get_data_for_site($site_id) {
global $wpdb;
$prefix = $wpdb->base_prefix . $site_id . '_';
$table = $prefix . 'my_custom_table';
// Always verify user has permission to access site
if (!current_user_can_access_site($site_id)) {
return [];
}
return $wpdb->get_results("SELECT * FROM $table");
}
function current_user_can_access_site($site_id) {
// Super admin can access any site
if (is_super_admin()) {
return true;
}
// Site admin can access own site
$user_id = get_current_user_id();
$user = new WP_User($user_id);
$cap_key = 'wp_' . $site_id . '_capabilities';
return isset($user->{$cap_key}['manage_options']);
}
Prevent Data Leakage
// VULNERABLE: Show all sites' data
function get_all_bookings() {
global $wpdb;
// Returns bookings from all sites!
return $wpdb->get_results(
"SELECT * FROM wp_bookings"
);
}
// SECURE: Site-specific queries
function get_all_bookings() {
global $wpdb;
$blog_id = get_current_blog_id();
return $wpdb->get_results($wpdb->prepare(
"SELECT * FROM {$wpdb->prefix}bookings WHERE blog_id = %d",
$blog_id
));
}
// SECURE: Always include blog_id in custom tables
function create_booking_table() {
global $wpdb;
$charset_collate = $wpdb->get_charset_collate();
$sql = "
CREATE TABLE {$wpdb->prefix}bookings (
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
blog_id INT NOT NULL,
customer_id INT NOT NULL,
booking_date DATETIME NOT NULL,
KEY blog_id (blog_id),
KEY customer_id (customer_id)
) $charset_collate;
";
require_once ABSPATH . 'wp-admin/includes/upgrade.php';
dbDelta($sql);
}
Multisite User Meta Isolation
// User meta is network-wide but can be prefixed by site
function set_user_site_meta($user_id, $meta_key, $meta_value, $site_id = null) {
if (!$site_id) {
$site_id = get_current_blog_id();
}
// Prefix meta with site ID
$prefixed_key = 'site_' . $site_id . '_' . $meta_key;
update_user_meta($user_id, $prefixed_key, $meta_value);
}
function get_user_site_meta($user_id, $meta_key, $site_id = null) {
if (!$site_id) {
$site_id = get_current_blog_id();
}
$prefixed_key = 'site_' . $site_id . '_' . $meta_key;
return get_user_meta($user_id, $prefixed_key, true);
}
// Usage
set_user_site_meta($user_id, 'preferences', ['theme' => 'dark']);
$prefs = get_user_site_meta($user_id, 'preferences');
Best Practices Summary
Building secure Multisite plugins requires discipline across many areas. The following practices, applied consistently, prevent most security issues. They become habits through repetition and code review, eventually becoming automatic parts of your development process.
First, always think in terms of site isolation. Every query, every option, every piece of data you access should be explicitly scoped to the current site unless you have a specific reason to access network-wide data. When you implement a feature, ask: would this feature accidentally leak data between sites? Could a site admin see another site's data? Could a user escalate privileges? These questions guide secure design.
Second, use context switching explicitly and safely. When switching sites, immediately wrap it in error handling. Better yet, refactor code to avoid switching when possible. Design your plugin's architecture so context switching is rare and obvious, not scattered throughout your codebase.
Third, audit all queries for site isolation. Every SQL query that accesses site-specific data should have a blog_id filter. If your plugin uses custom tables, ensure they have a blog_id column and always filter by it. Regular code reviews should specifically look for missing site isolation filters.
Fourth, test on actual Multisite installations. Local Multisite testing catches data leakage issues, permission problems, and context switching bugs that single-site testing misses. Running your plugin on a real Multisite network before releasing is essential quality assurance. Test with multiple sites, multiple users with different roles, and verify data doesn't leak between sites. Simulate real Multisite scenarios where administrators manage multiple sites and super admins manage the network.
Fifth, document Multisite support clearly. If your plugin supports Multisite, document what features work and what don't. Document whether network-wide activation is supported. Document any special configuration needed for Multisite. Users deserve to know what they're getting. A plugin that claims Multisite support but has subtle data leakage issues violates user trust. Better to be honest about limitations than to claim support you haven't fully tested.
Additional Resources
Frequently Asked Questions
Multisite development creates questions about architecture, permissions, and testing. Understanding answers to common questions helps you avoid security pitfalls and build plugins that work reliably in Multisite environments.
How do I test multisite functionality?
Run local Multisite installation:
# Enable multisite in wp-config.php
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'localhost');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);
# Or use Docker for easier setup
docker run -d -p 8080:80 \
-e WORDPRESS_DB_HOST=db \
-e WORDPRESS_DB_NAME=wp \
-e WORDPRESS_MULTISITE=1 \
wordpress
Can single-site plugins work on Multisite?
Yes, but they may leak data between sites. Audit plugins for:
- Queries missing
blog_idfilters - Data stored in network options when site-specific
- User meta not prefixed by site
Should I use get_site_option() or get_option()?
get_option(): Current site onlyget_site_option(): Network-wide (all sites share)
Use carefully—network options are global:
// Site-specific
update_option('site_name', 'Site A'); // Stored with prefix wp_1_
switch_to_blog(2);
update_option('site_name', 'Site B'); // Stored with prefix wp_2_
// Network-wide
update_site_option('network_setting', 'value'); // Shared across all sites
switch_to_blog(2);
get_site_option('network_setting'); // Same value as site 1
How do I handle plugin updates in Multisite?
Updates apply network-wide. Users on all sites get updates simultaneously. Test updates thoroughly in staging Multisite before releasing.
What are common Multisite security mistakes?
- Forgetting to restore blog context after switching
- Querying without blog_id filter in custom tables
- Mixing site and network options
- Checking is_admin() instead of is_network_admin()
- Not checking user permissions for other sites
Does WP HealthKit support Multisite plugins?
WP HealthKit audits Multisite plugins to identify security issues. When you upload a Multisite plugin, WP HealthKit checks for:
- Missing site isolation checks
- Improper capability validation
- Data leakage between sites
- Context switching errors
- Multisite-unsafe queries
Get specific recommendations for making your plugin Multisite-secure.
How do I migrate a single-site plugin to Multisite?
- Add Multisite detection and graceful degradation
- Prefix custom tables with site ID
- Add blog_id to all queries
- Review permission checks for super admin/site admin
- Test on Multisite installation
- Document Multisite support in readme
Conclusion
WordPress Multisite security requires understanding shared infrastructure and site isolation. Multisite shares code but isolates data—plugins must respect this boundary. This distinction is fundamental. WordPress core, plugins, and themes are shared across the network, but data is isolated by site. Building Multisite-aware plugins means respecting this data isolation consistently.
Master capability checks to prevent privilege escalation. Understand super admin vs site admin permissions. Implement proper data isolation in custom tables. Escape cross-site content carefully. Manage network plugins with caution. These practices aren't just security best practices—they're essential for responsible plugin development in Multisite environments where a single vulnerability can impact dozens or thousands of sites.
Multisite powers networks from educational institutions to enterprise deployments running hundreds of sites. Building security-aware plugins ensures networks remain safe. Proper design allows single-site and Multisite installations to coexist, expanding your plugin's market. A plugin that works safely on both architectures reaches more users and builds trust with site owners.
Upload your plugin to WP HealthKit to audit Multisite security. WP HealthKit identifies data isolation issues, improper capability checks, and Multisite incompatibilities. Get specific recommendations for making your plugin safe in Multisite environments. WP HealthKit checks for context switching errors, blog_id filters, and cross-site vulnerabilities to ensure your plugin protects network integrity.
Multisite security is an ongoing practice, not a one-time checklist. New vulnerabilities emerge, best practices evolve, and your understanding deepens over time. Invest in learning Multisite architecture thoroughly. Review other Multisite plugins to see how experienced developers solve these problems. Participate in WordPress security discussions and stay informed about Multisite-specific issues. This knowledge compounds over time, making Multisite development faster and more secure.