Building WordPress plugins that work flawlessly across multisite networks can feel like navigating a labyrinth. The difference between site-specific and network-wide functionality, managing options per site versus network-wide, and understanding the nuances of plugin activation—these are critical considerations that separate production-ready plugins from those that stumble in multisite environments.
WordPress multisite plugin compatibility isn't just about making code work; it's about architecting solutions that respect the unique topology of multisite networks while maintaining security and performance standards. Whether you're developing for enterprise WordPress installations managing hundreds of sites or smaller educational networks, understanding multisite mechanics is essential.
Table of Contents
- Understanding WordPress Multisite Architecture
- Detecting and Handling Multisite Environments
- Network Activation vs Site Activation
- Managing Site-Specific and Network-Wide Options
- Common Multisite Plugin Pitfalls
- Best Practices for Multisite Compatibility
- Testing Your Plugin Across Multisite Networks
- Frequently Asked Questions
Understanding WordPress Multisite Architecture
WordPress multisite fundamentally changes how your plugin behaves in the system. Instead of a single WordPress installation, you're now working with multiple sites sharing the same codebase but maintaining separate content databases. This architecture introduces concepts that single-site plugins never encounter: network administrators, site administrators, shared tables, and site-specific tables.
When you install WordPress multisite, WordPress creates a network of sites that all share the same core WordPress files. However, each site has its own set of posts, pages, users (with roles), and options. Some tables remain shared across the network, while others are duplicated for each site. This distinction is crucial for plugin development because your code needs to understand which tables it's querying and whether an option should be stored globally or per-site.
The complexity comes from the fact that "users" and "options" behave differently in multisite. A user can be a member of multiple sites with different roles on each site. An option can be stored network-wide (affecting all sites) or site-specific (affecting only the current site). Your plugin must make conscious decisions about which approach to use for each piece of data. Store network settings network-wide, site settings site-specifically, and your plugin will be coherent and maintainable.
The multisite topology introduces a hierarchical permission structure. A Super Admin has control over the entire network, while site administrators control individual sites. Your plugin must respect these permission boundaries. A plugin setting that makes sense network-wide—like API credentials or license keys—should never be configurable by individual site admins, and vice versa. This respect for the permission hierarchy builds trust with network admins and makes your plugin enterprise-ready.
Multisite introduces new challenges for plugin developers, but it also opens opportunities. Plugins that work seamlessly in multisite environments have access to a large market of enterprise WordPress users. Educational institutions, SaaS platforms, and large organizations all rely on WordPress multisite.
Detecting and Handling Multisite Environments
The foundation of multisite compatibility is the is_multisite() function. This simple conditional check tells you whether the current WordPress installation is running multisite mode. It's one of the most important functions you'll use when building multisite-aware plugins.
if ( is_multisite() ) {
// This is a multisite network
// Handle multisite-specific logic
} else {
// This is a single-site installation
// Handle single-site logic
}
However, simply knowing whether you're in multisite mode isn't enough. You often need context about which site is currently active, especially when your plugin performs background tasks or processes data across multiple sites. The get_current_blog_id() function retrieves the ID of the currently active site in the network.
$current_site_id = get_current_blog_id();
echo "Currently processing site ID: " . intval( $current_site_id );
The most powerful function for multisite navigation is switch_to_blog(). This function temporarily switches the WordPress context to a different site within the network. When you switch to a blog, all subsequent calls to get options, posts, and other site-specific data will reference that site instead of the current site. When you're finished, always call restore_current_blog() to return to the original site context.
// Store the current blog ID
$original_blog_id = get_current_blog_id();
// Switch to site ID 3
switch_to_blog( 3 );
// This gets options from site ID 3
$site_3_option = get_option( 'my_plugin_setting' );
// Process data for site 3
update_option( 'my_plugin_processed_date', current_time( 'mysql' ) );
// Always restore
restore_current_blog();
// Now we're back to the original site
$original_option = get_option( 'my_plugin_setting' );
This pattern is essential when you need to process data across multiple sites. For example, if your plugin generates reports or aggregates data from all sites, you'd loop through site IDs and switch context for each one. WP HealthKit uses similar patterns when scanning plugins across an entire network—switching context ensures security audits are site-specific and accurate.
Network Activation vs Site Activation
When a plugin is activated in a multisite network, you can activate it in two ways: for an individual site or network-wide. This distinction dramatically affects how your plugin's activation hooks fire and where your initial data should be stored.
Network Activation happens when a Super Admin activates a plugin for the entire network. The activate_plugin() function or the network admin plugins page triggers the network_activate_plugin hook, not the regular activate_PLUGIN hook. You should create your plugin with a network activation hook:
register_activation_hook( __FILE__, 'my_plugin_network_activate' );
function my_plugin_network_activate( $network_wide ) {
if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
require_once ABSPATH . '/wp-admin/includes/plugin.php';
}
if ( $network_wide ) {
// Create network-wide options
add_site_option( 'my_plugin_license_key', '' );
add_site_option( 'my_plugin_api_endpoint', 'https://api.example.com' );
// If you need to set up data on every site
global $wpdb;
$blog_ids = $wpdb->get_col( "SELECT blog_id FROM $wpdb->blogs" );
foreach ( $blog_ids as $blog_id ) {
switch_to_blog( $blog_id );
// Initialize per-site tables or options
add_option( 'my_plugin_site_initialized', current_time( 'mysql' ) );
restore_current_blog();
}
} else {
// Single site activation
add_option( 'my_plugin_site_initialized', current_time( 'mysql' ) );
}
}
Site Activation happens when an individual site admin activates a plugin for just their site. The $network_wide parameter passed to your activation hook indicates whether activation is network-wide. When false, you should only initialize site-specific options and tables.
The $network_wide parameter is crucial for handling both scenarios gracefully:
register_activation_hook( __FILE__, 'my_plugin_activate' );
function my_plugin_activate( $network_wide ) {
if ( true === $network_wide ) {
// Handle network-wide activation
} else {
// Handle single-site activation
}
}
Managing Site-Specific and Network-Wide Options
This is where many developers struggle with multisite. WordPress provides two option functions for multisite: get_option() / update_option() for site-specific data, and get_site_option() / update_site_option() for network-wide data.
Site-specific options are stored in each site's wp_options table (or wp_X_options where X is the site ID for additional sites). They're only accessible within that site's context:
// These only affect the current site
update_option( 'my_plugin_color_scheme', 'dark' );
$color = get_option( 'my_plugin_color_scheme' ); // Returns 'dark'
Network-wide options are stored in the main site's wp_sitemeta table and are accessible across the entire network:
// These affect the entire network
update_site_option( 'my_plugin_license_key', 'ABC123XYZ' );
$license = get_site_option( 'my_plugin_license_key' ); // Same value on all sites
A common mistake is using site options for settings that should be network-wide or vice versa. If you have a license key or API endpoint that applies to the entire network, use get_site_option(). If individual sites should be able to customize their experience, use get_option().
Here's a practical pattern that handles both:
function my_plugin_get_api_endpoint() {
// Check for network-wide setting first
if ( is_multisite() ) {
$endpoint = get_site_option( 'my_plugin_api_endpoint' );
if ( ! empty( $endpoint ) ) {
return $endpoint;
}
}
// Fall back to site-specific setting
return get_option( 'my_plugin_api_endpoint', 'https://api.example.com' );
}
Common Multisite Plugin Pitfalls
Forgetting to check is_multisite() before switch_to_blog(): This causes fatal errors in single-site installations. Always guard multisite functions:
if ( is_multisite() ) {
switch_to_blog( 5 );
// ... do work
restore_current_blog();
}
Not restoring blog context: If you forget restore_current_blog(), all subsequent code runs in the switched context. This is particularly dangerous in hooks:
// Bad: blog context not restored
add_action( 'wp_footer', function() {
switch_to_blog( 2 );
echo get_option( 'blogname' );
// Missing restore_current_blog()!
} );
// Good: always restore
add_action( 'wp_footer', function() {
if ( is_multisite() ) {
$original_blog_id = get_current_blog_id();
switch_to_blog( 2 );
echo get_option( 'blogname' );
switch_to_blog( $original_blog_id );
}
} );
Using site options when site-specific options are needed: If you store everything network-wide, individual site admins can't customize settings. Conversely, storing everything site-specific means duplicating configuration across dozens of sites. Think carefully about the scope of each setting.
Not handling the wp_initialize_site hook: When new sites are added to the network, you should initialize your plugin's data. This hook fires whenever a site is created:
add_action( 'wp_initialize_site', function( $site, $args ) {
switch_to_blog( $site->id );
// Initialize plugin tables, options, etc.
add_option( 'my_plugin_site_setup_date', current_time( 'mysql' ) );
restore_current_blog();
}, 10, 2 );
Ignoring permission checks: Super Admins and site admins have different capabilities. Always verify permissions before allowing modifications. WP HealthKit audits plugins for these permission checks—plugins that allow unauthorized modifications are major security risks.
// Always check capabilities
if ( ! current_user_can( 'manage_network' ) ) {
wp_die( 'Unauthorized' );
}
// Or for site-specific actions
if ( ! current_user_can( 'manage_options' ) ) {
wp_die( 'Unauthorized' );
}
Best Practices for Multisite Compatibility
1. Use Meaningful Database Prefixes: When storing tables specific to your plugin, use a clear naming convention that indicates whether they're site-specific or network-wide.
global $wpdb;
// Site-specific table
$table_name = $wpdb->get_blog_prefix() . 'my_plugin_logs';
// Network-wide table
$network_table = $wpdb->prefix . 'my_plugin_network_config';
2. Document Your Multisite Behavior: In your plugin's README.md, clearly state whether your plugin supports multisite, what settings are network-wide vs site-specific, and any special activation considerations.
3. Implement Proper Capability Checks: Different administrators should have different permissions. Always use the appropriate current_user_can() check for the context.
4. Test With Actual Multisite: You can't fully verify multisite compatibility without actually running WordPress in multisite mode. Set up a local WordPress multisite installation and test thoroughly.
5. Use WP HealthKit for Security Audits: Security vulnerabilities in multisite plugins are especially dangerous because they can affect the entire network. Use WP HealthKit to scan your plugin for common security issues before publishing.
Testing Your Plugin Across Multisite Networks
Setting up a local multisite environment is straightforward. Enable multisite in your wp-config.php:
/* Multisite */
define( 'WP_ALLOW_MULTISITE', true );
Then navigate to Tools > Network Setup in your WordPress admin. After setup, WordPress adds additional code to wp-config.php and creates .htaccess rules for your network.
Once you have multisite enabled, test these scenarios:
- Network activation: Activate your plugin network-wide and verify all sites have correct options initialized
- Single-site activation: Activate on one site, verify it doesn't affect others
- Site creation: Add a new site and verify your plugin initializes properly
- Data isolation: Change settings on one site and verify other sites aren't affected
- Permission boundaries: Verify site admins can't access network settings and vice versa
Throughout testing, use WP HealthKit to audit your plugin. It scans for multisite-specific security issues like improper capability checks and database query problems.
Broader Context and Best Practices
Step-by-step tutorials for WordPress plugin development serve a critical role in the ecosystem by bridging the gap between documentation and practical implementation. WordPress.org documentation explains what functions are available, but tutorials show how to combine them into working solutions. This practical knowledge is especially valuable for patterns that span multiple WordPress subsystems, such as building a custom REST API endpoint that validates input, checks permissions, queries the database, and returns properly formatted responses. Each step involves different WordPress APIs that must work together correctly.
The most effective WordPress development tutorials teach not just the how but the why behind each decision. Understanding why WordPress uses nonces instead of simpler tokens, why capability checks should test specific capabilities rather than roles, or why prepared statements matter more than escaping for SQL queries gives developers the foundation to make good decisions when they encounter situations that tutorials haven't covered. This deeper understanding is what separates developers who can follow instructions from developers who can architect secure, maintainable solutions.
Testing and validation are often the most overlooked aspects of WordPress plugin tutorials, yet they are arguably the most important. A tutorial that shows how to build a feature without showing how to verify it works correctly and handles edge cases teaches only half the lesson. Modern WordPress development tutorials should include PHPUnit test examples, WP-CLI test commands, and browser testing strategies alongside the implementation code. This testing-first mindset helps developers build confidence in their code and catch regressions before they reach production.
The WordPress developer community's shift toward more professional development practices has elevated the expectations for plugin quality significantly. Practices like dependency management with Composer, automated testing with PHPUnit, continuous integration with GitHub Actions, and static analysis with PHPStan were once considered optional extras. They are now expected baseline practices for serious plugin development. Understanding these tools and how they integrate into the WordPress development workflow is essential knowledge for any developer building plugins that others will rely on.
Frequently Asked Questions
What's the difference between get_option() and get_site_option()?
get_option() retrieves values from the current site's options. get_site_option() retrieves values from the network's sitemeta table. Use get_option() for site-specific settings and get_site_option() for network-wide settings that apply to all sites.
Can I use switch_to_blog() in single-site WordPress?
No, switch_to_blog() is a multisite-only function and will cause fatal errors in single-site installations. Always wrap it with is_multisite() first.
How do I determine if a plugin is activated network-wide?
Use is_plugin_active_for_network( $plugin_file ) to check if a plugin is network-activated. Compare this with is_plugin_active( $plugin_file ) for single-site activation.
What's the best way to store API credentials in multisite?
Store API credentials as network options using update_site_option(), as they typically apply to the entire network. Only use site-specific options if different sites need different credentials.
How do I handle plugin deletion in multisite?
Register a deactivation hook that cleans up both network-wide and site-specific data. If you have per-site tables, loop through all blogs using switch_to_blog() and delete each site's data.
Should my admin menu appear in the network admin or site admin?
This depends on your use case. Network settings belong in /network/admin.php pages, site settings in regular admin pages. Some plugins need both—network configuration and site-specific options.
Conclusion
WordPress multisite plugin compatibility requires thoughtful architecture and careful attention to detail. Understanding the distinction between network-wide and site-specific data, properly managing blog context switching, and implementing robust capability checks are non-negotiable requirements for production-ready multisite plugins.
The complexity of multisite development means security is paramount. Before deploying to production, use WP HealthKit to audit your plugin for security vulnerabilities, improper capability checks, and data validation issues. Upload your plugin to WP HealthKit to get a comprehensive security audit that covers multisite-specific vulnerabilities.
For deeper technical guidance, refer to the WordPress Multisite documentation and the WordPress Plugin Handbook, and explore WP HealthKit's ecosystem of plugin security resources. You might also be interested in our guide on WordPress Options API Security for managing option autoloading across sites.