Skip to content

Practical Guide to Securing Your WordPress Multisite Network

Alejandro Frades
Consejos de seguridad para administradores de multisitios de WordPress
Managing a WordPress multisite network is like being the janitor of an apartment building: a problem on any floor affects the entire building. Only here we’re talking about websites, and the consequences can be much more serious.

Why Multisite Security Requires a Different Approach

With several sites sharing the same WordPress installation, any vulnerability is multiplied. An outdated plugin on the Marketing site can also compromise Sales, Support and HR. That digital domino effect is every administrator’s biggest fear.

Tip 1: Be Stingy with Super-Administrator Permissions

The super-administrator role is like holding the master keys to the building: it can install plugins, activate themes and change settings that affect the entire network. Limit it to no more than two or three absolutely trusted people.

How to apply it: From Dashboard → Network Admin, review the user list and downgrade unnecessary roles. If someone only needs to manage a specific site, assign them the Administrator role on that site only.

Tip 2: Enforce Two-Factor Authentication

Passwords, no matter how strong, are just one barrier. 2FA adds a second lock: even if someone gets the first key, they’ll still need the second.

How to apply it: Install a plugin like WP 2FA or miniOrange 2FA. Enable it and tick “Required for administrators and super-administrators.” Users will be prompted to set up their second factor the next time they log in.

Tip 3: Automate Critical Updates

Trying to keep 50 sites up to date by hand is a recipe for forgetfulness—and that forgotten site is exactly what attackers will find.

How to apply it: Add to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

For critical plugins, use WP-CLI and schedule a cron job that runs:

wp plugin update --all

every Sunday at dawn.

Check out this list of the best WordPress security plugins to choose reliable options.

Tip 4: Practice Digital Hygiene

Unused plugins and themes are like abandoned rooms: nobody watches them, yet they remain entry points.

How to apply it: Spend an hour each month reviewing your plugins and themes list. If something hasn’t been used on any site in three months, delete it (don’t just disable it).

Tip 5: Block Brute-Force Attacks

WordPress allows unlimited login attempts by default, inviting bots to guess passwords.

How to apply it: Install Limit Login Attempts Reloaded and configure:

  • 3 allowed attempts
  • 20-minute lockout after 3 failures
  • 24-hour lockout after 3 consecutive lockouts

Add your office IP to the whitelist to avoid locking yourself out.

Tip 6: Set Up Smart Automatic Backups

In multisite, a backup is your insurance policy against chaos.

How to apply it: With UpdraftPlus or BackWPup schedule daily backups and send them to Google Drive, Dropbox or Amazon S3. Never keep backups only on the same server.

Extra tip: Perform a test restore every quarter; an untested backup is just a hope.

Tip 7: Monitor Without Becoming Paranoid

You need visibility, but you don’t want to spy on every click.

How to apply it: With WP Activity Log, log only critical events: plugin installs/removals, user changes, failed logins, modifications to critical files. Review the logs weekly and look for unusual patterns.

Tip 8: Force HTTPS Across the Network

In 2025, not using HTTPS is like mailing letters without an envelope.

How to apply it: If your host doesn’t include automatic SSL certificates, install Really Simple SSL to redirect all HTTP traffic to HTTPS and fix mixed-content issues.

Tip 9: Disable XML-RPC Unless You Need It

XML-RPC is a back door WordPress keeps open for mobile apps and external services. If you’re not actively using it, close it.

How to apply it:

  • Install Disable XML-RPC API  or
  • Add to .htaccess: 
    <Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>

If you need XML-RPC for a specific integration, use a plugin that restricts only the functions you actually need.

The Reality of Managing Multiple Sites

Applying all these tips manually on 10, 20 or 50 sites can turn into a full-time job. For large networks, tools like Modular DS let you apply bulk updates, monitor security and manage automatic backups from a centralized panel. They’re not essential, but they can cut two days of work down to two hours.

Conclusion: Practical, Sustainable Security

Securing a WordPress multisite network isn’t about implementing every measure possible, but about applying the right ones consistently. These tips give you a solid foundation you can maintain long term without losing your mind.

Remember: security is an ongoing process; a site that’s well protected today can be vulnerable tomorrow if you drop your guard.

Autor
Alejandro Frades
Marketing Specialist
The mind behind Modular DS' social content. Always on top of the latest trends to leverage them and make the digital world more engaging and enjoyable.
LinkedIn

Stay in the loop

Be the first to hear about new features, product updates, and everything we’re building at Modular DS.

    Artículos relacionados