One of the worst things about flu season is the inevitability that you’re going to get sick. You might work in an office environment where coworkers come in with runny noses.
Or maybe you take the bus to a co-work space where other commuters cough and touch the same railing you’re holding onto. Or perhaps you work from the “safety” of your home where your kids are likely to share some nasty germ they picked up at school with you.
No matter where you go or who you’re surrounded by, sometimes it feels like nowhere is safe. But that’s what happens when you work and live in close proximity to others. If one person is infected, it’s only a matter of time before it spreads.
And that’s exactly how cross-site contaminations happen.
Security is obviously a major concern for everyone who comes into contact with a website, be that the owner of the site, the person shopping on it, or the developer who built it. That’s because there seems to be danger at every turn.
But let’s say you decide to make the economical and efficient decision to put multiple websites on a single network (whether that’s from using WordPress Multisite or simply running them from the same hosting account). An insecurity within just one of those websites could put the entire network in danger.
Abiding by WordPress security best practices is a good place to start, but it might not be enough. If you’re running a network of WordPress sites all from one place, then this post is for you.
I’m going to briefly cover who these cross-site contamination concerns pertain to and then give you a special checklist of tips to use when running a network of websites.
Let’s face it: hackers are needing to get more creative about how they crack into websites these days. WordPress may be an easy target because of its popularity, but it’s not an easy platform to break into if the people who build and manage websites abide by security best practices.
Of course, that logic starts to waver a bit when the number of websites on your network increases.
Here are some of ways in which you might consolidate your web properties, unintentionally putting them at risk for cross-site contamination:
You’ve created a multi-site network within WordPress. While it’s a great feature for web developers who want to easily manage a network of sites all from one WordPress installation, this also means that one bad apple could easily poison the whole batch. In essence, with all these shared resources, files, plugins, logins, and so on stored in the same place, this increases the risk that one website harmed could lead to all sites on the network being compromised.
The same goes for websites that share a hosting account (not necessarily those on shared hosting; just those that share one account). All it takes is one website that’s not properly secured (through a bad plugin or a weak password) and hackers can wreak havoc through the entire network of sites.
There are a number of parties who could potentially be affected by this:
Web developers who sell hosting either as a full-time or side gig may find this to be a lucrative way to make extra money with WordPress. That said, if you don’t accurately configure your hosting platform, you could put all your clients’ sites at risk in the process.
Again, all it takes is one infected site for all the others to be compromised. According to Sucuri, the biggest culprits of cross-site contaminations come from:
I can’t stress this enough: all it takes is one website to get infected to take down your entire network. Imagine how devastating that would be to your business. You assured clients that you’d take care of their website and you honestly believed that everything would be okay. But you left a seemingly harmless staging site unattended or you trusted that your hosting clients would properly secure their individual sites… and something went wrong. So, now what?
Well, you need to not wait until the “now”. You need to take action now to properly secure your network of WordPress sites from cross-site contaminations.
Obviously, this checklist is not meant to replace the WordPress security checklist you already work off of. Those tips hold true whether you’re running one WordPress site or an entire network.
The following checklist, however, should be added to that list if you intend on managing a network of websites.
The whole point in bringing together various websites into a single shared hosting account or WordPress Multisite is so you can more conveniently and effectively manage them all at once. Nevertheless, those websites are still unique web properties that need to be treated as such.
So, rather than assume that the security procedures used by your hosting provider are enough, use a security scanning plugin for every single one of your WordPress sites.
Defender, of course, does a great job of regularly scanning your site, enforcing stringent security practices, and documenting all activity, so I’d suggest starting there.
You know that when you sign up with a trusted hosting source they usually tout the secure firewall placed on their servers to keep intruders out. However, if you’re running your WordPress sites from the same hosting account, that means your network is secured by only one firewall and that there is no separate barrier standing between each of your sites.
Since this is why cross-contaminations happen, it’s important to add a firewall to every website.
Sucuri Firewall has a number of plans you can choose from based on what you need the firewall for and how many websites you intend on applying it to. You can then use their plugin to add it to each of your network’s sites.
If your network vulnerability stems from using WordPress Multisite, then the best thing you can do is get a reliable Multisite management plugin like Pro Sites. This way, you know you’ll have more control over what your clients do with their websites while you get to use a plugin you know is safe and secure, too.
Of course, don’t forget about comment spam. It’s one of the reasons why many blogs decide to turn comments off completely. When you’re running a large network of sites—especially when you have little to no control over blog content or the comments popping up on it—you’ll want the Anti-Splog plugin to keep your sites safe from spam and other harmful injections.
The larger your network of sites grows, the easier it becomes to lose track of them. That’s why you should schedule time—ideally, at least once a month or quarter—to review your hosting or Multisite account.
By keeping your server clear of old domains, you’ll cut down on the possibility that hackers stumble upon them and take advantage of the perfect breeding ground of unmonitored activity, un-updated core and plugins, and so on.
If you’re bringing websites together into the same WordPress installation or hosting account, you’re hopefully using the same set of reliable plugins and themes for them as well.
While WordPress Multisite simplifies the process of keeping “shared” plugins and themes updated across all sites, it’s still important to regularly review each third-party integration. You never know when a developer has decided to stop supporting them, a plugin has been flagged by WordPress, or a new security flaw is introduced into one of them.
Sucuri refers to this term “functional isolation” often when discussing the dangers of cross-site contaminations. Essentially, this is the process by which you create a well-organized server environment for your websites. It doesn’t matter if we’re talking about WordPress Multisite or a shared hosting account. To keep sites safe, you need to be smart about configuring your network.
Sucuri advises that you separate your server and network based on the following:
Technology: If you build websites using platforms other than WordPress, then you should have separate accounts for WordPress sites, Drupal sites, Joomla sites, etc.
Function: This refers to type of hosting. So, if you’re in the business of selling web hosting, you may also be providing clients with email hosting. Never mix and match hosting functions. These need to remain separate.
Stage: While you may be inclined to put your websites in development and testing phases on the same account as those that are live, don’t do it. It’s much safer if you keep them separate, especially if you’re not good about remembering to delete the old dev or staging sites once you’re done. Better yet, just use separate testing and staging environment tools for that part of your process so you can avoid this problem altogether.
Ultimately, the security of your websites comes down to how well you secure each and every one of them. However, if you’re not starting with a trusted host that provides you with secure and properly configured servers, then you may still run into trouble in the long run.
That said, Sucuri doesn’t believe web hosts are generally the problem when it comes to most cross-site contaminations. According to them, “In these configurations, the attacks we’re seeing are not those that are moving laterally between accounts on the shared host, but rather those that are moving laterally within the same account.” This most commonly happens by not following best practices to secure each site and keeping users contained to their respective sites.
Of course, if you’re still worried about cross-site contaminations in your network, you can always host each website separately using something more secure and isolated like VPS or dedicated server hosting. While that defeats the purpose of creating a multi-site network, it does avoid the potential for cross-website contamination.
All it takes is one bad apple to ruin it for the rest—and sometimes it’s hard to see that rotten apple when you have too many others to keep an eye on.
That’s why every website in your network needs to be protected. If you don’t care enough about that website to protect it, then it does not belong in WordPress Multisite or sharing space on a hosting account with your other websites. It’s as simple as that. Abide by the tips above and you’ll be able to harden your network’s security enough to where you won’t have to worry about cross-site contaminations anymore.