This is my guide for setting up a secure multisite WordPress installation. It is mostly a collection of useful links to sites and pages that walk through the different parts.
Step 1: Install the latest version of WordPress
Step 2: Create the network
In the WordPress Codex you’ll find a guide to creating a network in an existing WordPress installation.
After completing the steps in the guide you should have a functioning multisite WordPress installation.
Step 3: Setup Domain Mapping
Typically you’ll want the ability to set up domain mapping for some of the sites in the network. There’s a plugin for that:
A key part is placing sunrise.php in the wp-content folder. This allows the plugin to intercept the typical WordPress start-up logic and serve up mapped domains. See Nacin’s explanation:
Check out wp-includes/ms-settings.php. Sunrise gets included early. If $current_site and $current_blog are set by sunrise, then nearly all of the logic in that file gets skipped.
In there, you’ll find a lot of logic to determine exactly which network and blog you’re trying to reach. The purpose of sunrise is to optionally override all of that. Domain mapping is one such use case, for sure.
From a forum question: Use case for sunrise.php?
Step 4: Securing the Admin with SSL
Honestly, admin over SSL seems to me like an absolute must. Otherwise users logging in from insecure networks send their credentials in the clear. For this step you’ll need to have already set up a secure certificate for the domain of your network. It works best if you either have a wildcard certificate or are using sub-directories instead of sub-domains for the sites in your network.
Step 5: Security
The WP Codex has an article, Hardening WordPress, that has a lot of great ideas and tips. I always do at least the following ones:
- Set up file permissions correctly.
- In Step 4, above, we already set up the admin over SSL.
- Secure wp-includes so that those files cannot be accessed directly through HTTP.
- Block direct access to wp-config.php and set file permissions so that only the owner and the web server can read the file.
- Disable file editing in the WordPress admin.
- Use a non-standard table prefix. No, I’m not telling you what I used!
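The following audit script is an added example, not part of the original guide or of WordPress itself. It checks an installation directory for the Step 4 and Step 5 items above (FORCE_SSL_ADMIN, DISALLOW_FILE_EDIT, a non-default $table_prefix, wp-config.php permissions, and Apache .htaccess rules for wp-config.php and wp-includes); the .htaccess check is a heuristic that only looks for the path names.

```shell
# Added audit script (not from the original guide): check a WordPress tree for
# the Step 4 and Step 5 hardening items. audit_wp returns the number of failed
# checks, so 0 means every item passed.  Usage: audit_wp /path/to/wordpress

# Value of define('NAME', value) in wp-config.php ($1 = file, $2 = constant).
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([^)]*\)).*/\1/p" "$1" \
        | head -n 1 | tr -d " '\";"
}

# Value of $table_prefix in wp-config.php ($1 = file).
wp_table_prefix() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null; }

# Print one PASS/FAIL line per check and return the number of failures.
audit_wp() {
    root=$1; cfg="$root/wp-config.php"; fails=0
    [ -f "$cfg" ] || { echo "FAIL no wp-config.php under $root"; return 1; }
    # Step 4: force the admin and login pages onto SSL.
    if [ "$(wp_define "$cfg" FORCE_SSL_ADMIN)" = true ]; then echo "PASS FORCE_SSL_ADMIN"
    else echo "FAIL FORCE_SSL_ADMIN is not true"; fails=$((fails + 1)); fi
    # Step 5: no theme/plugin file editor in the admin.
    if [ "$(wp_define "$cfg" DISALLOW_FILE_EDIT)" = true ]; then echo "PASS DISALLOW_FILE_EDIT"
    else echo "FAIL DISALLOW_FILE_EDIT is not true"; fails=$((fails + 1)); fi
    # Step 5: non-standard table prefix.
    prefix=$(wp_table_prefix "$cfg")
    if [ -n "$prefix" ] && [ "$prefix" != wp_ ]; then echo "PASS table prefix is $prefix"
    else echo "FAIL table prefix is missing or the default wp_"; fails=$((fails + 1)); fi
    # Step 5: wp-config.php readable only by its owner and, via the group, the web server.
    mode=$(file_mode "$cfg")
    case "$mode" in
        400|440|600|640) echo "PASS wp-config.php mode $mode" ;;
        *) echo "FAIL wp-config.php mode $mode is too open"; fails=$((fails + 1)) ;;
    esac
    # Step 5: .htaccess rules for wp-config.php and wp-includes. Heuristic only:
    # it checks that each path is named in .htaccess, and assumes Apache.
    for needle in wp-config.php wp-includes; do
        if grep -q "$needle" "$root/.htaccess" 2>/dev/null; then echo "PASS .htaccess names $needle"
        else echo "FAIL no .htaccess rule for $needle"; fails=$((fails + 1)); fi
    done
    return $fails
}
```

Run it as `audit_wp /var/www/example` (placeholder path) after each change to the install; a non-zero exit status tells you how many of the listed items still need attention.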
Obviously this is not an exhaustive list of all possible security measures, but it should close the door a little. There are a number of ongoing checks, measures and trip wires you should think about installing. Google can give you a whole bunch of resources to get to the next level.