How to secure WordPress

Don’t host multiple WordPress installations under one hosting account.

Today I am going to talk about clients hosting multiple WordPress installations under one hosting account.

We have many clients who are developers, and they have a habit of create sub-domains and develop new sites on them.  There is nothing wrong with doing this, providing they move the sites to its own hosting account once development has been completed.  I will list a few reason why it is not a good idea to host multiple WordPress under sub-domains or even addon domains:

  1. Firstly, we see many WordPress installations getting exploited on a daily basis.  This can be due to insecure theme and plugins.  The more plugins are installed, the more chances it will be exploited.  If multiple WordPress are installed under one hosting account, it will mean if only one of those installations has been exploited, the hacker have access to all the installations.  So now the threat of being exploited is multiplied by the number of plugins, plus all the installations.  Even if all installations use the same theme and plugins, it will mean if you forget to update the plugin for just one installation, it can affect all other installations even if they are up to date.
  2. If one of your installation has been exploited, not only mean all your installations are affected, but it will also make it very hard to clean all the files, and to find the point of exploitation.
    For example, the hacker could have gain entry to your site through domain1.com, but put all the exploit files on domain2.com, making it seem they have gained entry through domain2.com.  They can also put backdoors on other installations, and only activate them at a late date.
  3. A lot of times when a site has been exploited, the only thing that can be done will be to delete it and reinstall it from scratch, and import the data from a backup.  If multiple WordPress installations are in one hosting account, it will mean you need to do this for all domains under this hosting account.  The restoration process is already tedious for one domain, imagine having have to do this for all domains under this one hosting account.
  4. Very often when restoring from backups, you will lose data for time between the last backup, and the restoration time.  This will be made worse when you have to lose data for multiple websites.
  5. Similarly, if the hacker has access to one site on this hosting account, it will also mean it will have access to all the data in all the domains.  Depending how sensitive your data are, this can do a lot of damage.
  6. If you have multiple WordPress installations as addon, this can also mean that you set up email accounts for them under the same hosting account.  If  just one of your WordPress has been exploited, it will mean the hacker will have access to emails for ALL the domains.  Yes, this is bad, as they can use this to do social engineering to further hack your domains and businesses.

As you can see, there are many disadvantages when trying turn multiple sites under one hosting account.  We recommend that sub-domains and addon domains should only be used during development, and move to their own hosting account once live.  Don’t forget to delete all the old development content once the domains have been moved.