The Dangers of Cross-Site Contamination and How to Prevent It

The Dangers of Cross-Site Contamination and How to Prevent It

One of the worst things about flu season is the inevitability that you’re going to get sick. You might work in an office environment where coworkers come in with runny noses.

Or maybe you take the bus to a co-work space where other commuters cough and touch the same railing you’re holding onto.

Or perhaps you work from the “safety” of your home where your kids are likely to share some nasty germ they picked up at school with you.

No matter where you go or who you’re surrounded by, sometimes it feels like nowhere is safe.

But that’s what happens when you work and live in close proximity to others. If one person is infected, it’s only a matter of time before it spreads.

And that’s exactly how cross-site contaminations happen.

Security is obviously a major concern for everyone who comes into contact with a website, be that the owner of the site, the person shopping on it, or the developer who built it.

That’s because there seems to be danger at every turn.

But let’s say you decide to make the economical and efficient decision to put multiple websites on a single network (whether that’s from using WordPress Multisite or simply running them from the same hosting account).

An insecurity within just one of those websites could put the entire network in danger.

Abiding by WordPress security best practices is a good place to start, but it might not be enough. If you’re running a network of WordPress sites all from one place, then this post is for you.

I’m going to briefly cover who these cross-site contamination concerns pertain to and then give you a special checklist of tips to use when running a network of websites.

Security camera with patch

Who Should Be Concerned About Cross-Site Contaminations in WordPress?

Let’s face it: hackers are needing to get more creative about how they crack into websites these days.

WordPress may be an easy target because of its popularity, but it’s not an easy platform to break into if the people who build and manage websites abide by security best practices.

Of course, that logic starts to waver a bit when the number of websites on your network increases.

Here are some of ways in which you might consolidate your web properties, unintentionally putting them at risk for cross-site contamination:

WordPress Multisite

You’ve created a Multisite network within WordPress.

While it’s a great feature for web developers who want to easily manage a network of sites all from one WordPress installation, this also means that one bad apple could easily poison the whole batch.

In essence, with all these shared resources, files, plugins, logins, and so on stored in the same place, this increases the risk that one website harmed could lead to all sites on the network being compromised.

Multi-Domain Hosting Account

The same goes for websites that share a hosting account (not necessarily those on shared hosting; just those that share one account).

All it takes is one website that’s not properly secured (through a bad plugin or a weak password) and hackers can wreak havoc through the entire network of sites.

There are a number of parties who could potentially be affected by this:

  • Agencies that want to manage all their clients’ sites on one hosting account.
  • Developers who want to do the same.
  • Developers who use their hosting account for testing and staging websites.
  • Businesses that have a number of web properties under their main brand umbrella and want to keep them all together.

Re-selling Web Hosting

Web developers who sell hosting either as a full-time or side gig may find this to be a lucrative way to make extra money with WordPress.

That said, if you don’t accurately configure your hosting platform, you could put all your clients’ sites at risk in the process.

I can’t stress this enough: all it takes is one website to get infected to take down your entire network.

Imagine how devastating that would be to your business.

You assured clients that you’d take care of their website and you honestly believed that everything would be okay.

But you left a seemingly harmless staging site unattended or you trusted that your hosting clients would properly secure their individual sites… and something went wrong. So, now what?

Well, you need to not wait until the “now”.

You need to take action now to properly secure your network of WordPress sites from cross-site contaminations.

Checklist: 8 Things You Need to Do to Fend Off Cross-Site Contaminations

Obviously, this checklist is not meant to replace the WordPress security checklist you already work off of. Those tips hold true whether you’re running one WordPress site or an entire network.

The following checklist, however, should be added to that list if you intend on managing a network of websites.

1. Scan Every Site

Cross-Site Contaminations - Defender Security Plugin
The WPMU DEV Defender plugin.

The whole point in bringing together various websites into a single shared hosting account or WordPress Multisite is so you can more conveniently and effectively manage them all at once.

Nevertheless, those websites are still unique web properties that need to be treated as such.

So, rather than assume that the security procedures used by your hosting provider are enough, use a security scanning plugin for every single one of your WordPress sites.

Defender, of course, does a great job of regularly scanning your site, enforcing stringent security practices, and documenting all activity, so I’d suggest starting there.

2. Add Separate Firewalls

Cloudflare can be used to add more protection to your websites
A firewall is needed for each and every site on your network.

You know that when you sign up with a trusted hosting source they usually tout the secure firewall placed on their servers to keep intruders out.

However, if you’re running your WordPress sites from the same hosting account, that means your network is secured by only one firewall and that there is no separate barrier standing between each of your sites.

Since this is why cross-contaminations happen, it’s important to add a firewall to every website. Cloudflare have you covered in this department.

Their web application firewall comes with built-in rulesets, including rules that mitigate WordPress specific threats and vulnerabilities.

Once the WAF is enabled, you can rest easy knowing your site is protected from the latest threats.

3. Use a Trustworthy Multisite Plugin

WP Ultimo is a great plugin for managing multisite

If your network vulnerability stems from using WordPress Multisite, then the best thing you can do is get a reliable Multisite management plugin like WP Ultimo.

This way, you know you’ll have more control over what your clients do with their websites while you get to use a plugin you know is safe and secure, too.

4. Block Multisite Spam

Akismet is a great plugin for fighting spam
Use a plugin like Akismet to fight spam

Of course, don’t forget about comment spam.

It’s one of the reasons why many blogs decide to turn comments off completely.

When you’re running a large network of sites—especially when you have little to no control over blog content or the comments popping up on it—you’ll want the Akismet plugin to keep your sites safe from spam and other harmful injections.

5. Clean Out Old Domains

The larger your network of sites grows, the easier it becomes to lose track of them.

That’s why you should schedule time—ideally, at least once a month or quarter—to review your hosting or Multisite account.

  • Any old or unused domains should be tossed out.
  • The same goes for testing and staging sites. Once the WordPress site goes live, you have no need for those.
  • If you encounter any sites that haven’t been updated in a year’s time, inquire with the site owner to see if it still needs to be hosted.

By keeping your server clear of old domains, you’ll cut down on the possibility that hackers stumble upon them and take advantage of the perfect breeding ground of unmonitored activity, un-updated core and plugins, and so on.

6. Keep Plugins and Themes Updated

Cross-Site Contaminations - Outdated Plugin
Spend a lot of time in the WordPress repository? Then you’ll recognize this.

If you’re bringing websites together into the same WordPress installation or hosting account, you’re hopefully using the same set of reliable plugins and themes for them as well.

While WordPress Multisite simplifies the process of keeping “shared” plugins and themes updated across all sites, it’s still important to regularly review each third-party integration.

You never know when a developer has decided to stop supporting them, a plugin has been flagged by WordPress, or a new security flaw is introduced into one of them.

However, sometimes it can be a hassle to keep up with all of the WP updates, as well as the countless plugins and themes.

That’s when a plugin or a piece of software that automatically updates for you would come in real handy…

For example, WPMU DEV members have the luxury of having Automate on their side, which automatically runs updates and backups for them.

A look at WPMU DEV'S Automate
Automate makes tedious WordPress updates a thing of the past.

7. Properly Configure Server

It doesn’t matter if we’re talking about WordPress Multisite or a shared hosting account. To keep sites safe, you need to be smart about configuring your network.

Here are some simple tips to help you do this:

Create separate accounts for website platforms: If you build websites using platforms other than WordPress, then you should have separate accounts for WordPress sites, Drupal sites, Joomla sites, etc.

Avoid mixing and matching host functions: This refers to type of hosting. So, if you’re in the business of selling web hosting, you may also be providing clients with email hosting. Never mix and match hosting functions. These need to remain separate.

Keep test websites and live websites separate: While you may be inclined to put your websites in development and testing phases on the same account as those that are live, don’t do it.

It’s much safer if you keep them separate, especially if you’re not good about remembering to delete the old dev or staging sites once you’re done.

Better yet, just use separate testing and staging environment tools for that part of your process so you can avoid this problem altogether.

8. Use a Trusted Host

Ultimately, the security of your websites comes down to how well you secure each and every one of them.

However, if you’re not starting with a trusted host that provides you with secure and properly configured servers, then you may still run into trouble in the long run.

This most commonly happens by not following best practices to secure each site and keeping users contained to their respective sites.

Of course, if you’re still worried about cross-site contaminations in your network, you can always host each website separately using something more secure and isolated like VPS or dedicated server hosting.

While that defeats the purpose of creating a multi-site network, it does avoid the potential for cross-website contamination.

Wrapping Up

All it takes is one bad apple to ruin it for the rest—and sometimes it’s hard to see that rotten apple when you have too many others to keep an eye on.

That’s why every website in your network needs to be protected.

If you don’t care enough about that website to protect it, then it does not belong in WordPress Multisite or sharing space on a hosting account with your other websites.

It’s as simple as that. Abide by the tips above and you’ll be able to harden your network’s security enough to where you won’t have to worry about cross-site contaminations anymore.

What do you see as the greatest weakness in WordPress security and what do you do to put a stop to it?

Suzanne Scacca

Suzanne Scacca Suzanne is a former WordPress implementer, trainer, and agency manager who works as a freelance copywriter. Suzanne writes about WordPress, SEO, web design, and marketing. She is Also a creator of website-building and SEO courses on Skillshare. You can follow her on Twitter.

Rick Crawshaw

Rick Crawshaw Rick Crawshaw is a writer at WPMU DEV. Before joining the company and learning the ins and outs of WordPress web development, he worked as a freelance copywriter and marketer. You might also recognize his punny style from our weekly WordPress newsletter The WhiP. Follow Rick on Twitter.