WordPress.org


6Scan Security
Multisite (13 posts)

  1. EllsWeb
    Member
    Posted 1 year ago #

    Is there any update on when this plugin will work with multisite?
    I work with multisite almost exclusively and multisite users are left out of security enhancements like this.
    Great plugin, if I could use it.

    http://wordpress.org/extend/plugins/6scan-protection/

  2. Grace n Ease
    Member
    Posted 1 year ago #

    I agree. When trying to install this plugin, always get the incompatible with multisite message saying it is coming soon, but never hear anything about it.

  3. 6Scan
    Member
    Plugin Author

    Posted 1 year ago #

    Hi all,

    We are very excited to get the plugin working with multisite, but we want to make sure we do it the right way. We're still working on it - we'll make sure to update as soon as it's ready.

    Thanks!

  4. csigncsign
    Member
    Posted 1 year ago #

    any updates concerning multisite??

  5. EllsWeb
    Member
    Posted 1 year ago #

    A plugin like this, with all the knowledge required to take care of security, I'm surprised, especially as long as multisite has been out, that they drag their feet on implementing such compatibility.

    I'm not sure I would want it on my site if it's that hard for them to make it multisite compatible.

    In most configurations, all of the files are accessible from the base site. All other sites use the same files; it's just handled differently with the database. So, it shouldn't really be that hard. Activate on the base site and scan all sites (but the coding checks for multisite and if multisite is found, it just echoes out that it's not multisite compatible). Of course, I don't have a clue what I'm talking about... lol

  6. 6Scan
    Member
    Plugin Author

    Posted 1 year ago #

    Hey ellsweb,

    While I wish it was that simple, adding multisite raises a slew of issues we're battling with. Here are a few example questions we need to answer:

    • Who administers 6Scan, the super administrator or the sites' administrators? In order to comply with some sites' management policies, we might need to actually have two different dashboards, one for each.
    • What happens if a site administrator wants to fix a vulnerability in a plugin that's been installed on all sites by the super administrator? This would entail modifying files for other sites, which they should not be able to do, but we can't apply a fix only for a specific site on such plugins. Conversely, what happens if the super administrator fixes a vulnerability (manually or automatically) but then the site administrator wants to undo that fix?
    • What if a site administrator wants 6Scan to scan their site, but the super administrator does not? We can't scan only a single site, because many of the files are common to all sites. We'd end up getting complaints from the super administrator for scanning his files without his permission -- something we take very seriously.

    So far it seems that no matter which answers we chose, we'd be working against policies of many other users. We're still trying to figure out what's right -- any input we could get from the community on these questions would be much appreciated!

  7. EllsWeb
    Member
    Posted 1 year ago #

    Hi 6Scan,

    Taking points as presented.

    Only Super Administrators can modify plugins. Subsites do not have that functionality. I don't believe there are any configurations of multisite that allow for subsites to have access to files. Attempting to produce a plugin that allows for that, would actually override the functionality of WP Multisite and would create massive security issues no matter how it is applied.

    If a site admin wants to fix a vulnerability in a plugin, they would have to communicate with the Super Admin to accomplish such a task. The Super Admin runs the network. The Super Admin is responsible for such changes and if a fix was something relating to security, and the site admin didn't like it, well... then maybe the site admin might want to consider creating their own network. Can you imagine what would happen at wordpress.com if site admins had the ability to determine which changes were to be made to plugins? I will tell you... They would be reminded that self hosting is an option.

    Last, it seems you are attempting to factor in things that are completely outside the scope of multisite configurations. If you put all your "if's" aside and deal with WP Codex and that alone, that would be a major step in the right direction.

    Why try to put in all of those "if's" into consideration, when we all know they don't apply to WP Multisite?

    Super Admins have that control, nobody else. And nobody else should have that control. If there is a security issue with a setup, your software should handle that at the Super Admin level, not any other level.

    Let the Super Admins administer the network.
    The way it is now, even Super Admins don't have the ability to scan their sites with your software. IF there is a way to do what all of your "if's" suggest as possibilities, then I would understand your argument. But, the reality is, you attempting to create all the roadblocks that do not exist, only makes your job harder.

    If a site admin wants to come to you and ask for a functionality that WP doesn't allow, you can just as easily tell them that isn't possible and that they should talk with their Network Admin regarding such things. And if they don't want to do that, then they can administer their own network.

    Multisite is not that difficult to understand. There is a Network Admin (which is the Super Administrator). The responsibility for the network rests with that administrator. It's that simple. And that's the way WP has set it up. Until they change it, let's just go with their program and work with the new way of doing things "IF" that ever happens.

    [edit]

    You might consider looking at Wordfence and the way they set up their plugin. Their plugin is a network activated plugin. It creates a network admin menu item (nowhere else) and when a scan is done, it is done from the network dashboard, nowhere else.

    That is where your plugin should reside, since all files are scanned from one place and should only be scanned from one place. If code exists on a subsite that was allowed by a site admin, the alert would show up in the scan available to the Network Administrator. And the correction process would then be initiated based upon the Network Administrator's own discretion.
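
The network-only layout described in the post above, sketched as an added example (not part of any post in this thread, and not 6Scan's or Wordfence's code). The plugin name, the `example_scan_*` functions and the choice of the `manage_network_plugins` capability are assumptions; the "scan" is a stand-in that reports plugins site admins have activated on their own sites.

```php
<?php
/**
 * Plugin Name: Example Network Scan Report (hypothetical)
 * Network: true
 */
defined( 'ABSPATH' ) || exit;

// Assumption: gate everything on a capability only super admins hold by default.
const EXAMPLE_SCAN_CAP = 'manage_network_plugins';

// Register on the network dashboard only; the per-site 'admin_menu' hook is
// never used, so subsite admins get no menu item at all.
add_action( 'network_admin_menu', function () {
    add_menu_page( 'Example Scan', 'Example Scan', EXAMPLE_SCAN_CAP,
        'example-scan', 'example_scan_render' );
} );

// Stand-in scan: for each site, list plugins a site admin activated locally
// (anything active on the site that is not network-activated).
function example_scan_collect() {
    $network = array_keys( (array) get_site_option( 'active_sitewide_plugins', array() ) );
    $report  = array();
    foreach ( get_sites( array( 'fields' => 'ids', 'number' => 500 ) ) as $site_id ) {
        $local              = (array) get_blog_option( $site_id, 'active_plugins', array() );
        $report[ $site_id ] = array_values( array_diff( $local, $network ) );
    }
    return $report;
}

function example_scan_render() {
    // Re-check on every request: a hidden menu item is not an access control.
    if ( ! is_multisite() || ! current_user_can( EXAMPLE_SCAN_CAP ) ) {
        wp_die( 'Network administrators only.', '', array( 'response' => 403 ) );
    }
    echo '<div class="wrap"><h1>Example Scan</h1>';
    if ( isset( $_POST['example_scan_run'] ) ) {
        check_admin_referer( 'example_scan_run' ); // reject forged (CSRF) requests
        foreach ( example_scan_collect() as $site_id => $plugins ) {
            $list = $plugins ? implode( ', ', $plugins ) : 'none';
            printf( '<p>Site %d: %s</p>', (int) $site_id, esc_html( $list ) );
        }
    }
    echo '<form method="post">';
    wp_nonce_field( 'example_scan_run' );
    submit_button( 'Run scan', 'primary', 'example_scan_run' );
    echo '</form></div>';
}
```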

  8. Grace n Ease
    Member
    Posted 1 year ago #

    Wow Ellsweb,

    That was pretty comprehensive. You forgot to mention that Site Admins don't have access to upload plugins or themes. And they aren't able to edit any files. They only have access to plugins that are not network activated, according to the way WordPress works. I don't know if there are plugins that change that, but I would think that would be something not allowed, unless the Super Admin made a Site Admin a "Super Admin", which is possible with WordPress.

    I use "WordFence" and you are right, it is a network activated plugin that scans from the network dashboard.

    I have a question though, does "6scan" scan the database? The reason I ask that is because if something is allowed on a Sub Site by a Site Admin (that was a security issue) would "6scan" catch it if it doesn't scan the database? Or does "6scan" only scan files for vulnerabilities?

  9. EllsWeb
    Member
    Posted 1 year ago #

    I don't know all of what 6scan does. I can't use it on my multisites so I didn't get really deep into it. I usually read as much as I can about those things, but I haven't with 6scan.

    The description says it is more in line with protecting sites from hackers and exploits, so I would think it is more for protection from someone trying to do something to your site or network.

    What I do know is 6scan would have to be able to scan the database to determine how many sites there are and what they are so that it can protect the static login pages from malicious attempts to access and damage the network.

    However, it is my understanding that a breach in one subsite wouldn't give a hacker access to the network unless the network admin account is hacked. They might damage a subsite, but not the network. In that case, the Network Admin should have something set up to require harder passwords and encourage usernames that aren't easy to guess.

    Although, some bots can find usernames by scanning the source of some sites. It all gives me a headache trying to figure out all of what security has to do to protect a site.

    But, multisite isn't as fluid a configuration as what the questions raised above imply. There are different configurations, but they all pretty much function the same way. Even the difference between subdirectory subsites and subdomain subsites is still a manipulation of the database, it's just knowing how that manipulation works. The structure is still basically the same. WordPress creates the illusion of a subdomain install and it creates an illusion of subdirectory installs (based on the choice made at initial configuration of the network). It's all still the same files. No extra directories full of separate installs... it's all one install.

    Of course, I could be way out in left field in my understanding, but that is what I have been able to figure out.. lol

  10. Grace n Ease
    Member
    Posted 1 year ago #

    mhmmm..

    that made it clear as mud.. lol

  11. EllsWeb
    Member
    Posted 1 year ago #

    Thinking about what might be considered individual site control such as maybe a site dashboard menu item, one could consider placing a dashboard item to give the individual site certain amounts of control over their site.

    One item I would consider of value would be allowing a site admin the option to protect the login area or the dashboard area using 6scan. A couple or a few check boxes would accomplish that if you want to give that option. I wouldn't concern myself with whether or not a site admin should have the ability to scan files, UNLESS some sites might offer frontend uploading of files or even backend uploading of files on an individual site. In those cases, I would presume it wise (if files are scanned) to allow a site admin the option to scan uploaded files.

    But other than that, I don't see where there is a need for any site admin to need to scan files relating to the installation of any plugin, theme or core files of the network. I hope I said that so that it is understandable.

    But I would reiterate the fact that site admins do not upload plugins or themes, there is no allowance for that in WordPress. All theme and plugin uploads as well as installations are done in the network admin section (as are the editing of plugin and theme files) via the network admin "editing" menus respectively to themes and plugins.

    If there are multiple networks allowed on a multisite install, there is still the fact that only the Super Admin uploads and installs themes and plugins. All options for selection of plugins and themes available on a network are under the control of Super Admin (or Network Admin) and unless the Super Admin makes another user a Super Admin of the network there is only one Super Admin.

    That's my understanding anyway. I hope that helps.

  12. 6Scan
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks ellsweb! We'll take a look at how the other plugins work, and look at your suggestions as well to see if maybe it's simpler than we thought. Thanks again for your help!

  13. Dan & Jennifer
    Member
    Posted 1 year ago #

    Hi there. We too would love to see the plugin support multisite, as our sites run multisite.

    I'd like to agree completely with ellsweb's first answer above:

    Super Admins have that control, nobody else. And nobody else should have that control. If there is a security issue with a setup, your software should handle that at the Super Admin level, not any other level.
    Let the Super Admins administer the network.

    Absolutely right on. The network administrator is the only one with the control in multisite, the only one who can install/update plugins, etc.

    For us, even if you guys added any admin visibility into the security stuff at the sub-site level (which I still don't think is necessary at all) - but if you did, I'd like to see a checkbox at the network level to hide any visibility of this plugin from the sub-sites. :-)

    What's really important is providing this security to multisite installs, and the only true administrator of a WordPress multisite is the network admin.

    Hopefully this makes implementing the plugin for multisite easier - as it takes quite a few of the other considerations off the table. :-)

    Thanks!!

Topic Closed

This topic has been closed to new replies.
