Title: Drawbacks on multisite
Last modified: August 30, 2016

---

# Drawbacks on multisite

 *  Resolved [Axel13](https://wordpress.org/support/users/axel13/)
 * (@axel13)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/drawbacks-on-multisite/)
 * I just tried All In One WP Security & Firewall on a WordPress multisite. While
   I like most features and would tend to trust it in a single install, I must say
   it seems to me that there is a whole lot that needs to change before it can be
   useful for multisites. So, here are my findings. I hope it’s helpful.
 * **Settings per site**
 * One of the advantages of multisite is that a lot can be dealt with simultaneously
   for all sites, which makes it easier and it’s useful for site admins, since they
   do not need to worry about it. So, on a multisite there is hardly any need to
   have settings for every site separately. It could be useful for a few settings,
   like to change the login URL, but it’s not a necessity and the disadvantages 
   heavily outweigh the advantages.
 * Also, in most scenarios there is no need to share security info with all site
   admins. This counts double; in fact, it’s a security issue when anyone can create
   a new site. F.ex. the WP table prefix is made public through system info, backups
   and the AIOWPS log (which has info on all sites). I do think the backups per 
   site can be useful, but since it’s the network admin who needs to repair sites
   when something goes wrong, there is no need for site admins to take a backup.
   There is no reason why they should see the log either.
 * Another important reason why I feel the settings should move to the network admin
   area is that site admins do not know what security measures have been taken, 
   without the All In One WP Security & Firewall. F.ex. I use a different plugin
   to prevent spam, so this should not be activated. I also have X-Frame-Options
   SAMEORIGIN in .htaccess, so they do not need to enable it.
 * **Disable all settings**
 * Except upon uninstalling perhaps, I’m not sure how _“Disable Security Features”_
   and _“Disable All Firewall Rules”_ can be useful, because it doesn’t make it 
   clear what exactly may cause a problem, but the weirdest and worst part is that
   site admins do not have access to the firewall rules, yet they do see the button
   to clear the rules and when they press on it, they see _“All firewall rules have
   been disabled successfully!”_, yet on the main site nothing seems changed.
   **Looking in .htaccess, however, all settings are indeed gone.** This is terrible.
   Besides the fact that, obviously, the site admins should not be able to erase
   the firewall settings, the settings do not reflect the real content in .htaccess.
 * **Security Strength Meter**
 * I like visual, so I like the security strength meter, but the score doesn’t reflect
   the real security measures. It only looks at the settings. Especially on a multisite,
   where site admins don’t know about other security settings, it is then better
   not to have a score at all. Moreover, the score does not reflect the network 
   wide settings. F.ex. on the WP Security dashboard the basic firewall looks as
   if it’s turned off. It’s better to give a false sense of insecurity than the 
   other way around, but it gives a poor impression.
 * **Display Name Security**
 * Any bit of a hacker would look at the author URL, not at the screen name, so 
   I don’t see how this is useful.
 * Also, when using login via Social networks, the username gets generated automatically.
   Even if it were somewhat useful for admins to use a different username, it doesn’t
   matter for members.
   Smarter would be to check whether the admin or network admin
   have posts and to recommend to change the author of these posts to someone with
   only author rights.
 * The list with user accounts does not stick to only the site’s users. Instead 
   it shows all users on the multisite, in every site. Besides being confusing for
   site owners that they do not see those users in their user list, it’s also a 
   privacy issue.
 * **Password Strength Tool**
 * From a password strength tool I would hope to get an idea of the password strength
   of users on the site. It would be useful to force strong passwords and a password
   change. The worst part however is a sense of false security. According to the
   tool it would take approximately 1931 years, 9 months to crack “fd4fd46fdf54d”.
   Yet in 2013 hackers already [cracked 16-character passwords in less than an hour](http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html).
 * **Re-insert the security rules in your .htaccess**
 * Upon activation the plugin asks: _“Would you like All In One WP Security & Firewall
   to re-insert the security rules in your .htaccess file which were cleared when
   you deactivated the plugin?”_ I didn’t try the plugin before, so this was confusing.
   My thought was to do that after changing the setting, yet by doing so all settings
   got removed.
 * Moreover, the question is shown to all members of the site. I’m not sure what
   would have happened when someone else would have clicked it, but I would guess
   the same, so it shouldn’t be visible to anyone other than the network admin.
 * **Account activity log**
 * This tab is said to display the login activity for WordPress admin accounts, 
   but on the main site a regular user, who has a site on the multisite, is shown
   in the list on the main site. On the subsite where this user is admin, the list
   was empty.
 * **Logged in users**
 * On subsites the list seems to show all users on the network. Possibly it is only
   the users who are members of this site. I didn’t verify, but kind of doubt it.
 * **PHP File Editing**
 * Removing the ability to edit PHP files via the WP dashboard can be useful, yet
   if someone has access to the editor in WordPress, they also have access to the
   settings where they can enable it. So there is no point in having that setting,
   unless the setting screen is protected.
 * **404 Detection Options**
 * It’s useful to track repeated 404 errors and to be able to block related IPs,
   but it makes little sense to do this manually. This means you have to catch the
   attacker in the act. Blocking the IP afterwards makes little sense, because attackers
   most likely use different/dynamic IPs. This feature would be a lot more useful
   if it worked like limiting login attempts: when X number of 404 errors are produced
   within X seconds then the IP gets banned for X minutes.
 * **Prevent Image Hotlinking**
 * This feature doesn’t work on multisite, at least not in combination with domain
   mapping, when backends use the subdomain and frontends use the mapped domain.
   I didn’t try without. Weirdly, the images are shown when logged in, but not when
   logged out. It would be useful if it were possible to hotlink images on all sites
   on the server (verify IP instead of domain?).
 * —
    I could add a lot of positive feedback about the plugin too though. In fact,
   I wouldn’t write this if I didn’t think highly of it. So, as said, I hope it 
   helps.
 * [https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/)
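The automatic ban logic proposed under "404 Detection Options" above (X 404s within X seconds bans the IP for X minutes), worked through as an added example that is not the plugin's own code: it keeps a sliding window of 404 timestamps per client IP and replays constructed Apache-style access-log lines; the thresholds, log format and sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')  # ip, timestamp, request, status
class NotFoundRateLimiter:
    """Sliding-window count of 404s per client IP, with a temporary ban."""
    def __init__(self, max_hits, window_seconds, ban_seconds):
        self.max_hits = max_hits              # X 404s ...
        self.window_seconds = window_seconds  # ... within X seconds ...
        self.ban_seconds = ban_seconds        # ... bans the IP for this long
        self._hits = defaultdict(deque)       # ip -> unix times of recent 404s
        self._banned_until = {}               # ip -> unix time the ban expires
    def is_banned(self, ip, now):
        return now < self._banned_until.get(ip, 0)
    def record_404(self, ip, now):
        """Count a 404 at unix time now; True only when it triggers a new ban."""
        if self.is_banned(ip, now):
            return False
        q = self._hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window_seconds:  # age out hits outside the window
            q.popleft()
        if len(q) < self.max_hits:
            return False
        self._banned_until[ip] = now + self.ban_seconds
        q.clear()
        return True

def scan_access_log(lines, limiter):
    """Replay 404 entries from access-log lines; return (ip, timestamp) ban events."""
    bans = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            now = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            if limiter.record_404(m.group("ip"), now):
                bans.append((m.group("ip"), m.group("ts")))
    return bans
# Constructed sample log (not real traffic): one fast scanner, one slow ordinary client.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2016:10:00:01 +0000] "GET /wp-content/plugins/a/readme.txt HTTP/1.1" 404 209
203.0.113.5 - - [30/Aug/2016:10:00:02 +0000] "GET /wp-content/plugins/b/readme.txt HTTP/1.1" 404 209
198.51.100.7 - - [30/Aug/2016:10:00:02 +0000] "GET /old-page/ HTTP/1.1" 404 209
203.0.113.5 - - [30/Aug/2016:10:00:03 +0000] "GET /wp-content/plugins/c/readme.txt HTTP/1.1" 404 209
203.0.113.5 - - [30/Aug/2016:10:00:04 +0000] "GET /wp-content/plugins/d/readme.txt HTTP/1.1" 404 209
198.51.100.7 - - [30/Aug/2016:10:05:00 +0000] "GET /another-old-page/ HTTP/1.1" 404 209
198.51.100.7 - - [30/Aug/2016:10:10:00 +0000] "GET /yet-another/ HTTP/1.1" 404 209
""".splitlines()
```

With 3 hits per 60 seconds and a 600-second ban, only the scanner is banned (at its third 404) and its fourth hit is ignored as already banned, while the client producing a 404 every five minutes never trips the threshold.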

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/drawbacks-on-multisite/#post-6427417)
 * Hi Axel13, thank you for the extensive report and findings on a Multisite.
 * I am sure a lot of your time has gone into checking all areas of the plugin while
   setting up the plugin in a Multisite environment. This definitely will help the
   developers investigate further all the above.
 * One of the plugin developers will reply back to your findings and suggestions
   above.
 * Once again thank you for the extensive report.
 * Kind regards
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/drawbacks-on-multisite/#post-6427633)
 * Hi, have you tested the latest version? If you have does it address all or some
   of your questions above?
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/drawbacks-on-multisite/#post-6427634)
 * I am marking this thread as resolved. No replies in 6 months.
 * Thank you
