Free WordPress Multisite Security Scanner
Audit your WordPress Multisite network for subsite isolation failures, super admin exposure, dangling subdomains, and network-wide plugin vulnerabilities that affect every site simultaneously.
Scan My WP Network — FreeNo signup · No credit card · Results in 30 seconds
What the scanner checks
Network-wide plugin vulnerabilities
Plugins activated network-wide affect every subsite. We scan the main site for vulnerable plugins that impact the entire network at once.
Super admin exposure
Tests /wp-admin/network/ accessibility and enumerates super admin accounts via /?author=1 and REST API endpoints.
Subsite isolation
Checks if subsite users can access other subsites' admin areas through URL manipulation or broken capability checks.
Dangling subdomain takeover
Scans DNS records for subsite subdomains that point to deprovisioned hosting — a common risk in large multisite networks with abandoned sites.
wp-config.php network keys
Tests for exposed wp-config.php backups and .sql dumps that leak the network-wide AUTH_KEY and SECURE_AUTH_KEY used for session cookies.
Network-wide SSL/TLS
Audits the SSL certificate for the main domain and wildcard coverage. Checks for mixed content across the network.
Multisite Amplifies Every Vulnerability
WordPress Multisite lets you run dozens, hundreds, or thousands of WordPress sites from one codebase. It's powerful for agencies, universities, and multi-brand networks — but every security issue is multiplied by the number of subsites on the network.
A single vulnerable plugin activated network-wide compromises every site simultaneously. A leaked AUTH_KEY in a wp-config.php backup forges session cookies across the entire network. An exposed super admin account has god-mode access to every subsite. Our scanner tests the specific misconfigurations that matter in a multisite context, including subsite isolation and dangling subdomain takeovers.
Frequently Asked Questions
What's different about securing a WordPress Multisite?
Multisite shares a filesystem, database, and core WordPress install across all subsites. A single vulnerability or compromised account can affect the entire network. Plugin activation decisions become network-wide, and super admin accounts have cross-site privileges that regular admins don't.
How do I prevent subsite takeover in Multisite?
Monitor all subsite subdomains in DNS, remove CNAMEs for deleted subsites immediately, disable user registration on the network level unless needed, restrict the /wp-signup.php and /wp-activate.php endpoints, and audit super admin accounts quarterly.
Are network-activated plugins more dangerous?
Yes. A network-activated plugin runs on every subsite simultaneously. A single vulnerable plugin compromises the entire network. Prefer activating plugins per-site when possible, and keep network-wide plugins to a minimal, well-maintained set.
What happens if a subsite admin goes rogue?
By default, subsite admins cannot access other subsites' data or files. However, the 'unfiltered_html' and 'edit_files' capabilities can be exploited for privilege escalation. Restrict these capabilities and monitor for cross-site access attempts via your access logs.
Can the scanner test individual subsites in my network?
Yes. Run the scan against any subsite URL (e.g., subsite.example.com or example.com/subsite). For comprehensive network coverage, scan the main site and several representative subsites to catch both network-wide and per-site issues.
Protect your entire WordPress network
Free, instant, no signup. Detailed vulnerability report with fix instructions.
Run Free Multisite Scan