Best Practices for MU/BuddyPress Sites?

I'm new to WordPress.

My first project is a Multiuser/BuddyPress site. I've been very impressed with how easy it's been to set up as well as the resources from this site. However I'm concerned that I'm about to start hosting blogs for people on a platform I have very little experience with as a user.

Would love to hear best practices from others regarding how you're:

- Keeping your multiuser site safe and secure
- Keeping malicious users off
- Providing value add to your users
- Providing users plugins and templates
- How you're monetizing plugins and templates (what you offer, charge, etc.)

Specific Questions:

One core need I have is to let bbPress users upload/download files. How are you scanning uploads for virus/malware to keep end users (and the server) safe? My environment is a VPS running CentOS/cPanel.

There is a popular (non-WPMU Dev) Premium Theme Framework that I've been told my future users would like. It appears their licensing will allow me to distribute it on a multiuser site (and I think monetize it). Is there any reason why I wouldn't want to do this (other than paying for it)? Are other MU sites doing this?

Am I asking for problems if I provide users access to popular free plugins and templates from WordPress.org? I want to provide the kind of resources that I myself would like to use but when I see how locked down WordPress.com's environment is (no plugins, etc.) I'm concerned that I might be asking for trouble.

Thanks in advance for your advice.
Sid

  • Timothy
    • Chief Pigeon

    Hey all.

    Here is some general advice I posted about a year ago:

    https://premium.wpmudev.org/forums/topic/workflow-for-setting-up-an-online-service-like-edublogs#post-86111

    This is general advice for setting up a network, or any WP site in fact.

    One core need I have is to let bbPress users upload/download files. How are you scanning uploads for virus/malware to keep end users (and the server) safe? My environment is a VPS running CentOS/cPanel.

    Simply not allowing them to upload anything they like will help the most. This is what we allow:

    Allowed uploads: gif (5000 KB), gz (5000 KB), jpeg (5000 KB), jpg (5000 KB), pdf (5000 KB), png (5000 KB), txt (5000 KB), zip (5000 KB)

    Don't allow PHP files, exe files, or anything really which could be executed from the browser (inc. JavaScript) or downloaded and run unless those downloads are something you provide. The contradiction would be if you are running a download service. :)

    There is a popular (non-WPMU Dev) Premium Theme Framework that I've been told my future users would like. It appears their licensing will allow me to distribute it on a multiuser site (and I think monetize it). Is there any reason why I wouldn't want to do this (other than paying for it)? Are other MU sites doing this?

    I don't see a reason why you wouldn't, but refer back to that link I just provided. Try not to bloat out your install.

    Make sure it's a decent framework. Some have lots of issues with various plugins for WP.

    I know for example that we had a number of issues recently when members used OptimizePress with our plugins and because of how it works with WP. Another theme which causes issues with many plugins including ours is Salutation; it doesn't work so well with custom post types through query.

    Both of those are premium products.

    Am I asking for problems if I provide users access to popular free plugins and templates from WordPress.org? I want to provide the kind of resources that I myself would like to use but when I see how locked down WordPress.com's environment is (no plugins, etc.) I'm concerned that I might be asking for trouble.

    WP.com lock it down for a specific reason; it's about code control for security reasons.

    It's for that reason you shouldn't let your members upload their own themes, plugins, code, etc. Even when trusted they could upload insecure code inadvertently.

    Less code = Less potential to go wrong.

    So if you wanted to change something simple, often it's not only more efficient to code the change direct, it could potentially be safer than using another plugin to handle the task no matter how big or small.

    As for free themes, WP.org is ok but because when searching on the net:

    https://premium.wpmudev.org/blog/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

    I hope this helps.
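
One way to enforce the allowlist and 5000 KB cap from the post above in code, as an added example that is not from the thread or from WPMU DEV. It assumes a hypothetical mu-plugin file, an upload path that goes through `wp_handle_upload()`, and PHP's fileinfo extension; the `EXAMPLE_*` names are made up for illustration.

```php
<?php
// Added example: hypothetical mu-plugin file, not code from the thread.

const EXAMPLE_MAX_BYTES = 5000 * 1024; // 5000 KB cap from the post

// Extension => MIME types libmagic may report for genuine files of that type.
const EXAMPLE_ALLOWED = array(
    'gif'  => array( 'image/gif' ),
    'jpg'  => array( 'image/jpeg' ),
    'jpeg' => array( 'image/jpeg' ),
    'png'  => array( 'image/png' ),
    'pdf'  => array( 'application/pdf' ),
    'txt'  => array( 'text/plain' ),
    'zip'  => array( 'application/zip' ),
    'gz'   => array( 'application/gzip', 'application/x-gzip' ),
);

// Replace WordPress's default type list instead of adding to it.
add_filter( 'upload_mimes', function () {
    $mimes = array();
    foreach ( EXAMPLE_ALLOWED as $ext => $types ) {
        $mimes[ $ext ] = $types[0];
    }
    return $mimes;
} );

// Runs before WordPress moves the temp file; setting 'error' rejects it.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! array_key_exists( $ext, EXAMPLE_ALLOWED ) ) {
        $file['error'] = 'File type not allowed.';
        return $file;
    }
    if ( $file['size'] > EXAMPLE_MAX_BYTES ) {
        $file['error'] = 'File exceeds the 5000 KB limit.';
        return $file;
    }
    // Check the content, not just the name: a script renamed to .jpg fails here.
    $finfo  = new finfo( FILEINFO_MIME_TYPE );
    $actual = $finfo->file( $file['tmp_name'] );
    if ( ! in_array( $actual, EXAMPLE_ALLOWED[ $ext ], true ) ) {
        $file['error'] = 'File content does not match its extension.';
    }
    return $file;
} );
```

The content check is deliberately strict: a `.txt` file that libmagic identifies as HTML or script source is rejected, and empty files are rejected as well.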

  • sidcam
    • Flash Drive

    Awesome, thanks!

    My business model isn't drastically different than Edublogs (just a different audience). However the main site will be more Facebook-like and my customers will mostly be creating blogs for business reasons -- so I perceive they'll have a need to extend functionality with plugins and something like a Genesis or Woo Themes.

    With bbPress, I need my users to be able to upload/download common desktop file formats like Word, Excel, PDF, etc without zipping them (they're just not that savvy).

    Even though I have a need to secure the server, my biggest concern is getting sued by a user who downloaded a virus another member accidentally uploaded.

    I was looking at ClamAV as a possible solution for this but if there is something better (even a paid product) then I'd welcome recommendations.

    I really wish every piece of this was as simple and straightforward as the WPMU Dev components! ;)

    Again, thanks so much for your advice.

    Sid
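
A sketch of how ClamAV, mentioned in the post above, could be wired into the upload path so that a file is scanned before WordPress stores it. This is an added example, not code from the thread; it assumes a hypothetical mu-plugin, a running `clamd` with `clamdscan` at the path shown, PHP's `exec()` being enabled, and uploads that pass through `wp_handle_upload()`.

```php
<?php
// Added example: hypothetical mu-plugin file; assumes clamd is running and
// clamdscan is installed at the path below (adjust for your server).

const EXAMPLE_CLAMDSCAN = '/usr/bin/clamdscan';

// clamdscan exit codes: 0 = clean, 1 = malware found, 2 = scanner error.
function example_clamav_verdict( $path ) {
    // --fdpass hands clamd an open descriptor, so the daemon's user does not
    // need read access to PHP's temporary upload directory.
    $cmd = escapeshellarg( EXAMPLE_CLAMDSCAN ) . ' --no-summary --fdpass '
         . escapeshellarg( $path ) . ' 2>&1';
    exec( $cmd, $output, $status );
    return array( 'status' => $status, 'detail' => implode( ' | ', $output ) );
}

add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! empty( $file['error'] ) ) {
        return $file; // already rejected by an earlier check
    }
    $verdict = example_clamav_verdict( $file['tmp_name'] );
    if ( 0 === $verdict['status'] ) {
        return $file; // clean: let WordPress continue with the upload
    }
    // Keep scanner detail in the server log; show the uploader a generic message.
    error_log( 'upload scan: ' . sanitize_file_name( $file['name'] )
        . ' => ' . $verdict['detail'] );
    // Fail closed: anything other than "clean" blocks the upload, including
    // a stopped daemon or a missing binary.
    $file['error'] = ( 1 === $verdict['status'] )
        ? 'Upload rejected: the file failed the malware scan.'
        : 'Upload rejected: the file could not be scanned.';
    return $file;
}, 20 );
```

Signature scanning only catches known malware, so it complements a restrictive allowlist of upload types rather than replacing it.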

  • Timothy
    • Chief Pigeon

    Even though I have a need to secure the server, my biggest concern is getting sued by a user who downloaded a virus another member accidentally uploaded.

    Does that sort of thing happen in your part of the world?

    I've not heard of it in the UK unless I missed it.

    Would something in your terms of service not cover you, stating that all uploads are the responsibility of the uploader and it's also the responsibility of the downloader to run a virus check first?

    For Malware, monitoring and clean up I hear these guys are good:

    http://sucuri.net/

    I use their site scanning and haven't been disappointed. If you use their other premium services then I'd love to see a review of what you think to them.

    Again, thanks so much for your advice.

    You're most welcome!!!

    Take care.
