Can my multi-site end users have FTP access to their sites?

I'm setting up a local http://9thsites.com/ type business to have managed Wordpress hosting. I've got it almost completely set up. One question I haven't been able to find the answer to, though, is whether my end users will have FTP access to upload themes and plugins. Will that be possible, or must they only used approved plugins and themes that I've uploaded?

Thank you!

  • Timothy Bowers

    Hey chucklasker.

    Sure it is possible to give them folder restricted FTP access, you might even find a plugin. But I wouldn't even attempt that. The security implications would be huge.

    First thing to consider is intentional damage, deleting files, uploading dodgy themes and scripts which could take your site down and give people access to the database. Just a few worrying things to consider.

    Some might say, "Well I trust all my users, thanks!" but that could still be a problem, who will keep an eye on security issues and bad coding in plugins by third party developers. Take for example the excellent Timthumb script which was used in many WP themes and plugins. Last year there was a huge security exploit found and many sites got hacked. The fix was forthcoming, but would sort that if your member uploaded them, could you trust them to keep an eye on security issues and updates?

    So, in my opinion..... This would be an extreamly dangerous thing to do in case you has malicious users or users whom are not familiar with bad code and security issues in old code.

    Take care.

  • Timothy Bowers

    Hey again.

    So is a Multi-site system less secure than a regular hosting account?

    That would depend on your server setup really.

    Users in a multisite are all on one hosting account, the same one. Letting them use their themes, plugins or own code could give them or someone else the same access as your server. What if a security issue in some third party theme let me upload some php which then let me do a dump of your sites DB, or just log in and do anything I wanted?

    Would you trust them with keys to your house, your business?

    The issue might not be them, but if they upload a third party plugin or theme what if a security issue is found and they don't update it. Like the Timthumb issue?

    With separate WP installs, its one site. With a multisite setup, it could be your whole empire or a large chunk of it.

    If they want to upload their own themes and plugins, then I would sell them hosting and let them do it themselves.

    Take care.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.