database for every blog

Hi,
I have a website that gives users blogs.
I have thought a little about giving every user permission to upload their own theme and their own plugin.

I guess this needs a database for every user, to allow him to do whatever he wants,
but I should have permission as a network administrator to stay in control of them.

So the question is: can I give a database to every user?

OR
can I give users permission to upload their own themes and plugins?

Thanks !

  • Erik

    You could do these things. But despite a separate database, a user could still wreak havoc on your system. For instance, they could upload a php shell and ssh directly into your server. You should reconsider this, or possibly use separate wp installs provisioned by something like whmcs. This would create separate cpanels and ftp credentials for each client.

    But if you do want to continue doing this, I can think of few cases (trusted network etc etc) where you would want to, you theoretically could do this BUT you would need to create the databases via a hook on blog creation triggering a script to interact with your server's dbs and then you'd have to update your db architecture information, then use a hook to move the blog to that db. It would probably be easier to just set up 256 or higher dbs at install, then move blogs manually afterwards. Considering writing something that updates your architecture for a dynamic number of dbs gives me the willies.

    I would go with separate cpanel/wp provisioning via whmcs for ease, security, & your requirements. WPMU Premiums Dev group offers a nice plugin to do that.

  • Erik

    WordPress multisite doesn't allow lower level users to upload their own themes or plugins because it is a giant security risk. If you allowed someone to upload their own php they could easily take control of your server. Most of the current hacks going on out there right now are almost all variants/different ways of getting a php script onto your server.

    For example, if I signed up for your service and you allowed me to upload a plugin or run php, I could do all sorts of malicious things. I could empty your database, delete all your files, send emails via your machine, all kinds of things. I could even innocently forget a semi-colon somewhere and give you a white screen of death. You won't find a cms out there that allows untrusted users to run their own php.

    If you trust the user that they won't hack you or hurt you via maliciousness or stupidity, then set their user level to super-admin and they can do whatever they want to whichever blog they want, which they can do anyway if you allow them to upload php.
    Make sense?

    Blog provisioning is the way to go, that way if someone tanks a site, they only kill everything on that cpanel. Although someone dedicated enough could still probably get at the rest of the information on your machine. So you should really consider why you want this...
    -E

  • Timothy Bowers

    Hey there, it seems Erik has provided some excellent and sound advice here!

    it's silly that users don't have permission to upload their own theme and plugins

    It's not silly, it's sensible.

    Allowing people to upload anything or alter code could ruin your site. Anyone could exploit your trust and pillage the services you offer, not to mention the risk to data which by law you are required to protect under the Data Protection Act.

    But still, even if you trust your users, can you trust them to update the code they use and fix vulnerabilities they inadvertently create with their own plugins and themes?

    So you might trust them explicitly but mistakes happen.

    Anyway, to echo Erik here, let them have their own cPanels if they need to upload plugins and themes.

    Softaculous for cPanel could automate that for you. I believe there might be other WHMCS Automatic Installers, I seem to recall them but you'd have to check over there.

    Take care.

  • usf_ahmed_subehi

    @Timothy
    I mean WordPress is a huge script, so it is sensible to have these rules, BUT on the other hand it's not. I mean, why not have a function that checks the template, whether it's a good one or a bad one that has bad code?

    OR

    I have another suggestion: every user could have a database that he uses for his own. I mean every user has a database, so if he messes with code, templates, plugins
    he will mess up his website :)

    I'm just suggesting this.

  • Timothy Bowers

    Hey again.

    A separate DB wouldn't really help here. You see, it's the code which could be the problem. If someone gained access to your server and site then regardless of which DB a site is in, it could be compromised.

    If something like this could be secured totally then it would be fantastic, I know I would love it.

    But because there are so many security issues involved I wouldn't personally want to go there.

    Take care.
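
The point made in the replies above, that isolation comes from separate accounts rather than separate databases, can be checked on a host. The following is an added example, not code from any poster in this thread: it assumes a cPanel-style layout (`<root>/<account>/.../wp-config.php`) and treats the file owner as an approximation of the user PHP runs as.

```python
import stat
import sys
from collections import defaultdict
from pathlib import Path


def audit_hosting_root(root, config_name="wp-config.php"):
    """Audit every WordPress install found under `root`.

    Returns a list of (kind, detail) findings:
      world-readable - the config file (which holds DB credentials) can be
                       read by any other local account.
      shared-owner   - several installs belong to one Unix user, so code
                       running as that user reaches all of them, whichever
                       database each install uses.
    """
    installs_by_uid = defaultdict(list)
    findings = []
    for cfg in sorted(Path(root).rglob(config_name)):
        st = cfg.stat()
        installs_by_uid[st.st_uid].append(str(cfg.parent))
        if st.st_mode & stat.S_IROTH:
            findings.append(("world-readable", str(cfg)))
    for uid, installs in installs_by_uid.items():
        if len(installs) > 1:
            findings.append(("shared-owner", f"uid {uid}: {', '.join(installs)}"))
    return findings


if __name__ == "__main__":
    # Default root is an assumption; pass the real hosting root as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for kind, detail in audit_hosting_root(target):
        print(f"{kind}: {detail}")
```

A single multisite install with per-blog databases still shows up as one owner for everything, which is the situation the replies warn about.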
