Plugin Source code on Multisite

Hi there,

I have a plugin I am developing for use on a multisite - I do not intend to distribute this plugin and so do not want the source code to be publicly available.

If the plugin is made available to end users on my multisite, is there ANY way for them to retrieve or download the source code of any of the plugins they are able to use?


  • Adam Czajczyk

    Hey @Cirrus123,

    I hope you're well today and thank you for your question!

    By default, users are not able to see the source code of any plugin installed. The same applies to both single and multisite WordPress installs. The plugin code is mostly interpreted and executed on the server side, so only the results produced (such as images or HTML code) are accessible with the browser, and thus visible to the end user. The only part that might be visible - and you can't really do much about it - is JS code. This, however, is usually a small part of the plugin, most likely not even usable outside the context (the rest of the code - like the plugin's PHP engine).

    The only way for someone to gain access to your plugin's source code then is to get access to your FTP account (or, for example, the server's admin panel with a file manager installed).

    One last, extremely rare, condition would be a combination of a poorly secured server and a hacker attack. This shouldn't, however, be the case here. So, the ultimate answer to your question is: no, unless given access to your FTP account or server's admin panel, your WP users won't be able to retrieve your plugin's source code :slight_smile:

    Have a good day!

  • Cirrus123

    One final (but urgent) question Adam -

    I've configured it so the user's home directory is somewhere within the uploads/sites/<theirsiteid>/ directory. Now, my question is this - I have tried to be a user and upload an .htaccess file, upload a PHP file, and no matter what I do, I cannot access that file from the web. It does not execute and I keep getting a forbidden result. However, when I go into uploads/sites/<theirsiteid>/<year>/<month>/ I can easily access any files in that directory.

    My question is, what files/instructions, and where can I find them, within WordPress set these security rules?

  • Adam Czajczyk

    Hey Cirrus123,

    I hope you're doing fine!

    You won't see the .htaccess file from the web browser's level. At least you shouldn't, otherwise it would be a serious security glitch! Those files are not intended to be seen by users.

    A PHP file, however, should execute, but not from inside the WP uploads folder. These are the WP rules and I seriously suggest not trying to change them. I am more than convinced that your site would get hacked in no time!

    If you want to allow your users to upload files such as .php files or .htaccess files then the question is what's the point? If it's only for sharing then the best way would be to either force users to upload .zip archives containing these files or point them to separate folders outside the WP install and set strict rules for those folders, not letting any code be executed.

    On the other hand: if you want them to be able to put .php and .htaccess files on your server (which is a way to let them create some kind of websites, I guess) then again - letting them do this inside the WP install is a) the best way to get hacked soon b) most likely will never work as expected.

    Having said that, please feel free to describe your goals and resources and I'll do my best to suggest the safest and/or most reasonable solution :slight_smile:

    Have a great day!
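
As an added illustration (not part of the original thread, and not WordPress's own configuration), this is one way to express the "strict rules" for a separate, non-executing folder that the last reply suggests. It assumes Apache 2.4 and a hypothetical folder `/srv/user-files` outside the WP install, and it belongs in the server or virtual-host configuration rather than in an `.htaccess` file.

```apache
# Added example. /srv/user-files is an assumed path for the separate
# folder that holds user-supplied files, outside the WordPress install.
<Directory "/srv/user-files">
    # Ignore every .htaccess inside this tree, so a file uploaded by a
    # user cannot relax or replace the rules below.
    AllowOverride None

    # No CGI execution and no automatic directory listings.
    Options -ExecCGI -Indexes

    # Refuse to serve script files at all, including names where the
    # script extension is not the last one (for example "x.php.txt"),
    # which older AddHandler-based PHP setups may still execute.
    <FilesMatch "(?i)\.(php\d?|phtml|phar|cgi|pl|py)(\.|$)">
        Require all denied
    </FilesMatch>

    # Never hand out per-directory config or password files.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</Directory>
```

Because `AllowOverride None` is set at the server level, the rules cannot be changed from inside the folder; anything matching the patterns returns 403 Forbidden, while other files are served as static content.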
