Don’t let an injury to one become an injury to all: Strategies for safely managing multiple sites

If you’re adept at building websites, chances are excellent that you have more than one of them in your care, whether you own them yourself or whether you simply manage them on behalf of a friend or a business/nonprofit/community group that you have a relationship with.

Ensuring that all the sites you’re responsible for are well maintained is no easy task, especially when it’s a large number.

But it’s really important, because maintenance and administration go hand in hand with security. A neglected site can become a serious liability — and not just to the entity that it’s associated with. Since a hosting account is only as strong as its weakest link, it’s very important to ensure that no site gets left behind when it comes to regular maintenance and administration.

Here are three strategies you can use to minimize your risk of an injury to one site becoming an injury to all sites in your hosting account.

Strategy #1: Isolate your sites from each other

The first strategy you should consider to protect multiple sites that are sharing a hosting account is to isolate them from each other to the fullest extent possible. This way, if one site gets infected, the infection’s ability to spread is minimized. This strategy only works for sites that reside at different domains or subdomains (for example, mysite.tld and subsite.mysite.tld, or mybusiness.tld and hobbysite.tld).

You need to do several things to effectively wall off sites from one another:

  • Use unique, strong passwords for each site’s WordPress accounts
  • Associate each site with its own unique database and database user
  • Run each site under a separate shell or FTP/SFTP user (be aware that some hosts will not allow this)
  • Make sure your shell/FTP/SFTP users do not have access to each other’s files (check with your host to ensure this is the case)

Again, to properly compartmentalize your sites, make sure you do all of the above. If you’ve got sites that “live together” in your hosting account and are not compartmentalized, they will all need to be cleaned in the event that one of them gets hacked.
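
One way to spot-check the list above from a shell account that can read every site: the script below is an added example, not part of the original article. It assumes each site has a standard wp-config.php in its root and treats the file's owner as a stand-in for the shell/FTP/SFTP user; the function names are hypothetical.

```python
import os
import re
import stat
from collections import defaultdict

# Matches define('DB_NAME', 'value') with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

def read_site(site_root):
    """Collect the isolation-relevant facts for one WordPress install."""
    config = os.path.join(site_root, "wp-config.php")
    with open(config, encoding="utf-8", errors="replace") as fh:
        facts = dict(DEFINE_RE.findall(fh.read()))
    st = os.stat(config)
    # Assumption: the file owner is the shell/FTP/SFTP user the site runs under.
    facts["owner_uid"] = st.st_uid
    # "Other" read bit set: every local user can read the database password.
    facts["world_readable"] = bool(st.st_mode & stat.S_IROTH)
    return facts

def audit_isolation(site_roots):
    """Return a sorted list of findings for sites that are not walled off."""
    findings = []
    seen = defaultdict(lambda: defaultdict(list))
    for root in site_roots:
        facts = read_site(root)
        if facts["world_readable"]:
            findings.append(f"{root}: wp-config.php is readable by other users")
        for key in ("DB_NAME", "DB_USER", "owner_uid"):
            if key in facts:
                seen[key][facts[key]].append(root)
    # Any database, database user or file owner used by 2+ sites breaks isolation.
    for key, values in seen.items():
        for value, roots in values.items():
            if len(roots) > 1:
                findings.append(f"shared {key} {value!r}: {', '.join(sorted(roots))}")
    return sorted(findings)
```

Call audit_isolation() with the list of site root directories in your hosting account; an empty list means none of these checks fired.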

Strategy #2: Use a manager to collectively administer your WordPress sites

If you are responsible for more than one WordPress site, you can greatly simplify your administrative workload by using a site manager to keep an eye on all of your sites at once.

Perhaps the biggest benefit of a site manager is that it will allow you to install updates in tandem without having to log in to each and every site you’re responsible for separately.

For example, suppose the WordPress development team releases a new version of Akismet, the spam-catching plugin that ships with WordPress, as they did a few weeks ago. With a site manager, you can install that update across all the sites you have with just a couple of clicks, saving a lot of time and ensuring that no site gets left behind.

Connecting your sites to a site manager is as simple as installing a plugin and completing the pairing process by providing the site URL and a key to the manager.

When it comes to site managers, you’ve got choices. Two of the most popular managers currently available are InfiniteWP and MainWP. Both of these managers integrate with Wordfence, the best security suite available for WordPress. And both can be installed in your existing hosting account at no cost to you. (Like your client sites, run your manager under a separate shell/FTP/SFTP user as described above.)

Do note, though, that many advanced capabilities you may want, like scheduled backups or Wordfence integration, will require the purchase of an add-on.

Since your manager will be connected to all of your sites, you’ll want to log in often to ensure the manager itself is up to date, and protect it with a strong password. It’s also best to run all of your sites — your manager included — over HTTPS only.

Strategy #3: Convert dormant WordPress sites to static sites

If you’ve got a WordPress site in your hosting account that is no longer being updated with new content, but that you don’t want to take offline, consider giving it a proper retirement by converting it to a static site.

It’ll load faster, and there will be one fewer application in your web hosting account that you need to worry about updating and securing. This is a great alternative to deleting a site altogether and having the content disappear from the Web.

To convert your site, you can use the Simply Static plugin. It will generate a snapshot of everything you’ve got — posts, pages, images, scripts, and all — preserving your permalink structure in the process. Pretty cool!

Once your archive has been successfully created by Simply Static, move it out of your web root. Then, take the WordPress site offline by making a backup of the site and deleting the filesystem.

Keep in mind that depending on the size of your website, the archive could take a while to build, and be quite large.

Unpack the archive file you created in place of the filesystem you deleted, and verify that your posts and pages are still accessible at the URLs they had when the site was a WordPress site.
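
The verification step above can be scripted. The following is an added example, not part of the original article or of Simply Static: given a list of the site's former permalinks (saved before the conversion), it checks that the unpacked archive has a file for each one, and it also lists any leftover .php files, since a retired site should no longer contain application code. It assumes pretty permalinks are exported as directory/index.html; the function names and the mysite.tld URLs used with it are constructed.

```python
import os
from urllib.parse import unquote, urlsplit

def expected_file(web_root, url):
    """Map a former permalink to the file a static web server would serve."""
    root = os.path.abspath(web_root)
    path = unquote(urlsplit(url).path).lstrip("/")
    target = os.path.normpath(os.path.join(root, path))
    if os.path.commonpath([root, target]) != root:
        return None  # path climbs out of the web root; report it as missing
    # Assumption: /some-post/ is stored as some-post/index.html in the archive.
    if os.path.isdir(target) or url.endswith("/"):
        return os.path.join(target, "index.html")
    return target

def verify_static_site(web_root, permalinks):
    """Report permalinks with no file behind them and leftover PHP files."""
    missing = []
    for url in permalinks:
        path = expected_file(web_root, url)
        if path is None or not os.path.isfile(path):
            missing.append(url)
    leftover_php = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                leftover_php.append(os.path.relpath(full, web_root))
    return {"missing": missing, "leftover_php": sorted(leftover_php)}
```

Both lists should come back empty before you consider the retirement finished.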

Note that when you retire a WordPress site by converting it using the process described above, comment threads, forms, and other interactive functionality will no longer work. You may wish to edit your now-static contact page and other pages where forms were present to remove them and make it clear to site visitors that they are viewing an archived site which isn’t accepting new form submissions. You can always put in a link to a currently maintained site where they can reach out to you.