WordPress Multisite: Lessons from Managing 50+ Sites

A Decade of Network Management

I've been managing WordPress Multisite networks since 2012. The largest has over 50 active sites serving a university with hundreds of content editors. Along the way, I've made every mistake possible—and developed practices that make large networks not just manageable, but enjoyable to maintain.

These lessons come from real production networks, not theory. Some I learned the hard way. Hopefully you won't have to.

Lesson 1: Standardize Before You Scale

The biggest regret I hear from Multisite admins: "I wish we'd standardized earlier."

What to Standardize

• Theme framework: One parent theme, child themes for variations
• Plugin set: Approved plugins only, no exceptions
• Content types: Standard post types, taxonomies, and fields
• User roles: Clear permissions at network and site levels
• Naming conventions: Site slugs, user naming, file organization

Why It Matters

With 5 sites, you can manage diversity. With 50, inconsistency becomes unmanageable:

• Different themes mean training every site differently
• Different plugins mean testing updates across configurations
• Different structures mean custom solutions for every site

Lesson 2: Curate Plugins Ruthlessly

In a Multisite network, one vulnerable or poorly-coded plugin affects every site. Plugin curation isn't optional—it's essential.

Plugin Approval Process

1. Request and justification

   What problem does this solve? Is there an approved alternative?

2. Security review

   Check plugin history, developer reputation, last update date.

3. Performance testing

   Test on staging. Does it add significant load?

4. Compatibility check

   Does it conflict with existing plugins or theme?

5. Maintenance assessment

   Will this plugin be maintained? Is there an exit strategy?

Red Flags

• Not updated in 12+ months
• Low active installations with poor ratings
• Developer doesn't respond to support requests
• Requires disabling security features
• Adds database tables without cleanup on deactivation

Network-Activated vs. Site-Activated

• Network-activate: Security plugins, performance plugins, required functionality
• Site-activate (admin choice): Optional features from your approved list
• Never allow: Unapproved plugins, even "just to try"

Lesson 3: Invest in Deployment Workflows

With a single site, you might get away with editing in production. With 50 sites depending on the same codebase, you need proper workflows.

Essential Infrastructure

• Version control: All custom code in Git, no exceptions
• Staging environment: Mirror of production for testing
• Deployment automation: Scripted deployments, not manual FTP
• Rollback capability: Ability to quickly undo bad deployments

Update Strategy

• WordPress core: Test on staging, deploy during low-traffic window
• Plugins: Review changelogs, test critical plugins individually
• Themes: Test thoroughly; theme updates can break layouts
• PHP version: Major project, extensive testing required

Deployment Checklist

1. Test change on local development
2. Deploy to staging
3. Test affected functionality
4. Check multiple sites on staging
5. Schedule production deployment
6. Deploy to production
7. Verify on production
8. Monitor for 24 hours

Lesson 4: User Management at Scale

50 sites might mean 200+ users with varying permissions. User management becomes a significant task.

Permission Strategy

• Super Admins: Minimal—only those who truly need network access
• Site Admins: Can manage their site, can't break the network
• Editors: Content only, no settings changes
• Authors/Contributors: Limited content creation

Role Customization

Default WordPress roles rarely fit organizational needs. Customize them:

• Remove dangerous capabilities from Site Admin (like plugin installation)
• Create custom roles matching your organization's structure
• Use plugins like Members or User Role Editor for granular control

User Lifecycle

• Onboarding: Standard process with training requirement
• Regular audits: Quarterly review of who has access to what
• Offboarding: Immediate access removal when people leave

Lesson 5: Performance at Scale

A 50-site network has different performance characteristics than 50 individual sites.

Database Considerations

• All sites share one database (with prefixed tables)
• Large networks can have thousands of tables
• Some hosts struggle with high table counts
• Database optimization becomes critical

Caching Strategy

• Object caching (Redis/Memcached) is essential, not optional
• Page caching per-site with network-aware configuration
• CDN for static assets
• Be careful with caching plugins—some don't handle Multisite well

Hosting Requirements

• Shared hosting won't cut it for large networks
• VPS minimum, dedicated or cloud preferred
• Ensure host supports Multisite (not all do well)
• Plan for growth—easier to scale down than up in an emergency

Lesson 6: Documentation Is Not Optional

With complex networks, documentation is the difference between manageable and chaotic.

What to Document

• Architecture decisions: Why things are configured as they are
• Custom code: What it does, why it exists, how to modify
• Plugin configurations: Non-obvious settings and their purposes
• User procedures: How to do common tasks
• Emergency procedures: What to do when things break
• Site inventory: What each site is for, who owns it

Documentation Tools

• Internal wiki or knowledge base
• README files in code repositories
• Inline code comments for complex logic
• Runbooks for operational procedures

Lesson 7: Plan for Site Lifecycle

Sites aren't permanent. Plan for creation, maintenance, and retirement.

Site Creation Process

• Request and approval workflow
• Standard site setup (theme, plugins, initial content)
• User account creation and training
• Documentation of site purpose and ownership

Site Maintenance

• Regular content audits—is the site still active?
• Ownership verification—does the owner still work here?
• Technical review—any site-specific issues?

Site Retirement

• Archive content before deletion
• Set up redirects if URLs were shared
• Notify stakeholders
• Document what was removed and why

Lesson 8: Security Is Network-Wide

In Multisite, security is only as strong as the weakest site. A compromise on one site can affect the entire network.

Network Security Essentials

• Web Application Firewall (WAF) at network level
• Strong password policies enforced
• Two-factor authentication, especially for admins
• Regular security scanning
• Limited Super Admin accounts
• Activity logging and monitoring

Site-Level Concerns

• Site admins can't install arbitrary plugins (enforce this)
• File upload restrictions
• Form security (spam prevention, input validation)

Making It Work Long-Term

Managing a large WordPress Multisite network is challenging but rewarding. The efficiency gains from centralized management are substantial—when done right.

Key Takeaways

• Invest in standardization and governance early
• Treat plugin and theme management as critical security functions
• Build proper deployment and testing workflows
• Document obsessively
• Plan for the full site lifecycle
• Never compromise on security

The practices that feel like overhead with 5 sites become essential with 50. Start building good habits early, and scaling becomes manageable rather than overwhelming.

After a decade of Multisite management, I still find it the most efficient way to manage large numbers of related sites. The key is respecting its complexity and investing in proper processes from the beginning.