FireHost and WordPress Multi-site… how well do they play together?

Recently, one of my clients purchased a server with  We’d been on the search for a new web host for some time now to serve as the infrastructure supporting upcoming web applications we have in the works.  We needed a company who is well recommended, and will help us scale and scale quickly.

You pay a more for a host like this  but it’s part of the investment costs you need to make if you want to be positioned well for solid growth as a business.

Anyways, the purpose of this post is NOT to discredit or gripe about yet another hosting company that fails to live up to expectations. We actually really like the setup we have at FireHost. Although getting things setup were a bit of a pain – their support has been very prompt and generally okay.  No, this post is more of a fyi for folks who are in a similar situation as us.  I couldn’t find any information on this subject on the nets so thought I’d post my own findings.

One of the major components of some projects we are working on this year involves the use of WordPress multisite.  It will provide the backbone of what we are building and is crucial that we have a server environment that supports this.  FireHost does except for one niggling problem.  They have a super awesome “Web Application Protection” firewall that works really well, too well, and prevents normal usage of WordPress multisite.

At issue is that any subsites created on WordPress multisite will fully function as long as those subsites don’t post any images or certain html in their posts.  Cause if they do,  BAM, the firewall sees that as a xss attack and shuts her down.

That’s no good is it?  No.  But wait, FireHost has the solution.  All you have to do, is whenever this happens you just send them the path for the sites that the firewall does its thing on and they’ll add an exception.  Greeatt!  Except that we’re planning on using WordPress multisite to well actually make it easy for people to signup and get started on a new site right away (you know kind of like how people expect things to work? right?).  So yeah, major pain to have to send a block of paths every time the firewall acts up.

I’m not going to tell you the solution we worked out but let’s just say not ideal.

Silly?  Yeah.  I get it. But obviously someone at FireHost needs to do some thinking about how this firewall is setup and put something in place to allow for easier management of WordPress multisite while keeping the firewall working on things that it should work on, or at least be clear about the side affect of the WAP for those using WP multisite, would have saved a lot of back and forth with tech staff.  At the very least, create some sort of API or secure service for automating the firewall exceptions in cases like this where sites are being created dynamically via an application like WordPress multisite.

Anyways, again we do like what we have so far with FireHost except for this firewall experience, but I just wanted to post this up in case anyone else is thinking of using multi-site with FireHost and wondering why its not working as expected.

(I also have another reason for posting…secretly hoping some server guru out there will be able to explain how I’m either an idiot for expecting the firewall to be set up so multi-site works, or how FireHost can do things so multisite will work fine).

Update: December 2014

Just posting an update for anyone who visits this post via search engines (there are a few of you its seems.  Besides the fact that Firehost did contact us within the 30 day window that was put forward by their CEO/founder in the comments to this post, we never did get on any “beta” program.  The solution they are proposing for clients needing their own managed WAF is a $1500+/mo cost solution, which is not startup friendly.  They did offer to help get us up on ModSecurity as an alternative to their WAF solution but in the end my client and I just decided to fire Firehost (yeah pun intended) as our hosting provider and we joined the cool cats over at Digital Ocean.  We figured if we’re going to be doing most of the server setup/managing ourselves then no sense in paying a “managed” hosting provider to do it for us.  We’ve been on Digital Ocean for about 5 months now and absolutely LOVE it.

  1. Darren,

    Thank you for the thoughtful blog post and I understand your pain. Our WAF security layer only allows one level of multi-tenancy and we use that level to handle our customers individually. What you’re needing is another layer of multi-tenancy (our customer’s customers) which as you’ve experienced isn’t supported properly. We’ve had past WP hosters also experienced pain in this setup so you’re not alone.

    We are soon announcing support for an advanced WAF offering that provides customers with their own WAF delivered virtually. This offering has APIs and GUI abilities to do exactly as you described / need.

    Feel free to reach out to me directly and I can put you on the beta list to start trying it out. We can get this going for you within 30-days.

    Thank you for your trust and support in our business.

    Chris Drake
    CEO & Founder | FireHost

    1. Thanks Chris, appreciate your response to my post. You might want to send out a company memo about this offering. We repeatedly asked via the tickets if FireHost was going to be offering any form of API etc and got a “no” as a response.

      Glad to hear that it’s something in the works.

      1. Darren,

        Our team was saying exactly what they knew. We’re a month out out on our timeline to educated our employees internally on it and then we were going to move into our BETA customer stage. After reading your post, I decided to accelerate the timeline.

        Let me know if you want to BETA the offering so you can provide us pro/con feedback.


        1. Ahh okay… Well thanks again for responding here and letting me know you have this coming down the pipelines – it will be a GREAT solution. You already are aware I contacted you so looking forward to checking it out.

Leave a Reply

Up Next:

WP 3.7 drops with an interesting surprise...

WP 3.7 drops with an interesting surprise...