The problem
A not-for-profit runs a network of local chapter websites. Each chapter needs its own identity, but they all share the same hosting platform, plugin stack, security posture, and operations team. The easy starting point for an organisation in that position is a separate WordPress install per site — which works until it doesn’t. As the number of chapters grows, so does the maintenance overhead and the security exposure.
Two things needed to happen. First, the fleet of separate sites had to be brought onto a single WordPress multisite installation, consolidating everything under one structure with the organisation’s main domain running as a first-class site in the network rather than a redirect. Second, the network had to be genuinely defensible — managed actively against the constant background of credential-stuffing, brute-force, and plugin-vulnerability scanning that any public WordPress site attracts.
Our approach
We moved the sites onto a single WordPress multisite installation on our own cPanel-based hosting, consolidating themes and content as we went and mapping the organisation’s primary domain in as a first-class site rather than redirecting it away. The result is one network, one platform, one operations team — while each chapter keeps its own identity and content.
Security runs across the whole network through Wordfence, with alerts investigated and remediated as they fire. That sits on top of our standard hosting controls: login lockout and 404 lockout via WP Defender, mandatory two-factor authentication, ModSecurity with the OWASP Core Rule Set at the web server, and Cloudflare’s WAF in front of everything. AutoSSL handles certificate lifecycle; LiteSpeed Cache handles performance.
This is what we mean when we say we treat hosting as managed-service work, not a sold-and-forgotten product. Certificate renewal failures get caught and resolved before anything expires. Security alerts get investigated, not auto-dismissed. And when a genuinely awkward problem surfaced — a login flow that broke because of how WordPress scopes cookies for domain-mapped sites in a multisite network — we diagnosed it properly, fixed the configuration so logins were scoped correctly per site, and walked the customer through the options so they could make an informed call. That depth is the point: one team that actually owns the platform and understands it end to end.
The outcome
The organisation now runs as a single WordPress multisite network — one platform to upgrade, one stack to harden, one security control plane to operate — with the main domain sitting inside it as a domain-mapped site, ready for any further custom domains added later. Security operations run continuously across the network, with alerts investigated and remediated rather than queued or ignored.
This is hosting as a managed service: the unglamorous work of certificate renewals, security alerts, and careful configuration done properly, so the organisation can spend its time on the work that actually matters to it — and not on its websites.