— this article was updated on 4 April 2014 after a fix was identified–

I have spent the whole day trying to understand WordPress users in a multisite environment. I’m not sure if it is very buggy, or I am thick or a bit of both.

A multisite instance, henceforth called the “network” has its own domain of users. Every member of a blog on the network is automatically a member of the network.

  • Users register with the network not an individual blog
  • A single email address can only be associated with one network username

It is impossible to operate the network without the users knowing that you are operating a network. For example, this blog is presently hosted by WordPress.com. A user cannot register directly with this blog; they must be invited to register with WordPress.com whereupon the Network Administrator (Mr WordPress) or the Site Administrator (me) can give them permissions on this blog.

The network admin can create users in the network administration dashboard but by default users must be added to each blog by hand. However by installing the Multisite User Management plug-in it is possible to add a user to the network and for them to receive default a default role on each blog.

Gotcha for plugin authors and others

In a non-multisite install if a user is authenticated then they will have the role “Subscriber” or greater on the blog. This is not true on a multisite install. They may be authenticated to the network but have the role “none” on the blog that they are trying to access. Authors of security related plugins and themes need to be aware of this.

Bugs in WordPress 3.8.1 BuddyPress 1.9.2

In my scenario I do not allow self-registration but users must be created by either the site administrator or the network administrator.  (Network settings option ” allow site administrators to add users via their own site users at new page” is enabled).

  • Users created by site administrators using the option ” do not send confirmation email” skip the activation step but their welcome email does not include their password, rather the characters [user set]. This makes registration by site administrators pointless.