What you need to know about WordPress Multi Site

A WordPress MultiSite is served by one code base. Each site within the MultiSite uses the same database; the tables are numbered by site, which allows a site to be separated out if you need to remove its tables. The user tables are still shared.

User files are stored within the blogs.dir directories. These URLs are rewritten on the user end. Users cannot see the original file structure in a multi-site, and it cannot be accessed from the backend.

Only a Super Admin on a multi-site can install plugins and themes and make them available to site administrators. Site administrators do not have the privileges to edit themes or plugins.

Super Admins should take precautions when installing themes and plugins before adding them to a site. Issues that can bring down a WordPress site are related to changes to theme or plugin code, not the database.

But that’s more dealing with things like “don’t edit production code unless you know what you’re doing”. 😉

Security

The first line of defense is always securing the server running the multi-site. Make sure that the server OS is up to date. Don’t use FTP; use SFTP instead. Keep the passwords to the server secure (never log in as root; log in as a user, then su).

The biggest security change between WordPress standalone and multi-site modes is the use of filters. These strip out things like embeds, iframes, scripts, etc., which are the primary problem with compromised sites.

Another potential security issue is uploaded files. This can be controlled by a super admin, who has the ability to define the allowed file types. So, for instance, this can prevent users from uploading PHP scripts that can give them backdoor access to a server.
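One way to audit the allowed-file-types control described above, as an added example that is not part of the original post or of WordPress itself. It assumes the allow-list is a space-separated list of extensions (the format of the Multisite upload file types setting); the function names, the list of executable extensions and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Extensions a PHP-enabled web server may execute (constructed list; adjust per server).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "cgi", "pl"}

def parse_allowed(option_value):
    """Parse a space-separated extension allow-list into a normalized set."""
    return {ext.lower().lstrip(".") for ext in option_value.split() if ext}

def risky_allowed_types(option_value):
    """Return the allow-listed extensions that the server could execute."""
    return sorted(parse_allowed(option_value) & EXECUTABLE_EXTS)

def audit_uploads(root, option_value):
    """Walk an uploads tree and return (relative_path, reason) for each suspicious file."""
    allowed = parse_allowed(option_value)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parts = name.lower().split(".")[1:]  # every dot-separated part, not only the last
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if any(p in EXECUTABLE_EXTS for p in parts):
                findings.append((rel, "executable extension"))
            elif not parts or parts[-1] not in allowed:
                findings.append((rel, "type not in allowlist"))
    return sorted(findings)

def demo():
    """Constructed sample tree: two sites, two clean uploads and three suspicious ones."""
    allowed = "jpg jpeg png gif pdf"
    with tempfile.TemporaryDirectory() as root:
        for rel in ("2/files/logo.png", "2/files/avatar.php.jpg",
                    "3/files/report.pdf", "3/files/tool.phtml", "3/files/notes.exe"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_uploads(root, allowed)

if __name__ == "__main__":
    print(risky_allowed_types("jpg png php"))  # allow-list that would permit PHP uploads
    for finding in demo():
        print(finding)
```

Run `risky_allowed_types` against the configured allow-list first, then point `audit_uploads` at the uploads directory to find files that predate or slipped past the setting.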

Another difference is that the theme editor isn’t available to users, so they can’t write custom PHP code into the themes. Along with this, themes and plugins can only be installed by the super admins. Malicious code hidden in themes is another of the most common problems with compromised WordPress installs.

As a multi-site grows, the main concern going forward will be how to scale the multi-site database. There are a few plugins available for scaling the database.

http://wordpress.org/extend/plugins/shardb/

http://wordpress.org/extend/plugins/hyperdb/

If this topic interests you, please feel free to comment below.
