When MainWP Dashboard connects to a child site for the first time, it generates a public and private key pair (2048 bits long) by using the openssl_pkey_new() OpenSSL function. The public key is saved on the child site, and the private key is saved on the MainWP Dashboard.
When communicating with the child site, MainWP will use the openssl_sign() function to generate the request signature.
openssl_sign() computes a signature for the specified data by generating a cryptographic digital signature using the private key associated with
When the request gets to the child site, the MainWP Child plugin will use the openssl_verify() function to authenticate the request.
openssl_verify() verifies that the signature is correct for the specified data using the public key associated with pub_key_id. This must be the public key corresponding to the private key used for signing.
To communicate with a child site, the MainWP Dashboard plugin will execute an HTTPS request using cURL.
For example, a basic sync (HTTPS) request contains three required parameters:
- Username – Administrator user username that is used for establishing a secure connection between MainWP Dashboard and Child Sites
- Function – Name of the function to execute on Child Site
- MainWP Signature – Authentication signature required for the HTTPS request authentication. If the Auth key doesn’t match, the HTTPS request won’t be executed.
Here is an example of a basic sync request:
In that sync request, the mainwpsignature is used as a form of authentication, and after that, the data is passed from the Dashboard to the Child site.
But what happens before a request is sent to the child site?
When certain functions that send requests to child sites are triggered, MainWP Dashboard escapes all parameter values before the request is ever sent, to make sure that no malicious code is injected into the request. If we take the Go to WP Admin feature, we can see that the value attributes are escaped by using the esc_attr() function.
How does this make your setup more secure?
In normal use, all values used in requests are generated by MainWP Dashboard, and there are no security issues. But if someone tricked you into clicking a link that looks like a request from your MainWP Dashboard (assuming the attacker knows your dashboard URL) and the attributes were not escaped, potentially malicious code could be passed to the child site, where it could be executed. Because MainWP Dashboard escapes attributes, potentially malicious code placed by the attacker is escaped and harmless for the child site.
So, how does the whole system work?
- First, MainWP Dashboard will prepare requests by escaping all attributes, making sure there is nothing harmful sent to child sites.
- Once this is done, an HTTP request that includes the “MainWP Signature” unique for your Dashboard and the Child site, along with other parameters, will be sent to the Child Site.
- When the request finally hits the child site, MainWP Child will detect the MainWP Signature to make sure that the request is really sent from your MainWP Dashboard to authorize the request.
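The key generation, signing and verification steps described above, as an added PHP example that is not MainWP's own code. The signed string layout, the SHA-256 digest choice, the base64 encoding of the signature, and the names sign_request(), verify_request() and the sample parameter values are assumptions made for illustration.

```php
<?php
// Added illustration, not MainWP source code. The signed string layout,
// function names and sample values below are assumptions.

// Dashboard, first connect: generate a 2048-bit key pair.
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($keyPair === false || !openssl_pkey_export($keyPair, $privateKeyPem)) {
    exit('Key generation failed: ' . openssl_error_string() . PHP_EOL);
}
// The private key stays on the Dashboard; the public key goes to the child site.
$publicKeyPem = openssl_pkey_get_details($keyPair)['key'];

// Dashboard: sign the request data with the private key.
function sign_request(string $data, string $privateKeyPem): string
{
    if (!openssl_sign($data, $signature, $privateKeyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature); // text-safe for a request parameter
}

// Child site: verify with the stored public key before running the function.
function verify_request(string $data, string $signatureB64, string $publicKeyPem): bool
{
    $signature = base64_decode($signatureB64, true);
    if ($signature === false) {
        return false; // malformed signature parameter
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
    // Compare strictly with 1 so an error is never treated as a valid signature.
    return openssl_verify($data, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample request data (hypothetical parameter values).
$data = 'user=admin&function=example_function';
$sig  = sign_request($data, $privateKeyPem);

// Unchanged request, then a request whose function name was altered after
// signing, then a signature parameter that is not valid base64.
var_dump(verify_request($data, $sig, $publicKeyPem));
var_dump(verify_request('user=admin&function=other_function', $sig, $publicKeyPem));
var_dump(verify_request($data, 'not-base64!', $publicKeyPem));
```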