
MainWP Dashboard – Child Synchronization Process Explained

To communicate with a child site, the MainWP Dashboard plugin will execute an HTTPS request using cURL.

A basic sync (HTTPS) request contains three required parameters:

  • Username – Username of the Administrator user that is used for establishing a secure connection between MainWP Dashboard and Child Sites
  • Function – Name of the function to execute on Child Site
  • MainWP Signature – Authentication signature required for the HTTPS request authentication. If the Auth key doesn’t match, the HTTPS request won’t be executed.

Here is an example of a basic sync request:

https://childsite.com/wp-admin/admin-ajax.php?user=demouser&function=stats&mainwpsignature=dgTOIUbQyBWvCh0pNhnwmxmHoeayfg34PCBJxhszRFASTfFwRqrJaMk%2F%2FLJSQvDKlQ8A2Wf4cwowG1PaL9f%2FdG2DzBDucu9GRMi%2Bq18iauk9JgXR%2FaPd9jSvAzoxc5GSJrDmBOLLZEFe8M0VWJ2VVdRm3Bq%2BPyD4p4AtB0%2BphMRXnP99PVMXkwMJKVnf1OT7jjAYATBuSkkccsZ5bRyZDHuJw78L%2BsGhhvKxoz0IwRNqnV4e09LuPW8CKe6DtyPc9SRD9ojc69NQxZBDa2Zyr%2FvH%2BypFvFxsw0Eh0Tnoiq9giVUSDNlEtR7RLJbtGOEKr4%2BBMtmIb1M9ODy72N9%2Ftg%3D%3D

If we break it down, after authentication, the stats function (check the last paragraph) will be executed.

The sync request is used to pass data from the Dashboard to the Child site.

For example, the sync request is used to set the Abandoned Plugins / Themes tolerance (&numberdaysOutdatePluginTheme=365) and similar settings on child sites.

If you ever wondered why some options, such as the Abandoned Plugins / Themes tolerance feature, require a sync after saving changes in your MainWP Dashboard, now you know: the sync request sets the value on child sites.

Along with default settings, MainWP provides the mainwp-sync-others-data hook which is used to include any data that needs to be passed from MainWP Dashboard to Child sites. For example:

&othersData={%22syncBackwpupData%22%3A1%2C%22syncBackUpWordPress%22%3A1%2C%22syncBackupBuddy%22%3A1%2C%22syncClientReportData%22%3A1%2C%22syncWPStaging%22%3A1%2C%22syncWPTimeCapsule%22%3A1%2C%22sync_Updraftvault_quota_text%22%3A1%2C%22wpvulndbToken%22%3A%22ylfit7SCePaOSxiaiLyfKOPLFi0YmyGKQlx47jJHEp0%22%2C%22syncBrokenLinksCheckerData%22%3A1%2C%22syncPageSpeedData%22%3A1%2C%22ithemeExtActivated%22%3A%22yes%22%2C%22syncWPRocketData%22%3A%22yes%22}

If we break down this sequence, you will notice that this request contains encrypted data for plugins such as BackWPup, BackupWordPress, BackupBuddy, Client Reports data, WP Staging, WP Time Capsule, UpdraftPlus, Page Speed, WP Rocket, and others.

The sync process is also used to fetch certain information from Child Sites to your MainWP Dashboard. The sync request executes the get_site_stats() function in the MainWP Child plugin. Remember the &function=stats part of the sync request: if you check the $callableFunctions array in /mainwp-child/class-mainwp-child.php on line 121, you will see that ‘stats’ is used to call the get_site_stats() function. This function gets the information (for example, information about available updates or potentially abandoned plugins/themes) from the child sites and passes it to your MainWP Dashboard.

Please note that synchronizing with the child site is a somewhat CPU-intensive process, so you may see a brief spike in CPU usage on the server where the Dashboard is hosted.
If this is causing issues with the availability of other sites hosted on that server, please consider increasing the server resources.
You may also try decreasing the number of Maximum simultaneous sync requests your Dashboard makes (on the Dashboard > Settings > Advanced Settings page). This will increase the sync time but may reduce the CPU load.

Sync Request Security

When MainWP Dashboard connects to a child site for the first time, it generates a Public and Private key pair (2048 bits in length) by using the openssl_pkey_new() OpenSSL function. The Public key gets saved on the child site, and the Private key gets saved on MainWP Dashboard.

When syncing with the child site, MainWP will use the openssl_sign() function to generate the request signature. openssl_sign() computes a signature for the specified data by generating a cryptographic digital signature using the private key associated with priv_key_id. When the request gets to the child site, the MainWP Child plugin will use the openssl_verify() function to authenticate the request. openssl_verify() verifies that the signature is correct for the specified data using the public key associated with pub_key_id. This must be the public key corresponding to the private key used for signing.
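
The sign-then-verify flow described above, as an added example (not MainWP's own code): one side signs a request with the private key, and the other verifies it with the stored public key before dispatching through an allowlist modelled on the $callableFunctions array. The signed string ("function|nonce"), the nonce parameter, the helper names and the SHA-256 digest are assumptions; the page does not state which data MainWP signs.

```php
<?php
// Added illustration, not MainWP code: the signed string, helper names and
// SHA-256 digest are assumptions; the key size and OpenSSL calls follow the text.

// First connection: the Dashboard generates a 2048-bit RSA key pair.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);             // private key stays on the Dashboard
$publicPem = openssl_pkey_get_details($pair)['key']; // public key is stored on the child

// Dashboard side: sign "function|nonce" and build the query string.
function build_sync_query(string $user, string $function, string $privatePem): string
{
    $nonce = bin2hex(random_bytes(16));
    if (!openssl_sign("$function|$nonce", $rawSig, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return http_build_query([
        'user' => $user, 'function' => $function, 'nonce' => $nonce,
        'mainwpsignature' => base64_encode($rawSig),
    ]);
}

// Child side: verify the signature first, then dispatch only through an allowlist.
function handle_sync_query(string $query, string $publicPem): string
{
    $callable = ['stats' => 'get_site_stats']; // stand-in for $callableFunctions
    parse_str($query, $p);
    $fn = $p['function'] ?? '';
    $nonce = $p['nonce'] ?? '';
    $sigB64 = $p['mainwpsignature'] ?? '';
    if (!is_string($fn) || !is_string($nonce) || !is_string($sigB64)) {
        return 'rejected: malformed parameters';
    }
    $sig = base64_decode($sigB64, true);
    if ($sig === false || $sig === '') {
        return 'rejected: missing or malformed signature';
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error); accept only 1.
    if (openssl_verify("$fn|$nonce", $sig, $publicPem, OPENSSL_ALGO_SHA256) !== 1) {
        return 'rejected: bad signature';
    }
    return isset($callable[$fn]) ? "dispatch: {$callable[$fn]}()" : 'rejected: unknown function';
}

$query = build_sync_query('demouser', 'stats', $privatePem);
echo handle_sync_query($query, $publicPem), PHP_EOL;
// Changing the function name after signing invalidates the signature.
echo handle_sync_query(str_replace('function=stats', 'function=other', $query), $publicPem), PHP_EOL;
```

The strict comparison with 1 matters: openssl_verify() reports an internal error as -1, which a loose truthiness check would treat as success.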

How Asymmetric Cryptography Works
For example, John wants to send some sensitive data to his partner Alice and wants to be sure that only Alice can read it. John will use Alice’s Public Key to encrypt the data. Only Alice has access to the corresponding Private Key and as a result, is the only person who can decrypt the encrypted data back into its original form. Since only Alice has access to the Private Key, even if someone else gains access to the encrypted data, it will remain confidential as they don’t have access to Alice’s Private Key so they can’t decrypt it.