To communicate with a child site, the MainWP Dashboard plugin will execute an HTTPS request using cURL.
A basic sync (HTTPS) request contains three required parameters:
- Username – The administrator username used to establish a secure connection between the MainWP Dashboard and child sites
- Function – The name of the function to execute on the child site
- MainWP Signature – The signature used to authenticate the HTTPS request. If the Auth key doesn’t match, the HTTPS request won’t be executed.
Here is an example of a basic sync request:
If we break it down, after authentication, the stats function (check the last paragraph) will be executed.
The sync request is used to pass data from the Dashboard to the Child site.
For example, the sync request is used to set the Abandoned Plugins / Themes tolerance &numberdaysOutdatePluginTheme=365 and similar settings to child sites.
Along with default settings, MainWP provides the mainwp-sync-others-data hook which is used to include any data that needs to be passed from MainWP Dashboard to Child sites. For example:
If we break down this sequence, you will notice that this request contains encrypted data for plugins such as BackWPup, BackupWordPress, BackupBuddy, Client Reports data, WP Staging, WP Time Capsule, UpdraftPlus, Broken Links Checker, Page Speed, WP Rocket, …
The sync process is also used to fetch certain information from Child Sites to your MainWP Dashboard. The sync request will execute the getSiteStats() function in the MainWP Child plugin, which gets the information (for example, information about available updates or potentially abandoned plugins/themes) from the child sites and passes it to your MainWP Dashboard. Remember the &function=stats part in the sync request: if you check the $callableFunctions array in /mainwp-child/class-mainwp-child.php on line 121, you will see that ‘stats’ is used to call the getSiteStats() function.
Sync Request Security
When the MainWP Dashboard connects to a child site for the first time, it generates a public and private key pair (2048 bits long) using the openssl_pkey_new() OpenSSL function. The public key is saved on the child site, and the private key is saved on the MainWP Dashboard.
When syncing with the child site, MainWP uses the openssl_sign() function to generate the request signature. openssl_sign() computes a signature for the specified data by generating a cryptographic digital signature using the private key associated with priv_key_id. When the request reaches the child site, the MainWP Child plugin uses the openssl_verify() function to authenticate the request. openssl_verify() verifies that the signature is correct for the specified data using the public key associated with pub_key_id. This must be the public key corresponding to the private key used for signing.
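The key generation, signing and verification flow described above, as an added example that is not MainWP's own code. The helper names sign_request() and verify_request(), the signed data (function name plus a per-request nonce), the SHA-256 digest and the base64 encoding of the signature are assumptions made for this illustration.

```php
<?php
// Added illustration; not MainWP source code.
// Assumption: the signed data is the function name plus a per-request nonce.

// Dashboard, first connection: create the 2048-bit key pair.
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($keyPair === false) {
    exit('Key generation failed: ' . openssl_error_string() . PHP_EOL);
}
openssl_pkey_export($keyPair, $privateKeyPem);              // kept on the Dashboard
$publicKeyPem = openssl_pkey_get_details($keyPair)['key'];  // stored on the child site

// Dashboard: sign the request data with the private key.
function sign_request(string $function, string $nonce, string $privateKeyPem): string
{
    // SHA-256 is this example's choice of digest.
    if (!openssl_sign($function . $nonce, $signature, $privateKeyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature); // text-safe form for a request parameter
}

// Child: verify the signature with the stored public key.
function verify_request(string $function, string $nonce, string $sigB64, string $publicKeyPem): bool
{
    $signature = base64_decode($sigB64, true);
    if ($signature === false) {
        return false; // malformed signature parameter
    }
    // openssl_verify() returns 1 (valid), 0 (invalid), or -1/false on error.
    // Compare strictly with 1 so that an error is never treated as success.
    return openssl_verify($function . $nonce, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample request values.
$nonce     = bin2hex(random_bytes(16));
$signature = sign_request('stats', $nonce, $privateKeyPem);

// The untouched request, then the same signature presented with a changed function name.
var_dump(verify_request('stats', $nonce, $signature, $publicKeyPem));
var_dump(verify_request('other', $nonce, $signature, $publicKeyPem));
```

The strict comparison with 1 matters because a loose truthiness check on the return value of openssl_verify() would treat the error value -1 as a valid signature.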