To communicate with a child site, the MainWP Dashboard plugin will execute an HTTPS request using cURL.
Basic sync (HTTPS) request contains three basic parameters as required:
- Username – Administrator user username that is used for establishing a secure connection between MainWP Dashboard and Child Sites
- Function – Name of the function to execute on Child Site
- MainWP Signature – Authentication signature required for the HTTPS request authentication. If the Auth key doesn’t match, the HTTPS request won’t be executed.
Here is an example of a basic sync request:
https://childsite.com/wp-admin/admin-ajax.php?user=demouser&function=stats&mainwpsignature=dgTOIUbQyBWvCh0pNhnwmxmHoeayfg34PCBJxhszRFASTfFwRqrJaMk%2F%2FLJSQvDKlQ8A2Wf4cwowG1PaL9f%2FdG2DzBDucu9GRMi%2Bq18iauk9JgXR%2FaPd9jSvAzoxc5GSJrDmBOLLZEFe8M0VWJ2VVdRm3Bq%2BPyD4p4AtB0%2BphMRXnP99PVMXkwMJKVnf1OT7jjAYATBuSkkccsZ5bRyZDHuJw78L%2BsGhhvKxoz0IwRNqnV4e09LuPW8CKe6DtyPc9SRD9ojc69NQxZBDa2Zyr%2FvH%2BypFvFxsw0Eh0Tnoiq9giVUSDNlEtR7RLJbtGOEKr4%2BBMtmIb1M9ODy72N9%2Ftg%3D%3D
If we break it down, after authentication, the stats function (check the last paragraph) will be executed.
The sync request is used to pass data from the Dashboard to the Child site.
For example, the sync request is used to set the Abandoned Plugins / Themes tolerance &numberdaysOutdatePluginTheme=365 and similar settings to child sites.
Along with default settings, MainWP provides the mainwp-sync-others-data hook which is used to include any data that needs to be passed from MainWP Dashboard to Child sites. For example:
&othersData={%22syncBackwpupData%22%3A1%2C%22syncBackUpWordPress%22%3A1%2C%22syncBackupBuddy%22%3A1%2C%22syncClientReportData%22%3A1%2C%22syncWPStaging%22%3A1%2C%22syncWPTimeCapsule%22%3A1%2C%22sync_Updraftvault_quota_text%22%3A1%2C%22wpvulndbToken%22%3A%22ylfit7SCePaOSxiaiLyfKOPLFi0YmyGKQlx47jJHEp0%22%2C%22syncBrokenLinksCheckerData%22%3A1%2C%22syncPageSpeedData%22%3A1%2C%22ithemeExtActivated%22%3A%22yes%22%2C%22syncWPRocketData%22%3A%22yes%22}
If we break down this sequence
&othersData={%22syncBackwpupData%22%3A1%2C%22syncBackUpWordPress%22%3A1%2C%22syncBackupBuddy%22%3A1%2C%22syncClientReportData%22%3A1%2C%22syncWPStaging%22%3A1%2C%22syncWPTimeCapsule%22%3A1%2C%22sync_Updraftvault_quota_text%22%3A1%2C%22wpvulndbToken%22%3A%22ylfkt7SCePaOSxiaiLyfKOPLFi0YmyGKQlx47jJHEp0%22%2C%22syncBrokenLinksCheckerData%22%3A1%2C%22syncPageSpeedData%22%3A1%2C%22ithemeExtActivated%22%3A%22yes%22%2C%22syncWPRocketData%22%3A%22yes%22}
you will notice that this request contains encrypted data for plugins such as BackWPup, BackupWordPress, BacupBuddy, Client Reports data, WP Staging, WP Time Capsule, UpdraftPlus, Page Speed, WP Rocket,…
The sync process is also used to fetch certain information from Child Sites to your MainWP Dashboard. The sync request will execute the get_site_stats() function in MainWP Child plugin (remember the &function=stats part in the sync request, if you check the $callableFunctions array in the /mainwp-child/class-mainwp-child.php on line 121, you will see that ‘stats’ is used to call the get_site_stats() function) which will get the information (for example information about available updates, or potentially abandoned plugins/themes) from the child sites and pass it to your MainWP Dashboard.
If this is causing issues with the availability of other sites hosted on that server, please consider increasing the server resources.
You may also try decreasing the number of Maximum simultaneous sync requests your Dashboard makes (on Dashboard > Settings > Advanced Settings page). This will increase the sync time but may help with the CPU resources.
Sync Request Security
When MainWP Dashboard connects to a child site for the first time, it generates Public and Private key pairs (2048 bits length) by using the openssl_pkey_new() OpenSSL function. The public key gets saved on the child site, and the Private key gets saved on MainWP Dashboard.
When syncing with the child site, MainWP will use the openssl_sign() function to generate the request signature. openssl_sign() computes a signature for the specified data by generating a cryptographic digital signature using the private key associated with priv_key_id. When the request gets to the child site, the MainWP Child plugin will use the openssl_verify() function to authenticate the request. openssl_verify() verifies that the signature is correct for the specified data using the public key associated with pub_key_id. This must be the public key corresponding to the private key used for signing.
