MainWP Dashboard – Child Synchronization Process Explained

To communicate with a child site, the MainWP Dashboard plugin will execute an HTTPS request using cURL.

A basic sync (HTTPS) request contains three required parameters:

  • Username – Username of the administrator user that is used for establishing a secure connection between the MainWP Dashboard and Child Sites
  • Function – Name of the function to execute on the Child Site
  • MainWP Signature – Signature required to authenticate the HTTPS request. If the Auth key doesn’t match, the HTTPS request won’t be executed.

Here is an example of a basic sync request:

https://childsite.com/wp-admin/admin-ajax.php?user=demouser&function=stats&mainwpsignature=dgTOIUbQyBWvCh0pNhnwmxmHoeayfg34PCBJxhszRFASTfFwRqrJaMk%2F%2FLJSQvDKlQ8A2Wf4cwowG1PaL9f%2FdG2DzBDucu9GRMi%2Bq18iauk9JgXR%2FaPd9jSvAzoxc5GSJrDmBOLLZEFe8M0VWJ2VVdRm3Bq%2BPyD4p4AtB0%2BphMRXnP99PVMXkwMJKVnf1OT7jjAYATBuSkkccsZ5bRyZDHuJw78L%2BsGhhvKxoz0IwRNqnV4e09LuPW8CKe6DtyPc9SRD9ojc69NQxZBDa2Zyr%2FvH%2BypFvFxsw0Eh0Tnoiq9giVUSDNlEtR7RLJbtGOEKr4%2BBMtmIb1M9ODy72N9%2Ftg%3D%3D

If we break it down: after authentication, the stats function (explained further below) will be executed.

The sync request is used to pass data from the Dashboard to the Child site.

For example, the sync request is used to push the Abandoned Plugins / Themes tolerance (&numberdaysOutdatePluginTheme=365) and similar settings to child sites.

If you ever wondered why some options, such as the Abandoned Plugins / Themes tolerance feature, require a sync after saving changes in your MainWP Dashboard, now you know: the sync request sets the value on child sites.

Along with default settings, MainWP provides the mainwp-sync-others-data hook which is used to include any data that needs to be passed from MainWP Dashboard to Child sites. For example:

&othersData={%22syncBackwpupData%22%3A1%2C%22syncBackUpWordPress%22%3A1%2C%22syncBackupBuddy%22%3A1%2C%22syncClientReportData%22%3A1%2C%22syncWPStaging%22%3A1%2C%22syncWPTimeCapsule%22%3A1%2C%22sync_Updraftvault_quota_text%22%3A1%2C%22wpvulndbToken%22%3A%22ylfit7SCePaOSxiaiLyfKOPLFi0YmyGKQlx47jJHEp0%22%2C%22syncBrokenLinksCheckerData%22%3A1%2C%22syncPageSpeedData%22%3A1%2C%22ithemeExtActivated%22%3A%22yes%22%2C%22syncWPRocketData%22%3A%22yes%22}

If we break down this sequence, you will notice that this request contains encrypted data for plugins such as BackWPup, BackupWordPress, BackupBuddy, Client Reports data, WP Staging, WP Time Capsule, UpdraftPlus, Broken Links Checker, Page Speed, WP Rocket, …

The sync process is also used to fetch certain information from Child Sites to your MainWP Dashboard. The sync request will execute the getSiteStats() function in the MainWP Child plugin. Remember the &function=stats part in the sync request: if you check the $callableFunctions array in /mainwp-child/class-mainwp-child.php on line 121, you will see that ‘stats’ is used to call the getSiteStats() function. This function gets the information (for example, information about available updates or potentially abandoned plugins/themes) from the child sites and passes it to your MainWP Dashboard.

Sync Request Security

When MainWP Dashboard connects to a child site for the first time, it generates a public and private key pair (2048 bits long) using the openssl_pkey_new() OpenSSL function. The public key gets saved on the child site, and the private key gets saved on the MainWP Dashboard.

When syncing with the child site, MainWP will use the openssl_sign() function to generate the request signature. openssl_sign() computes a signature for the specified data by generating a cryptographic digital signature using the private key associated with priv_key_id. When the request gets to the child site, the MainWP Child plugin will use the openssl_verify() function to authenticate the request. openssl_verify() verifies that the signature is correct for the specified data using the public key associated with pub_key_id. This must be the public key corresponding to the private key used for signing.
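
The key generation, signing and verification flow described above, as an added PHP example (not MainWP's own code). The nonce parameter, the choice of function name plus nonce as the signed data, and SHA-256 as the digest are assumptions; the page does not state what MainWP actually signs.

```php
<?php
// Added illustration: the nonce, signed data and digest are assumptions, not MainWP's code.

// Dashboard, first connection: create a 2048-bit RSA key pair.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($pair === false) {
    exit('key generation failed: ' . openssl_error_string() . PHP_EOL);
}
openssl_pkey_export($pair, $privatePem);              // kept on the Dashboard
$publicPem = openssl_pkey_get_details($pair)['key'];  // stored on the child site

// Dashboard: sign the request data and build the query string.
function build_sync_query(string $user, string $function, string $privatePem): string
{
    $nonce = bin2hex(random_bytes(16)); // assumed per-request value
    if (!openssl_sign($function . $nonce, $rawSig, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return http_build_query([
        'user'            => $user,
        'function'        => $function,
        'nonce'           => $nonce,
        'mainwpsignature' => base64_encode($rawSig), // URL-encoded by http_build_query
    ]);
}

// Child site: rebuild the signed string from the request and verify it.
function verify_sync_query(string $query, string $publicPem): bool
{
    parse_str($query, $p);
    $function = $p['function'] ?? null;
    $nonce    = $p['nonce'] ?? null;
    $sig      = $p['mainwpsignature'] ?? null;
    if (!is_string($function) || !is_string($nonce) || !is_string($sig)
        || ($rawSig = base64_decode($sig, true)) === false) {
        return false;
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error);
    // only a strict comparison with 1 may count as authenticated.
    return openssl_verify($function . $nonce, $rawSig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

$query = build_sync_query('demouser', 'stats', $privatePem);
var_dump(verify_sync_query($query, $publicPem));
var_dump(verify_sync_query(str_replace('function=stats', 'function=other', $query), $publicPem));
```

Run it with the PHP CLI with the openssl extension enabled. The first request verifies; the second, whose function name was changed after signing, does not.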

How Asymmetric Cryptography Works

For example, John wants to send some sensitive data to his partner Alice and wants to be sure that only Alice can read it. John will use Alice’s Public Key to encrypt the data. Only Alice has access to the corresponding Private Key and as a result, is the only person who can decrypt the encrypted data back into its original form. Since only Alice has access to the Private Key, even if someone else gains access to the encrypted data, it will remain confidential as they don’t have access to Alice’s Private Key so they can’t decrypt it.