OpenSSL Encryption
FreshMainWP uses OpenSSL to secure all communication between your Dashboard and child sites.
How It Works
Key Generation
During MainWP Dashboard activation, the plugin generates:
- Private Key — stored in Dashboard database (never transmitted)
- Public Key — distributed to each child site during connection
Key Specifications
| Property | Value |
|---|---|
| Algorithm | RSA |
| Key Size | 2048 bits (minimum) |
| Padding | OPENSSL_PKCS1_OAEP_PADDING |
| Digest | SHA-256 |
| Storage | WordPress options table (base64 encoded) |
Request Signing
Every request from Dashboard to child site is signed:
- Payload assembly — Action + parameters + timestamp + nonce
- Signature generation — HMAC-SHA256 with private key
- Transmission — Payload + signature sent via HTTP POST
- Verification — Child verifies signature with public key
- Replay protection — Nonce + timestamp window prevents replay attacks
Encryption Modes
AES-256-GCM (Default since MainWP 5.0)
| Property | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key derivation | HKDF from shared secret |
| IV length | 12 bytes |
| Tag length | 16 bytes |
| Authentication | Built-in (GCM provides AEAD) |
Legacy AES-256-CBC
| Property | Value |
|---|---|
| Algorithm | AES-256-CBC |
| IV length | 16 bytes |
| Padding | PKCS7 |
| Authentication | Separate HMAC-SHA256 |
Reconnection / Key Rotation
If encryption keys become mismatched:
- Go to MainWP Dashboard → Sites → site → Reconnect
- Dashboard generates new key pair
- New public key is sent to child site
- Child replaces stored public key
- All future requests use new keys
Via API
bash
# Reconnect a site (rotates keys)
curl -X POST -u "admin:xxxx" \
-H "Content-Type: application/json" \
-d '{"input":{"site_id": 123}}' \
"https://your-dashboard.com/wp-json/wp-abilities/v1/abilities/mainwp/reconnect-site-v1/run"Security Considerations
Best Practices
- Use HTTPS on both Dashboard and child sites
- Keep OpenSSL updated to latest stable version
- Use PHP 8.1+ for strongest cipher support
- Enable
allow_url_fopenfor outbound connections - Ensure child sites allow incoming POST requests from Dashboard IP
Common Issues
| Issue | Cause | Fix |
|---|---|---|
| "OpenSSL not found" | PHP missing OpenSSL extension | Install php-openssl |
| "Key mismatch" | Keys out of sync | Reconnect the site |
| "Signature verification failed" | Corrupted key | Reconnect the site |
| "Cipher not available" | Old OpenSSL version | Upgrade OpenSSL to 1.1+ |
| "Connection timeout" | Firewall blocking | Allow Dashboard IP |
Verifying OpenSSL Installation
php
// Check in PHP
echo OPENSSL_VERSION_TEXT;
echo PHP_EOL;
echo 'AES-256-GCM: ' . (in_array('aes-256-gcm', openssl_get_cipher_methods()) ? 'Yes' : 'No');bash
# Check from CLI
php -r "echo OPENSSL_VERSION_TEXT;"
openssl version