Skip to content

OpenSSL Encryption

Fresh

MainWP uses OpenSSL to secure all communication between your Dashboard and child sites.

How It Works

Key Generation

During MainWP Dashboard activation, the plugin generates:

  • Private Key — stored in Dashboard database (never transmitted)
  • Public Key — distributed to each child site during connection

Key Specifications

PropertyValue
AlgorithmRSA
Key Size2048 bits (minimum)
PaddingOPENSSL_PKCS1_OAEP_PADDING
DigestSHA-256
StorageWordPress options table (base64 encoded)

Request Signing

Every request from Dashboard to child site is signed:

  1. Payload assembly — Action + parameters + timestamp + nonce
  2. Signature generation — HMAC-SHA256 with private key
  3. Transmission — Payload + signature sent via HTTP POST
  4. Verification — Child verifies signature with public key
  5. Replay protection — Nonce + timestamp window prevents replay attacks

Encryption Modes

AES-256-GCM (Default since MainWP 5.0)

PropertyValue
AlgorithmAES-256-GCM
Key derivationHKDF from shared secret
IV length12 bytes
Tag length16 bytes
AuthenticationBuilt-in (GCM provides AEAD)

Legacy AES-256-CBC

PropertyValue
AlgorithmAES-256-CBC
IV length16 bytes
PaddingPKCS7
AuthenticationSeparate HMAC-SHA256

Reconnection / Key Rotation

If encryption keys become mismatched:

  1. Go to MainWP Dashboard → Sites → site → Reconnect
  2. Dashboard generates new key pair
  3. New public key is sent to child site
  4. Child replaces stored public key
  5. All future requests use new keys

Via API

bash
# Reconnect a site (rotates keys)
curl -X POST -u "admin:xxxx" \
  -H "Content-Type: application/json" \
  -d '{"input":{"site_id": 123}}' \
  "https://your-dashboard.com/wp-json/wp-abilities/v1/abilities/mainwp/reconnect-site-v1/run"

Security Considerations

Best Practices

  • Use HTTPS on both Dashboard and child sites
  • Keep OpenSSL updated to latest stable version
  • Use PHP 8.1+ for strongest cipher support
  • Enable allow_url_fopen for outbound connections
  • Ensure child sites allow incoming POST requests from Dashboard IP

Common Issues

IssueCauseFix
"OpenSSL not found"PHP missing OpenSSL extensionInstall php-openssl
"Key mismatch"Keys out of syncReconnect the site
"Signature verification failed"Corrupted keyReconnect the site
"Cipher not available"Old OpenSSL versionUpgrade OpenSSL to 1.1+
"Connection timeout"Firewall blockingAllow Dashboard IP

Verifying OpenSSL Installation

php
// Check in PHP
echo OPENSSL_VERSION_TEXT;
echo PHP_EOL;
echo 'AES-256-GCM: ' . (in_array('aes-256-gcm', openssl_get_cipher_methods()) ? 'Yes' : 'No');
bash
# Check from CLI
php -r "echo OPENSSL_VERSION_TEXT;"
openssl version