MainWP Security
FreshSource: MainWP Security Documentation
Encryption & Communication
- Dashboard and child sites communicate using OpenSSL encryption
- If OpenSSL is unavailable, MainWP uses PHPSecLib as a fallback
- v5.3+ adds AES GCM database encryption for private keys
Connection Security
- Single-dashboard lock prevents a child site from connecting to multiple dashboards
- Breaking a connection requires WordPress admin access to deactivate and reactivate the Child plugin
- WordPress passwords are not stored on the MainWP Dashboard
Testing & Development
- Penetration testing through PatchStack and HackerOne programs
- All features undergo in-house development
- Self-hosted software on your server - no external data transmission
Unique Security ID (Optional)
Additional verification step where IDs must match between child sites and dashboards:
- Available since version 0.1.0
- Optional - default connection security suffices for standard installations
- Configure in Child Plugin Settings on each site
OpenSSL Key Encryption (v5.3+)
Dashboard v5.3 introduces database encryption for private keys using AES GCM (Galois Counter Mode).
Encryption Process
| Step | Component | Function |
|---|---|---|
| 1 | Key Generation | 32-char random key via PHPSecLib Random |
| 2 | IV Creation | Unique 16-char Initialization Vector |
| 3 | Encryption | AES GCM produces cipher text + auth tag |
| 4 | Storage | Base64-encoded data (IV + cipher + tag) in DB |
| 5 | Key File | Encryption key stored separately on filesystem |
Architecture
Requires access to both the Key File and encrypted components. Database access alone cannot expose private keys.
Post-Upgrade Steps
- Look for encryption notification after upgrading to v5.3+
- Select Encrypt Keys Now
- System handles encryption automatically
- Future child site additions receive automatic key encryption
If notification was dismissed: MainWP Dashboard > Settings > Tools > Restore Info Messages