Skip to content

MainWP Security

Fresh

Source: MainWP Security Documentation

Encryption & Communication

  • Dashboard and child sites communicate using OpenSSL encryption
  • If OpenSSL is unavailable, MainWP uses PHPSecLib as a fallback
  • v5.3+ adds AES GCM database encryption for private keys

Connection Security

  • Single-dashboard lock prevents a child site from connecting to multiple dashboards
  • Breaking a connection requires WordPress admin access to deactivate and reactivate the Child plugin
  • WordPress passwords are not stored on the MainWP Dashboard

Testing & Development

  • Penetration testing through PatchStack and HackerOne programs
  • All features undergo in-house development
  • Self-hosted software on your server - no external data transmission

Unique Security ID (Optional)

Additional verification step where IDs must match between child sites and dashboards:

  • Available since version 0.1.0
  • Optional - default connection security suffices for standard installations
  • Configure in Child Plugin Settings on each site

OpenSSL Key Encryption (v5.3+)

Dashboard v5.3 introduces database encryption for private keys using AES GCM (Galois Counter Mode).

Encryption Process

StepComponentFunction
1Key Generation32-char random key via PHPSecLib Random
2IV CreationUnique 16-char Initialization Vector
3EncryptionAES GCM produces cipher text + auth tag
4StorageBase64-encoded data (IV + cipher + tag) in DB
5Key FileEncryption key stored separately on filesystem

Architecture

Requires access to both the Key File and encrypted components. Database access alone cannot expose private keys.

Post-Upgrade Steps

  1. Look for encryption notification after upgrading to v5.3+
  2. Select Encrypt Keys Now
  3. System handles encryption automatically
  4. Future child site additions receive automatic key encryption

If notification was dismissed: MainWP Dashboard > Settings > Tools > Restore Info Messages