froger-me / wp-remote-users-sync

Synchronise users across WordPress websites
GNU General Public License v3.0

WordPress Multisite Compatibility #14

Closed stevesearer closed 3 years ago

stevesearer commented 4 years ago

Hi Alexandre,

We run a WordPress Multisite network of 5 sites and have been having some issues getting it working properly.

While I know this is not advertised as being Multisite compatible and syncing user data isn't specifically necessary, the Login/Logout Sync would be VERY useful to prevent users from having to log in to each site on your network.

One specific issue I noted was that when on the WP Remote Users Sync plugins page, the plugin looks for usermeta in the table of the current site when the only usermeta is stored on the main site's table wp_mywebsite.wp_usermeta:

Table 'wp_mywebsite.wp_2_usermeta' doesn't exist

From an administrative point of view, it would be interesting if it were possible to automatically populate Remote Sites using the sites in a Multisite install with the option to add more that are not in an install.

Happy to answer questions too :)

froger-me commented 3 years ago

Hi @stevesearer !

When you mention Login/Logout Sync, I assume you mean on a Multisite Network with multiple domains, am I correct? I'd like to confirm because unless that's the case, there are easier ways to make it happen (changing the cookie domain so that it is recognized by subdomains, and add some filters maybe, but in any case treating the action as local, not as a remote call like with WPRUS).

Now, assuming you're using domain mapping: Login/out sync on a multisite network won't scale. It's the same issue I've come across with WPML and languages on separate domains (basically, many "sites" - domains - to be reached). Multisite is useful for setups needing a lot of sites - if yours needs only a few, then you should use separate sites (and WPRUS to bind them all, that's actually the goal ;) - and maybe something like MainWP to administer updates etc...). However, in the case of multisite, because a blocking remote call is made for each website to get a security token on login/out, the impact on performance would be catastrophic (and if not, it means one shouldn't have used multisite in the first place, because it's not meant to be used for only a handful of sites). And I don't even want to imagine the number of redirects done on Safari... That's why I haven't even considered supporting Multisite so far.

The above is a limitation of the Internet - authentication in WordPress and many other platforms is done via cookies, which means the browser needs to actually reach each site for authentication, and a distributed system like WPRUS can only do so much to mitigate performance degradations while remaining secure. If your network is using multiple top level domains and you need to Single Sign-On, I'd recommend you search for a plugin relying on a centralized system instead (searching for "WordPress SSO" would give you several results, none of which I actually tested personally).

Now, I can see something that would be interesting - get 1 site from a Multisite network to sync with a separate site (or a separate network, for that matter). If that is something you need, we can talk fees by email.
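The cookie-scoping point made in the comment above, as an added example that is not part of the original thread or of the plugin's code: a simplified version of the RFC 6265 domain-match rule, showing why one login cookie can cover a subdomain network but not a network of mapped top-level domains. The hostnames are constructed, and the sketch assumes plain hostnames with no public-suffix check.

```javascript
// Added example: simplified RFC 6265 (section 5.1.3) domain matching.
// Assumptions: hostnames only (no IP addresses), no public-suffix list.
// All hostnames below are constructed for illustration.

function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  // A leading dot in the Domain attribute is ignored by browsers.
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  // Match on the exact host or on a label boundary, never on a bare suffix.
  return h === d || h.endsWith("." + d);
}

// Sites that would receive a cookie set by settingHost with Domain=cookieDomain.
// A browser rejects a Domain attribute that does not match the setting host,
// so a site cannot plant an auth cookie for an unrelated domain.
function sitesReceivingCookie(settingHost, cookieDomain, sites) {
  if (!domainMatch(settingHost, cookieDomain)) return [];
  return sites.filter((site) => domainMatch(site, cookieDomain));
}

// Constructed networks: one built on subdomains, one on mapped domains.
const subdomainNetwork = ["example.test", "shop.example.test", "blog.example.test"];
const mappedNetwork = ["site-one.test", "site-two.test", "site-three.test"];

// Subdomains: a single cookie scoped to the parent domain reaches every site.
console.log(sitesReceivingCookie("example.test", ".example.test", subdomainNetwork));

// Mapped domains: the cookie stays on the domain that set it ...
console.log(sitesReceivingCookie("site-one.test", "site-one.test", mappedNetwork));

// ... and an attempt to scope it to a sibling domain is rejected outright,
// which is why the browser has to visit each domain to be authenticated there.
console.log(sitesReceivingCookie("site-one.test", "site-two.test", mappedNetwork));
```
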

stevesearer commented 3 years ago

Thanks for the detailed explanation @froger-me !

This is very helpful as I had some incorrect assumptions about how all of this works.

You are correct that we are using domain mapping and multiple domains.

We actually used separate sites up until about 6 months ago and I was lured to multisite by the idea of having a single shared set of users across all 5 sites. Other than basic user information, we are saving post ids which users bookmark on our sites to a unified set of boards saved as user meta (think Pinterest across our 5 sites).

Until now, I didn't understand the realities involved with syncing login/logout as you mentioned (blocking auth requests) and had been thinking that syncing every user save across 5 sites every time they save an item using a plugin like WPRUS would not be scalable (and might not be).

Perhaps I am overthinking the problem and just setting the cookie expiration on each of the 5 sites quite a bit longer would be fine for my needs 🤔

froger-me commented 3 years ago

Hi @stevesearer - saving the meta and syncing it doesn't need to renew the auth token each time (only every 1800 secs by default) because it's something happening on the servers, without interaction with the browser; IP validation, encryption and tokens that expire are sufficient in this situation. When involving the browser though (cookie operations), it leaves many areas open to manipulation by third parties, so the approach in terms of security must be stricter, and browser support also becomes a challenge. In the case of 5 sites, logging in with Safari would result in 8 redirects upon login, for example.

Since it doesn't seem like the network is designed to spawn new iterations, I do believe you'd be better off having separate installations. I understand you may have become somehow boxed in the current architecture, but I think this article is worth a read for your long term strategy.

froger-me commented 3 years ago

Closing the issue as the discussion is getting somehow off-topic.