Synchronise WordPress Users across Multiple Sites.
If you run multiple websites and want to keep users separated, but synchronise them automatically and securely for specific user operations, then WP Remote Users Sync is the plugin to use.
This plugin adds the following major features to WordPress:
Please read the plugin FAQ, there is a lot that may help you there!
WP Remote Users Sync is regularly updated for compatibility, and bug reports are welcome, preferably on Github. Pull Requests from developers following the WordPress Coding Standards (WordPress-Extra
ruleset) are highly appreciated and will be credited upon merge.
In case the plugin has not been updated for a while, no panic: it simply means the compatibility flag has not been changed, and it very likely remains compatible with the latest version of WordPress. This is because it was designed with long-term compatibility in mind from the ground up.
Each bug report will be addressed in a timely manner if properly documented – previously unanswered general inquiries and issues reported on the WordPress forum may take significantly longer to receive a response (if any).
Only issues occurring with included plugin features mentioned in “Synchronise all user data”, core WordPress and default WordPress themes (incl. WooCommerce Storefront) will be considered.
Troubleshooting involving 3rd-party plugins or themes will not be addressed on the WordPress support forum.
Although WP Remote Users Sync works out of the box with most combinations of WordPress plugins and themes, there are some edge cases necessitating integration, with code included in the core files of WP Remote Users Sync executing under certain conditions.
Integrations added to core are limited to popular plugins and themes: any extra code specific to a handful of installations require a separate custom plugin not shared with the community (created and maintained by a third-party developer).
A typical example necessitating custom integration includes plugins or themes relying on their own custom tables, directly updating the database with SQL queries instead of using WordPress built-in functions, destroying sessions with low-level functions instead of using the built-in WordPress method, etc.
If such need for plugin integration arises, website administrators MUST contact a third-party developer. The plugin author currently does not have the bandwidth to take on custom work for WPRUS.
This section describes how to install the plugin and get it working.
/wp-content/plugins/wprus
directory, or install the plugin through the WordPress plugins screen directly for all websites to connect togetherRemote Sites tab upon installation
Remote Sites tab with remote sites collapsed
Remote Sites tab with a remote site actions settings opened
Security tab - token, encryption, signature and IP settings
User Import/Export tab
Activity Logs tabs with example of communication activity to and from a remote site
Help tab
WP Remote Users Sync “listens” to changes related to WordPress users, and fires outgoing “actions” to registered remote sites. The registered remote sites with WP Remote Users Sync installed then catch incoming actions and react accordingly.
There is no “Master Website”: each site is working independently, firing and receiving actions depending on each site’s configuration.
Before opening a new issue on Github or contacting the author, please check the following:
https
vs. https
) and the subdomain (www vs. non-www) must be the same across the board. It is also worth checking the home
option in the wp_options
table of the WordPress databases, because in some cases the content of Settings > General > WordPress Address (URL) gets abusively overwritten by plugins or themes.Only then should you open a support thread, with as much information as possible, including logs (with critical information obfuscated if necessary).
Also please note this plugin is provided for free to the community and being maintained during the author’s free time: unless there is a prior arrangement with deadlines and financial compensation, the author will work on it at their own discretion. Insisting to contact the author multiple times via multiple channels in a short amount of time will simply result in the response being delayed further or even completely ignored.
Because these browsers prevent cross-domain third-party cookie manipulation by default, explicit redirections to log in users and destroying all the user sessions when logging out are necessary. With this method, only first-party cookies are manipulated. This is akin to logging in Youtube with a Google account.
Please note that the Login User Action takes a significantly longer time to process when using explicit redirections, particularly if many remote sites are connected.
Login and Logout User Actions need to output some code in the browser to have an effect on the remote website because of the cookies used for authentication.
What this means in practice is that if your theme or a third-party plugin allows users to login/logout without page reload, WP Remote Users Sync cannot output its code on the page, and without extra change to your website code base, the synchronisation can only happen after the page where the user logged in or logged out is actually reloaded.
Please also note that unless “Force Login Redirects & Logout Everywhere” is active, or if “Force Disable Login Redirects & Logout Everywhere” options is active in the “Browser Support” section of the “Miscellaneous” tab, Login and Logout User Actions will not work in browsers preventing cross-domain third-party cookie manipulation when the connected websites are on different domains.
Existing users remain untouched, until an enabled incoming action is received from a remote site.
Users existing on one site and not the other will not be synchronised unless the user is actually updated AND both Create and Update actions are enabled on the site where the user does not exist.
For existing user databases in need of immediate synchronisation, WP Remote Users Sync provides its own user import/export tool.
Multiple layers of security are in place to protect the privacy, integrity and authenticity of communications between connected sites:
Despite these strong security measures, administrators use this plugin at their own risk ; the author will not be held liable for any damages resulting from the use of WP Remote Users Sync.
WP Remote Users Sync needs to communicate with the remote sites to actually synchronise users. This means the impact on performances depends on the response time between the connected websites.
Performance degradations are mitigated by the fact that Action Tokens (blocking request) are saved for a period of time, and by the fact that actions are fired ONLY when an operation has been performed on users (not on every page load).
Asynchronous actions (Login & Logout by default) are the most costly: the operations themselves are not blocking, but their Action Tokens have to be renewed beforehand each time: true nonces, single-use tokens, are necessary for security reasons when firing actions from the browser.
Asynchronous actions are also potentially more susceptible to failure in case of network issues, such as if the page load is interrupted or the enqueued script call failed in the browser ; this is a necessary trade-off as these actions require authentication cookie manipulations.
Overall, performances should be marginally impacted.
The main takeaway is this:
Roles can be synchronised when the Create and Update actions are fired, with the Role action enabled, and matching transferred and accepted role settings.
Extra user information can be synchronised too out of the box as long as they are stored in the user metadata.
For example, it means all the address and profile information in WooCommerce can be synchronised, but not the orders status or subscription status.
Passwords are automatically synchronised as long as the Password action is enabled (outgoing and incoming respectively).
Communications are encrypted, signed, token-validated and IP-validated to make the process as secure as possible.
Passwords are NEVER communicated or stored in plain text.
WP Remote User Sync integrates with any plugin updating passwords provided they do so respecting WordPress standards.
If the incoming Create action is enabled along with the incoming Update action, the user will be synchronised on the remote website upon user update.
If other actions for this user are fired before that (Login, Logout, Delete, Password, Metadata), nothing will happen, and an action failure log entry will be recorded if the “Enable Logs” box is checked.
Yes – as long as the websites can reach each other, WP Remote User Sync will work.
This means that two websites in localhost (behind virtual hosts, for example) can communicate. However, if one of the websites is on localhost and the other is not, token exchange cannot happen and the websites will not be able to communicate.
WP Remote Users Sync provides its own user import/export tool.
With it, administrators can:
Once downloaded, the files are automatically deleted. In case some files were not downloaded and remained on the server, the containing directory is also cleaned daily.
Exported files are not directly accessible by URL: only administrators can access them.
User passwords cannot be and are NOT exported.
More help can be found on the WordPress support forum for general inquiries and on Github for advanced troubleshooting.
Help is provided for previously unanswered general enquiries and bug fixes only: feature requests, extra integration or conflict resolution with third-party themes or plugins, and specific setup troubleshooting requests will not be addressed (Website administrators must contact a third-party developer).
wprus_template_*
hooks ; added wprus_get_admin_template_name
, wprus_get_admin_template_args
, wprus_get_template_name
, wprus_get_template_args
, wprus_locate_template
, wprus_locate_template_paths
and wprus_locate_admin_template
instead.‘); document.close();
issue on Safari browser – use of backticks, better error handling in browser consolewp_safe_remote_post
instead of wp_remote_post
readme.txt
HTTP_USER_AGENT
is set before testing it'wp-includes/pluggable.php'
load orderwprus_fire_action_timeout
filter hookremote_async_action
with async_action
, affecting method names ; action and filter hooks not affected, classes inheriting Wprus_Api_Abstract
need refactor.fire_async_actions
method of Wprus_Api_Abstract
(formerly fire_remote_async_actions
)wprus_action_data
filter hookwait.css
, wait.min.css
, wait.js
, wait.min.js
, wprus-wait.php
wprus-async-processing.php
and wprus-async-processing-script.php
Wprus_Api_Abstract
$key
parameter to wprus_option
filtermain-setting-page.php
to main-settings-page.php
init
action hooks to PHP_INT_MIN - 10
to maximize compatibility with third-party pluginswprus_integration
filter ; add wprus_integration
action instead.wprus_init
action.readme.txt
wprus_before_init_notification_hooks
and wprus_after_init_notification_hooks
action hooksWprus_Crypto
class inclusion (no direct access)wprus_integration
filterJSON_UNESCAPED_UNICODE
flag to support a wider range of characters (Chinese, Greek, etc)Wprus_Api_Abstract
class for developers of custom User Actionswprus_is_authorized_remote
filterplugins/wp-remote-users-sync/languages
wp_redirect()
or wp_safe_redirect()
without calling exit
afterwards do not interfere with asynchronous actions ; exit
should be called after these 2 functions unless there is a documented good reason not to, but some plugins (like Gravity Forms User Registration Add-On) or themes may not follow the WordPress best practices.get_option( 'home' )
instead of home_url
to get the homepage URL to avoid conflicts with plugins (in particular translation plugins) and themes filtering the value.