Where to securely store API keys and passwords in WordPress?

I’m looking to use a few APIs and many come with keys, secret keys and passwords required to work. Where in WordPress can you store that information? Assuming anyone can hack your DB, is there any way for WordPress to make saving that information more secure? Also, consider the ability to change these keys every so often, so I would need to update the keys on an options page.

UPDATE

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

There is no absolutely safe way to store such information permanently.
You have two options to increase security a little bit:

  1. Use the options table and encrypt the data

    Use a strong encryption method, and bind it to either:

    • your password when you want to use the API call only when you are logged in, or
    • a secret key stored in your wp-config.php – then an attacker needs both the PHP code and the database
  2. Store the access information outside of WordPress

    If you are using a system for automatic deployment, for example based on Composer and wpstarter, you probably have some kind of deployment server like Envoyer that creates a file with important configuration variables that is stored outside of the site server’s document root.
    Then you can use the deployment server’s backend instead of the WordPress backend to change these data.

Both options are not completely safe. You still have to monitor the actual API usage to detect unintended activities. Make sure there is a log that cannot be compromised by someone with full access to your website.
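The first option above (encrypt the value, bind it to a secret kept in wp-config.php, store only the ciphertext in the options table) written out as an added PHP example; this is not code from the original answer. It assumes a constant MYPLUGIN_API_KEY_SECRET defined in wp-config.php and an option name myplugin_payment_api_key, both hypothetical names; the get_option()/update_option() fallbacks exist only so the file runs outside WordPress, and the sodium extension (PHP 7.2+) is required.

```php
<?php
// Assumed to live in wp-config.php (outside the database), e.g.:
//   define( 'MYPLUGIN_API_KEY_SECRET', '<base64 of sodium_crypto_secretbox_keygen()>' );
if ( ! defined( 'MYPLUGIN_API_KEY_SECRET' ) ) {
    // Constructed placeholder so the file runs stand-alone; never generate the real secret at runtime.
    define( 'MYPLUGIN_API_KEY_SECRET', base64_encode( sodium_crypto_secretbox_keygen() ) );
}

// Minimal stand-ins for the WordPress options API when run outside WordPress.
if ( ! function_exists( 'get_option' ) ) {
    $GLOBALS['myplugin_fake_options'] = [];
    function get_option( $name, $default = false ) {
        return $GLOBALS['myplugin_fake_options'][ $name ] ?? $default;
    }
    function update_option( $name, $value, $autoload = null ) {
        $GLOBALS['myplugin_fake_options'][ $name ] = $value;
        return true;
    }
}

// Decode and validate the wp-config.php secret (32 random bytes, base64-encoded).
function myplugin_secret_key(): string {
    $key = base64_decode( MYPLUGIN_API_KEY_SECRET, true );
    if ( false === $key || SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== strlen( $key ) ) {
        throw new RuntimeException( 'MYPLUGIN_API_KEY_SECRET must be base64 of 32 random bytes' );
    }
    return $key;
}

// Encrypt (and authenticate) the plaintext key, then store nonce||ciphertext as base64.
// Writing a new value is also how rotation from an options page works: the old ciphertext is overwritten.
function myplugin_store_api_key( string $option, string $plaintext ): bool {
    $nonce  = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh nonce per write, not secret
    $cipher = sodium_crypto_secretbox( $plaintext, $nonce, myplugin_secret_key() );
    sodium_memzero( $plaintext ); // drop the local plaintext copy
    // autoload=false keeps the ciphertext out of the options loaded on every request.
    return update_option( $option, base64_encode( $nonce . $cipher ), false );
}

// Returns the plaintext key, or null if unset, malformed, tampered with, or encrypted under another secret.
function myplugin_read_api_key( string $option ): ?string {
    $stored = get_option( $option, '' );
    if ( '' === $stored ) {
        return null;
    }
    $raw = base64_decode( $stored, true );
    if ( false === $raw || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce  = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $cipher = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain  = sodium_crypto_secretbox_open( $cipher, $nonce, myplugin_secret_key() );
    return false === $plain ? null : $plain; // false means the authentication tag did not verify
}

// Constructed sample value; round-trips through the (fake or real) options table.
myplugin_store_api_key( 'myplugin_payment_api_key', 'sk_constructed_example_value' );
var_dump( myplugin_read_api_key( 'myplugin_payment_api_key' ) );
```

A dump of the options table alone yields only the base64 ciphertext, which is the threat model the answer describes; because secretbox is authenticated encryption, a value edited in the database fails to decrypt rather than silently yielding a wrong key. The decryption secret still sits on the same server in wp-config.php, so, as the answer notes, an attacker with both the PHP files and the database is not stopped by this, and monitoring the API usage itself remains necessary.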

Method 2

The answer is NO. If your DB can be spied on, your code probably can be as well so even if you encrypt data it can be decrypted.

If you are going to store sensitive data there is no low-level solution to help you with it, and you just need to make your whole application secure to make the question of storage irrelevant.

I actually ran into a requirement to encrypt data so that if the app security is breached and you get access only to the DB you cannot use that data, but in real life you are more likely to be hacked at the WordPress level than the DB level.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
