Where to securely store API keys and passwords in WordPress?

I’m looking to use a few APIs and many come with keys, secret keys and passwords required to work. Where in WordPress can you store that information? Assuming anyone can hack your DB, is there any way for WordPress to make saving that information more secure? Also, consider the ability to change these keys every so often, so I would need to update the keys on an options page.

UPDATE

  • Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause
  • Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal

2

There is no absolutely safe way to store such information permanently.
You have two options to increase security a little bit:

  1. Use the options table and encrypt the data

    Use a strong encryption method, and bind it to either:

    • your password when you want to use the API call only when you are logged in, or
    • a secret key stored in your wp-config.php – then an attacker needs both the PHP code and the database
  2. Store the access information outside of WordPress

    If you are using a system for automatic deployment, for example based on Composer and wpstarter, you probably have some kind of deployment server like Envoyer that creates a file with important configuration variables that is stored outside of the site server’s document root.
    Then you can use the deployment server’s backend instead of the WordPress backend to change this data.

Both options are not completely safe. You still have to monitor the actual API usage to detect unintended activities. Make sure there is a log that cannot be compromised by someone with full access to your website.
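A worked version of option 1 (encrypted value in the options table, key in wp-config.php), added here as an example rather than code from the answer above. It assumes a constant `MY_API_KEY_ENCRYPTION_KEY` defined in wp-config.php as 64 hex characters and uses PHP's bundled libsodium (`sodium_crypto_secretbox`), so a stolen database dump alone does not reveal the API key and a tampered row fails to decrypt.

```php
<?php
// Added example; assumes wp-config.php contains a constant generated once with:
//   php -r "echo bin2hex(random_bytes(32));"
//   define( 'MY_API_KEY_ENCRYPTION_KEY', '<64 hex chars>' );
// Function names prefixed my_api_ are hypothetical, not WordPress APIs.

function my_api_secret_key(): string {
    if ( ! defined( 'MY_API_KEY_ENCRYPTION_KEY' ) ) {
        wp_die( 'MY_API_KEY_ENCRYPTION_KEY is not defined in wp-config.php' );
    }
    $key = hex2bin( MY_API_KEY_ENCRYPTION_KEY );
    if ( $key === false || strlen( $key ) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
        wp_die( 'MY_API_KEY_ENCRYPTION_KEY must be 64 hex characters (32 bytes)' );
    }
    return $key;
}

// Encrypt the secret and save it; a fresh random nonce is stored with the ciphertext.
function my_api_store_secret( string $option_name, string $secret ): bool {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( $secret, $nonce, my_api_secret_key() );
    // autoload = false: the row is only read when the API key is actually needed.
    return update_option( $option_name, base64_encode( $nonce . $box ), false );
}

// Load and decrypt; returns null when the option is missing, malformed,
// or was modified in the database (secretbox authentication fails).
function my_api_load_secret( string $option_name ): ?string {
    $raw = base64_decode( (string) get_option( $option_name, '' ), true );
    if ( $raw === false || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( $box, $nonce, my_api_secret_key() );
    return $plain === false ? null : $plain;
}

// Usage from an options-page save handler, after the usual nonce and
// capability checks (check_admin_referer / current_user_can):
//   my_api_store_secret( 'my_api_key', sanitize_text_field( wp_unslash( $_POST['my_api_key'] ) ) );
// and when calling the API:
//   $api_key = my_api_load_secret( 'my_api_key' );
```

Rotating the key is a matter of saving a new value through the same handler; the old ciphertext is overwritten and the new nonce keeps the two outputs unrelated.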
