3

I want to store an API key for a service that the WordPress plugin I am developing needs to get information from an API. There are two options that I am aware of:

1) WordPress's options mechanism

2) Create a new database table

As far as I can tell, at the end of the day both are the same in that they are storing the information in a MySQL table and that data could potentially be accessed by another plugin.

Is there any way to store data so that it cannot be read by other plugins?

Is this even a concern I should be worried about?

thatidiotguy
  • 8,701
  • 13
  • 60
  • 105

1 Answers1

1

A plugin can potentially dump your entire database and send it to it's authors through email, so one way or other to store it's pretty much useless.

This boils down essentially to 2 things, store it in an external database, where just your plugin have access to that or just do a two-way encode/decode with a salted key so your plugin it's the only thing can decrypt it.

If database access from other plugins is still a concern then store the API key within your PHP file. It won't be replaceable but you can take MySQL off the list.

On a personal opinion unless you are installing the worst and least known plugins on Wordpress you probably should be quite confident about the security of your website. To be fair probably caring about an API key to be stolen is the least concerning thing when you have someone that could access all your user details and passwords and potentially FTP access to your server.

Community
  • 1
  • 1
MacK
  • 2,132
  • 21
  • 29