Where to securely store API keys and passwords in WordPress?

Posted by Prem Tiwari | Updated on

There is no absolutely safe way to store such information permanently.
You have two options to increase security a little bit:

  1. Use the options table and encrypt the data

    Use a strong encryption method, and bind it to either:

    • your password when you want to use the API call only when you are logged in, or
    • a secret key stored in your wp-config.php – then an attacker needs both, the PHP code and the database
  2. Store the access information outside of WordPress

    If you are using a system for automatic deployment, for example based on Composer and wpstarter, you have probably some kind of deployment server like Envoyer that creates a file with important configuration variables that is stored outside of the site server’s document root.
    Then you can use the deployment server’s backend instead of the WordPress backend to change these data.

Both options are not completely safe. You still have to monitor the actual API usage to detect unintended activities. Make sure there is a log that cannot be compromised from someone with full access to your website.


If you like this question & answer and want to contribute, then write your question & answer and email to freewebmentor[@]gmail.com. Your question and answer will appear on FreeWebMentor.com and help other developers.

Related Questions & Answers