Where to securely store API keys and passwords in WordPress?

There is no absolutely safe way to store such information permanently.
You have two options to increase security a little bit:

  1. Use the options table and encrypt the data

    Use a strong encryption method, and bind it to either:

    • your password when you want to use the API call only when you are logged in, or
    • a secret key stored in your wp-config.php – then an attacker needs both, the PHP code and the database

  2. Store the access information outside of WordPress

    If you are using a system for automatic deployment, for example based on Composer and wpstarter, you have probably some kind of deployment server like Envoyer that creates a file with important configuration variables that is stored outside of the site server’s document root.
    Then you can use the deployment server’s backend instead of the WordPress backend to change these data.

Both options are not completely safe. You still have to monitor the actual API usage to detect unintended activities. Make sure there is a log that cannot be compromised from someone with full access to your website.

Related Posts:

  1. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  2. Why are passwords exportable as plain text in WordPress?
  3. How is password strength calculated?
  4. Make password invalid once logged out of password-protected page
  5. Can’t reset WordPress password
  6. Is the “lost password” feature truly a vulnerability?
  7. Frontend Password change
  8. Is it possible to reduce the minimum character length for passwords?
  9. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  10. Securing wp-config leads to sensitive information leak on wp-settings
  11. Is there any point setting the keys and salts in wp-config.php?
  12. When is wp_set_password() called or how to capture a password
  13. Moving away from MD5: Where to declare the custom global $wp_hasher?
  14. Would it be dangerous to send all the wp_options to javascript file?
  15. How to get WordPress to send Password Reset Link Email instead of New Password?
  16. Basic password protection without using users and roles
  17. How can I force a specific password?
  18. Can a WordPress administrator see other users’ passwords?
  19. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  20. Password-protect feed and make it usable in major aggregators
  21. Could a user account with a stolen password compromised entire WP site?
  22. How to set custom validation for WordPress Passwords?
  23. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  24. Is my WP site being hacked?
  25. How to get real password (before encrypt) when register a user?
  26. Directory to store secure file
  27. Can you alter the default wordpress strong password requirements?
  28. what is a auth_user_file.txt?
  29. How to view PHP on live site
  30. Is moving wp-config outside the web root really beneficial?
  31. Hide the fact a site is using WordPress?
  32. Verifying that I have fully removed a WordPress hack?
  33. Best way to eliminate xmlrpc.php?
  34. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  35. Are Nonces Useless?
  36. What is the difference between esc_html filter vs attribute_escape filter?
  37. How do I technically prove that WordPress is secure?
  38. multi page password protection
  39. WordPress it’s cleaning a custom query_var to avoid sql injections?
  40. How do WordPress Nonces Work?
  41. Tips for finding SPAM links injected into the_content
  42. How can I easily verify a core or plugin update has not broken anything?
  43. Vanilla WordPress install, what can/should I put in disable_functions?
  44. Secure my “add_settings_field” translation?
  45. Is there a security risk giving someone temporary access to my blog’s code?
  46. WordPress Logout Only If User Click Logout or If User Delete Browser History
  47. How brute-forcer knows that the password is cracked for target username?
  48. wp_insert_post disable HTML filter
  49. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  50. Completely remove the author url
  51. Restricting access to content
  52. About WordPress site security
  53. password protected post policy
  54. Relative security of different releases of WordPress
  55. Using HTACCESS for Secret Access
  56. Definitive wordpress directory ownership and permissions on linux
  57. Changing Table Prefixes – once done, am I good to go going forward?
  58. Force user to change their password on the frontend at the first login and password policy
  59. How do I protect user_activation_key?
  60. wordpress website host price and security [closed]
  61. Are there security risks in working directly in the themes folder that builds into a theme folder?
  62. How to control who can view certain pages in BuddyPress? [closed]
  63. how much information can we hide when using wordpress cms?
  64. Is it safe to use a global wp nonce per user instead of a nonce per action?
  65. System setting changed by system user
  66. Password minimum length in personal subscription [closed]
  67. Does meta-data need to be sanitized?
  68. Need help for WordPress User Session Management?
  69. Specific way to allow WordPress users to view their current password? And edit it?
  70. WordPress custom admin functions security
  71. Any known bugs that could cause disappearance of the wp_users table?
  72. How to prevent plugins from sniffing/stealing other plugins’ options?
  73. 404/500 error on content images if Referer header is from another domain [closed]
  74. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  75. Switching between security plugins is a risk?
  76. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  77. How to prevent to direct access of my custom plugin folder/files
  78. Checking for origin of a xmlrpc request
  79. RESTRICT EDIT of PHP files?
  80. wp-content – permissions for files/folders created by apache
  81. How can I restrict access to specific parts of a page, not just the page itself?
  82. Using password protection to load different page elements?
  83. User generated content and security
  84. Monitor wordpress all external calls
  85. Securing WordPress running on Azure platform
  86. Spam Registrations
  87. How can I have more confidence that WP plugins aren’t getting and storing user data?
  88. Standard Method for Securing a WordPress Site
  89. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  90. Any way to disable /wp-login.php redirecting to the site folder?
  91. Secure a WordPress website in 2019: one plugin or a combinations of them?
  92. What are the different types of firewall protections available for a WordPress website?
  93. Is this a WordPress security bug?
  94. Competitor is somehow accessing MetaData on a hidden WordPress site
  95. WordPress Hacks/Defacing [closed]
  96. How to delete Password Protected posts cookies when a user logged out from the site
  97. Move data from wp-config to another file
  98. Heartbleed: What is it and what are options to mitigate it?
  99. OpenVPN vs. IPsec – Pros and cons, what to use?
  100. How to test if my server is vulnerable to the ShellShock bug?

Leave a Comment