Wordpress - Where to securely store API keys and passwords in WordPress?
There is no absolutely safe way to store such information permanently.
You have two options to increase security a little bit:
Use the options table and encrypt the data
Use a strong encryption method, and bind it to either:
- your password when you want to use the API call only when you are logged in, or
- a secret key stored in your
wp-config.php– then an attacker needs both, the PHP code and the database
Store the access information outside of WordPress
If you are using a system for automatic deployment, for example based on Composer and wpstarter, you have probably some kind of deployment server like Envoyer that creates a file with important configuration variables that is stored outside of the site server’s document root.
Then you can use the deployment server’s backend instead of the WordPress backend to change these data.
Both options are not completely safe. You still have to monitor the actual API usage to detect unintended activities. Make sure there is a log that cannot be compromised from someone with full access to your website.
The answer is NO. If your DB can be spied on, your code probably can be as well so even if you encrypt data it can be decrypted.
If you are going to store sensitive data there are no low level solution to help you with it and you just need to make your whole application secure to make the question of storage irrelevant.
I actually ran into a requirement to encrypt data so if the app security is breached and you get access only to the DB you can not use that data, but in real life you are more likely to be hacked at the wordpress level than the DB level.