Thread: Maybe you should HIDE the API in the next update of the plug in?

Maybe you should HIDE the API in the next update of the plug in?

Sometimes the Wordpress will be hacked, switch owners or you have a freelance webmaster working on the site. Why not make ******************************** after you put in the API why show it in the Admin? I hate to change all of my sites if one of my sites would be hacked. Keep it secret keep it safe....

Thank you thesyndicate, i passed your suggestion to the devs.

We don't hide it because it's not a password. It also shows up in the URL, when you perform an automatic update of a theme.

If your site gets hacked, the atacker will already have access to your database, so they can read the key anyway.

If the freelancer can edit php files on your site, then they also effectively have access to your database.

In conclusion, hiding it in the UI only provides a false sense of security.

Wrong, and i tell you why

An encrypted password would work M5
Most of the times a wordpress is hacked they hack the theme or just wordpress never database. I had some of my Wordpress hacked few years back and they never came into database just WP admin.
I do not give out Database access to freelancers i give away FTP or Wordpress Admin they can edit the theme from there.

But really it is not my script theme i am just giving you advice.

I don't understand what you mean here.

If they can edit the theme, they can insert this code in there:

which will show the key in plain text, so they don't need to access the database directly.

Yes, I appreciate that, and I'm trying to make you understand why it's not effective advice.

To reiterate,

If they can edit your active theme's files, they can do anything: steal your API key, insert malware, change your passwords, wipe out your entire database... a-ny-thing!

Trust your freelancer, or don't give them edit access to PHP files on your site.

One thing we could do is add a "Generate new key" button on http://appthemes.com/api-key/ which you could use to invalidate the old key, in case it's compromised.

Update: Done.

Nice idea! Thanks Scribu

Good to see an AppThemes developer taking care of matters directly on the forum!

Well thats great that i made some improvements