Title: Security Problem with post_meta fields Last modified: September 1, 2016 --- # Security Problem with post_meta fields * [bezborodov](https://wordpress.org/support/users/bezborodov/) * (@bezborodov) * [9 years, 10 months ago](https://wordpress.org/support/topic/security-problem-with-post_meta-fields/) * Hello. I sell some content and store URL download links in custom field. This URLs saves in database in wp_postmeta. It is ok, but some people hacked the site and have access to wp_postmeta. So, they can view that URLs, because they not encrypted like passwords. * Is there any way to encrypt custom field data before save to database and decrypt it when user buy access to view link? * Could you please help me? * [https://wordpress.org/plugins/types/](https://wordpress.org/plugins/types/) Viewing 3 replies - 1 through 3 (of 3 total) * Anonymous User 14808221 * (@anonymized-14808221) * [9 years, 10 months ago](https://wordpress.org/support/topic/security-problem-with-post_meta-fields/#post-7603642) * No, not with types. Data is stored as defined in the Plugin, and you can not change that with a Custom approach, as other functions need the format to read it after. * I suggest you make sure the Database is safe. * No one should be able to hack your Database. * Please contact your Server Admin as soon as possible and inform him / her. * Thread Starter [bezborodov](https://wordpress.org/support/users/bezborodov/) * (@bezborodov) * [9 years, 10 months ago](https://wordpress.org/support/topic/security-problem-with-post_meta-fields/#post-7603643) * Really I think it is backdoor or etc. Or MySQL injection, but hacker can read wp_postmeta files in Database. I resolved the problem with openssl_encrypt / decrypt function and save_post add_action: * require dirname( __FILE__ ) . ‘/../../../wp-admin/encrypt-decrypt.php’; * /* Шифрование ссылки при обновлении записи */ function update_my_post( $post_id){ * if (defined(‘DOING_AUTOSAVE’) && DOING_AUTOSAVE) return; * if (wp_is_post_revision($postID)) return; * if (get_post_type ($post_id) == ‘post’) { $download_url = get_post_meta($post_id,‘ wpcf-post-download-url’, true); * /* Encrypt link with AES-256 */ if (substr( $download_url, 0, 4 ) == ‘http’){ $download_url = encrypt_decrypt(‘encrypt’, $download_url); } * else { * } * /* Write link to postmeta */ update_post_meta($post_id, ‘wpcf-post-download- url’, $download_url); update_post_meta($post_id, ‘wpcf-post-key’, 1); } } add_action(‘ save_post’, ‘update_my_post’, 20, 2 ); * /* Decrypt link */ function wpv_get_link( $attr ) { /* extract(shortcode_atts( array( ‘id’ => ”, ), $atts));*/ * $id = do_shortcode(‘[wpv-post-id]’); * $download_url = get_post_meta($id, ‘wpcf-post-download-url’, true); $post_key = get_post_meta($id, ‘wpcf-post-key’, true); * /* Если ссылка зашифрована, то расшифровать её */ if (($post_key == 1) && is_user_logged_in()&&! current_user_can(‘administrator’)) { $download_url = encrypt_decrypt(‘decrypt’, $download_url); } return $download_url; } add_shortcode( ‘wpv_link’, ‘wpv_get_link’); * /*encrypt-decrypt.php */ function encrypt_decrypt($action, $string) { $output = false; * $encrypt_method = “AES-256-CBC”; $secret_key = ‘Secret Key’; $secret_iv = ‘ Secret IV’; * /* HASH */ $key = hash(‘sha256’, $secret_key); * // iv – encrypt method AES-256-CBC expects 16 bytes $iv = substr(hash(‘sha256’, $secret_iv), 0, 16); * if( $action == ‘encrypt’ ) { $output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv); $output = base64_encode($output); } else if( $action == ‘decrypt’){ $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $ iv); } * return $output; } * Anonymous User 14808221 * (@anonymized-14808221) * [9 years, 10 months ago](https://wordpress.org/support/topic/security-problem-with-post_meta-fields/#post-7603651) * If hackers can read wp_postmeta on your install it will affect ALL post meta you ever stored and will store, and it has nothing to do with Types Plugin. * It is very nice that you were able to encrypt your URL, but believe me, if your Database or whatever is hacked or accessible you WANT to immediately inform your server admins about this. On shared servers, such an attack can also affect other systems/sites * This is not a security issue in Toolset, but in your System. Please ensure that your Webiste and Database are safe. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Security Problem with post_meta fields’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/types_ced1d3.svg) * [Toolset Types - Custom Post Types, Custom Fields and Taxonomies](https://wordpress.org/plugins/types/) * [Frequently Asked Questions](https://wordpress.org/plugins/types/#faq) * [Support Threads](https://wordpress.org/support/plugin/types/) * [Active Topics](https://wordpress.org/support/plugin/types/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/types/unresolved/) * [Reviews](https://wordpress.org/support/plugin/types/reviews/) * 3 replies * 2 participants * Last reply from: Anonymous User 14808221 * Last activity: [9 years, 10 months ago](https://wordpress.org/support/topic/security-problem-with-post_meta-fields/#post-7603651) * Status: not resolved