In my plugins, I always use the options table for this. So simply use https://developer.ww.wp.xz.cn/reference/functions/update_option/ to save it. If you want to secure the value in some way, you can also encrypt it in a format that can be used for your plugin.
The solution depends on who you are securing the access key from. If from a site’s visitors, the options table is fine. If you need to secure from the site’s admin, saving it anywhere on their server is impractical unless it’s encrypted. If it’s encrypted, where would the decryption key come from? Saving the decryption key on their server isn’t very secure. Your plugin would need to fetch the decryption key from elsewhere, such as a server you control. If you go through that effort, why not just fetch the access key itself?
Even then, a site admin could sniff network traffic and discover the key at some point where it is in plain text form. If you cannot trust the site admin, then you probably should not be using your own key and should require them to get their own.
Having your plugin fetch data from your own server has privacy implications that need to be considered whether you are actually collecting user data or not.
Are you sure security is even warranted? For example, the API key for the Google Geocoding service can be associated with a specific server IP and is useless from anywhere else, thus public knowledge of the key does not present any risk. Maybe not a practical solution for your plugin, it’s just an example of an alternative way of securing a key from unauthorized use.
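An added example (not code from any reply in this thread) of what the replies above discuss: the access key encrypted in the options table, with the decryption key kept in `wp-config.php`. The `myplugin_*` names and the `MYPLUGIN_KEY` constant are assumptions; as the second reply points out, this only covers exposure of the database alone, not an admin who can read the server's files.

```php
<?php
// Added example: every name prefixed myplugin_/MYPLUGIN_ is hypothetical.
// Outside WordPress, in-memory stand-ins make the file runnable on the CLI.
if (!function_exists('update_option')) {
    $GLOBALS['demo_options'] = [];
    function update_option($name, $value, $autoload = null) {
        $GLOBALS['demo_options'][$name] = $value;
        return true;
    }
    function get_option($name, $default = false) {
        return $GLOBALS['demo_options'][$name] ?? $default;
    }
}
// Assumption: wp-config.php defines MYPLUGIN_KEY as base64 of 32 random bytes.
// The fallback is a constructed demo key so the example runs; do not ship it.
if (!defined('MYPLUGIN_KEY')) {
    define('MYPLUGIN_KEY', base64_encode(str_repeat("\x01", SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));
}

function myplugin_key(): string {
    $key = base64_decode(MYPLUGIN_KEY, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MYPLUGIN_KEY must be 32 bytes, base64-encoded');
    }
    return $key;
}

function myplugin_save_api_key(string $apiKey): bool {
    // Fresh random nonce per save; stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($apiKey, $nonce, myplugin_key());
    // autoload = false: the secret is not loaded on every page request.
    return update_option('myplugin_api_key', base64_encode($nonce . $box), false);
}

function myplugin_load_api_key(): ?string {
    $raw = base64_decode((string) get_option('myplugin_api_key', ''), true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // option missing or truncated
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, myplugin_key());
    return $plain === false ? null : $plain; // false: wrong key or modified value
}

if (PHP_SAPI === 'cli') { // demo round trip with a constructed sample value
    myplugin_save_api_key('example-access-key');
    var_dump(myplugin_load_api_key() === 'example-access-key');
}
```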
Many, many thanks to both of you for your answers. I will go with the options table, especially as no-one will have admin rights on the target systems but me.
- This reply was modified 2 years, 7 months ago by Mr.Meerkat.
But I have become curious about the case that the admin is not to be trusted. If anyone knows of a detailed tutorial for this case, please let me know.