• Consider changing the input field type from text to password for the following fields:

    • Gmail client ID and client secret
    • MailGun private API key
    • SendGrid API key

    This will prevent exposing sensitive API keys on sites with multiple admins.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi Greg – I’ve shared this feature request with our team. Thanks for the suggestion!

    Hi Greg (@gregmount),

    I wanted to check back in with you about your feature request here.

    We’ve made lots of changes since this was originally posted, including meeting (just about all of) this request. The only item you mentioned that isn’t concealed as password dots when entered is the Gmail Client ID, I believe because this isn’t considered a protected value in the ways the others are.

    I wanted to share something else, too, though. When you have a chance, could you please check out our option to define settings values with constants (rather than defining in the admin area)? Here’s our tutorial with all the details.

    There are a couple of benefits to this constants method:
    1) No one can see those values from within the WordPress admin
    2) These values will not be held in your WordPress database
    3) The only way to see these values will be to have access to your site files (which in most sites would require FTP or cPanel access)

    I hope these details are helpful!

    Thread Starter Greg Mount

    (@gregmount)

    Hey Jess. Thanks for the detailed response and especially for the link to the constant values article. Since the original post, we have shifted to using constants to define settings.

    For bonus points, it’s also helpful to define conditional constants for WPMS in wp-config.php based on the hosting environment. For example, we define PHP Mailer constants for our development environment, which is configured to send all mail to a specific test account. In production, we configure email to be sent using SendGrid.

    This enables us to migrate sites between development, staging and production environments without worrying about transactional email. Here’s a snippet of what we use:

    if ( ! preg_match( '/(^dev\.)|(\.dev$)/', $_SERVER['HTTP_HOST'] ) ) {
      // Production environment only (host name does not look like a dev host).
      // HTTP_HOST comes from the request; it is not set under WP-CLI or cron,
      // in which case this branch is taken.
      define( 'WPMS_MAILER', 'sendgrid' );
      define( 'WPMS_SENDGRID_API_KEY', 'API key required' ); // Enter SendGrid API key
    } else {
      // Development environment only
      define( 'WPMS_MAILER', 'mail' );
    }

    Awesome, thanks Greg! I don’t believe I’ve seen conditional usage of these constants before, but that definitely makes sense. Pretty cool way to simplify development!
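Building on the conditional-constants idea above, the following is an added wp-config.php example (not code from the thread or from WP Mail SMTP) that picks the environment from a server-side variable instead of the Host header and keeps the SendGrid key out of the file altogether. The WPMS_ON constant, the WP_ENVIRONMENT_TYPE handling and the SENDGRID_API_KEY variable name are assumptions, as is the web server passing those variables to PHP.

```php
<?php
// wp-config.php excerpt. Added example, not code from the thread or from WP Mail SMTP.
// Assumed: the WP Mail SMTP constants WPMS_ON, WPMS_MAILER and WPMS_SENDGRID_API_KEY,
// and that the host exports WP_ENVIRONMENT_TYPE and SENDGRID_API_KEY to PHP
// (for php-fpm that means env[] entries in the pool config, or clear_env = no).

// 1. Take the environment from server-side configuration, never from
//    $_SERVER['HTTP_HOST']: the Host header is supplied by the client and is
//    absent entirely under WP-CLI and cron.
$wpms_env = getenv( 'WP_ENVIRONMENT_TYPE' );
if ( ! in_array( $wpms_env, array( 'local', 'development', 'staging', 'production' ), true ) ) {
    // Unknown or unset: fail closed. A host that has not declared itself
    // production never receives the production credentials.
    $wpms_env = 'development';
}
if ( ! defined( 'WP_ENVIRONMENT_TYPE' ) ) {
    define( 'WP_ENVIRONMENT_TYPE', $wpms_env ); // WordPress 5.5+ reads this as well
}

// 2. Hand WP Mail SMTP its settings as constants, so nothing is stored in the
//    database or displayed in the admin area (the benefit described above).
define( 'WPMS_ON', true );

if ( 'production' === $wpms_env ) {
    // The key stays in the process environment, so a copy of wp-config.php
    // (backup, repository, hosting snapshot) does not expose it.
    $wpms_key = getenv( 'SENDGRID_API_KEY' );
    if ( is_string( $wpms_key ) && '' !== $wpms_key ) {
        define( 'WPMS_MAILER', 'sendgrid' );
        define( 'WPMS_SENDGRID_API_KEY', $wpms_key );
    } else {
        // Log loudly and use the default mailer rather than starting SendGrid
        // with an empty key; a missing key should be noticed, not silent.
        error_log( 'wp-config: SENDGRID_API_KEY is not set; falling back to mail()' );
        define( 'WPMS_MAILER', 'mail' );
    }
} else {
    // Development, staging and local: no third-party credentials are defined.
    define( 'WPMS_MAILER', 'mail' );
}

// Do not leave the secret in a global that later code could read.
unset( $wpms_env, $wpms_key );
```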

  • The topic ‘API Key Visible’ is closed to new replies.