Plugin security question

  • Hi,

    I’m new to plugin development, and one thing I need to do is store some confidential data which can be read when the plugin is installed and then used every time the plugin functionality is invoked. I can see how to create a custom database table and store entries there, but my worry is that any other plugin will have access to it. Is there a way for plugins to have their own private tables? Since we plan to open source the plugin, the source code can’t contain any hardcoded sensitive data. Others must have come across this issue, so what’s the best practice in a case like this?

    TIA,
    mc

Viewing 2 replies - 1 through 2 (of 2 total)

  • If it’s super secret, there’s encryption. That still needs a public key and private key, but a lot of different software handles that already. Do some reading on the web about how it all works.

    Moderator bcworkz

    (@bcworkz)

    The thing is, all plugins run under unrestricted authority that is granted to PHP. Anything that you try to make private will require some sort of token to access it. Any token that is accessed by your plugin could also be accessed by another plugin. You can attempt to encrypt, obfuscate, hide, misdirect, etc. the means to get to the data, but if someone were so inclined, they could work through all of that through their own plugin and gain access. In most cases no one would make the effort, but the fact remains that the data cannot be truly protected from malicious code when it comes in through another plugin.

    The most secure data is data not stored on a computer. There is no truly secure data, only degrees of difficulty to access.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Plugin security question’ is closed to new replies.