Using an Encryption class in a WordPress Plugin

I'm making a WordPress plugin that works with sensitive data. So I need to store/retrieve data with a trusty encryption method. I did some searches among many PHP encryption wrapper classes, and finally found Defuse\Crypto as one of the best options. The class needs minimum PHP 5.4 and also uses openssl_ and hash_hmac. What do you think? Am I going to have problems with these requirements to have the plugin installed on users' hosts? Or shared hosting companies cover them …
Category: Web

How to store API authentication password?

I am connecting a WP site to a service through the service API. The API authentication of this service is done using the service account username and password, not API keys: You send a request to the service API and give the account username and password. You receive a token, valid for a number of hours, that allows you to make API requests. The problem that I see is that the service account password will have to be stored in …
Category: Web

Decode and Decrypt Azure B2C OpenID Authorization Token, Use Response in API Call (Example Token Within)

I have been provided with a working Azure AD B2C application, and my goal is to use it to facilitate a means of access control to particular content. Using that application URL, a successful login/authentication results in a redirect (in accordance with the redirect-URI) with an id_token appended. Here's an example: https://dev.domain.org/#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkxKTnZUd1g3Wm9qZnRHUWhXUEdid0hpZExzU3VSVEYyRDh2WjA4d3lpbjgifQ.….Nwx_uH9hbo0OHoeOlq0YYgS5rLqJK_PV5WulIlfnl4z-tY6jGF_jjEZ7VLpNGD9qivy70E1mfoxOuVkFPTIidScmMJSu_Ps5sNgvxLHNPPI_n5ufDcVo2zztAfS-SCLHXlLGsMXnfjDwDzEO2GQaCM3U66VaVzVXeeMVPSW0VBbyt3TM3jhnPE8BML5YqTWg0OMYFMUivRth1Ydf6sjbSvJzWsRNOv2I6NC2iAicVZ-mQAiBF2QJJPxPMHdwmwxt-qiA81q69BiylGlUFQQ3MthiJ1BztjtIGUYLgs6kI09-YPt881UjsFbVpS0D1CAs3PiqtQ1dgp0DHLmSz7c4oA The value of the id_token is encoded and encrypted, so it will need to be decoded and then decrypted. The encoding is Base 64 and the encryption is …
Category: Web

How to validate WordPress generated password in DB using PHP?

I am working with a site that is done with WordPress, and I need to add some parts that are outside WP, and to check user login, logging users outside WP. I tried with md5 of password but it's not... I tried this code: require_once( 'wp-includes/class-phpass.php' ); $wp_hasher = new PasswordHash( 8, TRUE ); $password = "passwordhere"; $hashed_password = $wp_hasher->HashPassword( $password ); $encryptedpass = md5($hashed_password); But this is only for first time creating password, and it's always different. I need code …
Category: Web

How to handle premium features in a WordPress plugin?

I am developing a plugin in WordPress. I have a question regarding the premium features. How can we manage premium features between free and paid membership? Are those features already part of the plugin but disabled, and once payment is made we just enable them? But then what if an average WP plugin developer like me cracks those features? Is there some kind of encryption used? I am more interested in SaaS type of membership. So there has to be …
Category: Web

wp_hash_password creates a different hash every time

I've already seen this topic: wp_hash_password unexpected behaviour. And the problem is similar. I'm creating an API system where api_key and api_secret are the same as username and user_pwd. The problem is that, of course, I can't know the user password, so it will be the same encrypted password from the DB. The user will put in his password, so I need to encrypt it in the same way as WordPress and compare it to the password/key in the DB. But …
Category: Web

I want to encrypt my WordPress plugin

We have developed a custom WordPress plugin. We want to encrypt the plugin code to protect the data. The plugin contains 2 main files: the main plugin core file and a .php file. Both files contain WordPress core functions as well as plugin hook functions. I found that we can encrypt a .php file using some online tool. But it shows some error because of the WordPress core functions, i.e., the online tool couldn't encrypt the PHP file …
Category: Web

How to store username and password to API in WordPress option DB?

I'm currently developing a plugin and the chances are that I will more than likely release it on the public plugin repository so others can use it. The plugin will be using an API and to use this API you need to pass a username and password. So my plugin needs to store these login credentials in the database. I don't want to store these in plain text although the API needs them in plain text. So my question is …
Category: Web

Can I edit the wp_post > post_content right before it's inserted/updated?

I would need to apply some sort of encryption on whatever gets inserted in the wp_post > post_content, so I was wondering if there is a way, either modifying the core (rather not), or using some filter or hook and function, where I could perform the encryption right before the content gets saved. And then, once called for by the frontend or backend, to apply a decryption before the post_content actually gets used. Thanks in advance to anyone with some …
Category: Web

Parse form values before sending to options.php

I'm developing a custom plugin, which requires input of authentication data for a remote API, and this data needs to be saved. I want to encrypt it before saving to db. I've added a settings page, containing: <form method="post" action="options.php"> <!-- form fields here... --> </form> Rather than having each option saved as a different entry in {wp_table_prefix}_options table, I want them saved as an object in only one row, so the name attributes are of this type: <input name="plugin-slug[option-key]" …
Category: Web

Store and Encrypt Contact Form 7 Submissions in Database?

I have an additional security requirement (in addition to SSL) and I'm looking for a method (either a plugin or custom solution) of how to encrypt and store submissions from Contact Form 7 in the database. For example, there are plugins such as Flamingo that allow the submissions to be stored in the DB, and there are, for other form platforms, plugins such as Gravitate Encryption that encrypt the submissions in the DB. Is there an option or method to encrypt …
Category: Web

How does WordPress encrypt passwords?

Possible Duplicate: How to validate WordPress generated password in DB using PHP? I am working with a site that is done with WordPress, and I need to add some parts that are outside WP, and to check user login, but I can't find how WP is encrypting the password before it writes it in the DB... I tried with md5 but it's not... Does anyone know how to check the password outside WP, without using its plugins/checkers, in plain PHP code?
Category: Web

Detect change in site_url and home_url

Is there an easy way to check if the site URL or the home URL has been updated? I'm looking for a hook that I can preferably plug into. I have a cryptographic function that needs to run only once because it's compute expensive. This calculation can be cached as long as the value of the site URL does not change. Thanks for the help!
Category: Web

Auto login subdomain from main domain on single sites with different DB

I would like to auto login to subdomain from main domain as well as from subdomain to main domain (if possible). I was already able to do this by sending a URL with encoded params to my own PHP login file, but weak security and encryption PHP control for the URL param would put performance load on the server. I think cookies are the right way to approach this and know that they can be shared within a domain network, but the cookie setups I …
Category: Web

Not able to log for the first time on a salted WordPress by creating pwd on BD

I've inherited a WordPress project and the first thing I tried to do was create a superadmin user by inserting a new user into wp_users and the appropriate permissions into wp_usermeta. I've done that a dozen times without problems... but… All the current and working passwords start with $P$B… and are 35-char-long strings with dots and slashes in them. Which means, I guess, that maybe they are using some hashing other than md5 and maybe some salt. I've read …
Category: Web

Encrypt API key

One of my plugins is using an API key to communicate with an off-page service. However, this API is not encrypted and is therefore visible to everyone with an admin login. Can I encrypt the API key in the database? And what would be the best practice for doing this? Thanks,
Category: Web

Apply function to update_option Variable

I found some instructions on encrypting an options field for a plugin here, using: encrypt($input_string, $key){ $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $h_key = hash('sha256', $key, TRUE); return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $h_key, $input_string, MCRYPT_MODE_ECB, $iv)); And here, recommending WP's Portable PHP Password hashing framework: require_once( '/path/to/wp-includes/class-phpass.php' ); $wp_hasher = new PasswordHash( 8, TRUE ); $password = 'swordfish'; $hashed_password = $wp_hasher->HashPassword( $password ); But I'm having trouble because I want to display the decrypted password (if set) in the form field, …
Category: Web

Retrieve $_POST data to send to javascript without using localize script

I have a situation here where I need to access the $_POST data to send a sensitive string to a JavaScript without using localize script and also without letting the sensitive string be available in the console or source (HTML) of the page. I researched that AJAX can prevent the sensitive string coming from the PHP from being displayed in the source of the page (HTML), since this will pose a security issue on our side, but then …
Category: Web

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.