[wp-trac] [WordPress Trac] #64789: Security audit for API key storage on the Connectors screen
WordPress Trac
noreply at wordpress.org
Sat Mar 7 18:03:13 UTC 2026
#64789: Security audit for API key storage on the Connectors screen
--------------------------+---------------------
Reporter: gziolo | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 7.0
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+---------------------
Comment (by ericmann):
This came up the other day in a discussion about the Two Factor plugin and
how we'd store a key for encrypting TOTP tokens in the database. It got me
thinking, and I started working on a potential option to add a
`get_secret()` function (and related utility) to WP.
I spun this up as a plugin (https://github.com/ericmann/secrets-manager/)
and submitted it to the .org repo for review. It's still a first pass and
needs some more attention, but provides similar utility to Kubernetes'
secrets system, just in WordPress. Secrets are automatically encrypted
either with a fixed key set in wp-config.php or using the Site Kit
approach of concatenating existing salts from the config. It also has
utility for rotation and WP CLI integration to make it more usable.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64789#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list