Aside

A few months ago Tim gave a talk at WordCamp Manchester regarding the state of the plugin eco-system, the talk to WordPress professionals and lovers was a jovial romp through the often scary world of picking a plugin and hoping that this time, this plugin will just well work!

Following on from the Must Use plugins Tim takes a look at Hard Coding WordPress options and presents a small Must Use Generic Plugin for hard coding WordPress options.

Writing a post on WordPress security or performance, then why not let me take a look at it for you for free before you publish?

Many plugins call on 3rd party services when they do those services often provide some form of credentials and 9 times out of 10 those credentials get stored in wp-options table. Except I don’t want my security credentials in my database. Where you store you secrets can be deeply personal thing.

A common way to call credentials in plugin is something along the lines of

$api_key = get_option( 'mysecretkey' );
define( 'SECRETKEY', $api_key );

if you are going to do that, then try this instead

if ( ! defined( 'SECRETKEY' ) ) {
$api_key = get_option( 'mysecretkey' );
define( 'SECRETKEY', $api_key );
}

By checking if it’s already defined before pulling it from DB it allows me to add the API key in the wp-config.php and avoid putting it in my DB.

If you develop plugins that make use of third party services and storing API keys, then give your users the flexibility to store the keys where they want.