4886f381
Community Member

API Key Protection

So I am new and I am hiring someone to transfer my WordPress site to dropfunnel. My WordPress site has my PayPal & Stripe API keys as well as credit card information on it. How do I protect this data?
6 REPLIES
adeleke-adeniji
Community Member


Sabrina W wrote:
So I am new and I am hiring someone to transfer my WordPress site to dropfunnel. My WordPress site has my PayPal & Stripe API keys as well as credit card information on it. How do I protect this data?

Hello Sabrina, I believe you don't seem to trust the person you're working with (though you shouldn't trust anyone with your card info). My advice is to put your website in maintenance mode (you shouldn't do this for more than 48 hours because of search engine bots crawling your website, as it will return a 503 status error code) and disable the Stripe and PayPal plugins, after which you can grant the freelancer access to your website.

 

I hope this helps.

prestonhunter
Community Member

re: "How do I protect this data?"

 

One option is to NOT protect the API keys. Check with the API vendors or documentation to verify that you can generate new API keys whenever you want to.

 

Have the freelancer do the work. Then change the API keys.

fd627b83
Community Member

Agreed on the other points. I just encountered a freelancer who I believe only had intentions of bad behavior. I would make a list of all API keys you have and rotate them after working with them. It would be worthwhile to change WordPress passwords as well.

As a general principle, it is entirely possible (and a good practice) to create a development environment which only uses fake data and sandbox accounts for third-party vendors.

 

For example, your website that allows users to make payments using a credit card (such as through Stripe) and PayPal can use sandbox settings for both. That allows developers to work on the site and test it while testing as many transactions as they want without anybody actually being charged anything. But this also has the virtue of being able to provide freelancers access to work on the system without them actually having access to real financial accounts.

lysis10
Community Member

You shouldn't give your API keys out unless there is a way to deactivate them and create new ones. PayPal has a sandbox environment that the developer should be using anyway. I wouldn't use production PayPal because it might flag their anti-fraud system if you start messing around with charging. idk about Stripe but I assume they have something similar.

re: "idk about Stripe but I assume they have something similar."

 

I would imagine that all payment gateways have something similar.

 

As a developer, I have been using Stripe and PayPal pretty extensively during the past few months. I set up development environments where other developers are able to work.

 

We can let them work and test the systems as much as they want, because the configuration file points the development server only to the sandbox environment.

 

We can hire as many strangers as we want to work on this. If somebody for some reason went totally crazy and wanted to be vindictive, what could they do? The only thing they could do would be to trash their own files (which we have backup copies of) and post fake credit card charges that get recorded in a fake database. But the source code files are EXACTLY THE SAME files we use on the live production environment. We don't change the developers' work when we move it to the production environment. But the configuration file on the live server utilizes the REAL API keys.

 

So the arrangement is completely safe for the project owner.
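
The sandbox-only development setup described in the replies above can be enforced with a startup check, shown here as an added example that is not part of any poster's message. The config key names are hypothetical and the key values are constructed; the `sk_test_`/`sk_live_` prefixes and the sandbox hostnames follow Stripe's and PayPal's published conventions.

```python
# Added example: guard for a development/staging config before a contractor gets access.
from urllib.parse import urlparse

# Stripe secret, restricted and publishable keys carry a mode prefix.
STRIPE_TEST_PREFIXES = ("sk_test_", "rk_test_", "pk_test_")
STRIPE_LIVE_PREFIXES = ("sk_live_", "rk_live_", "pk_live_")
# PayPal REST sandbox hosts; production uses api-m.paypal.com / api.paypal.com.
PAYPAL_SANDBOX_HOSTS = {"api-m.sandbox.paypal.com", "api.sandbox.paypal.com"}


def sandbox_violations(config):
    """Return the reasons this config must not be used on a development server."""
    problems = []
    for name in ("STRIPE_SECRET_KEY", "STRIPE_PUBLISHABLE_KEY"):  # hypothetical names
        value = config.get(name, "")
        if value.startswith(STRIPE_LIVE_PREFIXES):
            problems.append(f"{name} is a live-mode Stripe key")
        elif not value.startswith(STRIPE_TEST_PREFIXES):
            problems.append(f"{name} is missing or not a recognisable test key")
    host = urlparse(config.get("PAYPAL_API_BASE", "")).hostname
    if host not in PAYPAL_SANDBOX_HOSTS:
        problems.append(f"PAYPAL_API_BASE host {host!r} is not a PayPal sandbox host")
    return problems


def require_sandbox(config):
    """Fail closed: refuse to start an environment that can reach real accounts."""
    problems = sandbox_violations(config)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return True


# Constructed sample configs (values are made up, not real credentials).
DEV_CONFIG = {
    "STRIPE_SECRET_KEY": "sk_test_CONSTRUCTED0000",
    "STRIPE_PUBLISHABLE_KEY": "pk_test_CONSTRUCTED0000",
    "PAYPAL_API_BASE": "https://api-m.sandbox.paypal.com",
}
LEAKED_CONFIG = dict(DEV_CONFIG, STRIPE_SECRET_KEY="sk_live_CONSTRUCTED0000",
                     PAYPAL_API_BASE="https://api-m.paypal.com")

if __name__ == "__main__":
    print("dev config problems:", sandbox_violations(DEV_CONFIG))
    for line in sandbox_violations(LEAKED_CONFIG):
        print("BLOCKED:", line)
```

Running the same check against a copy of the production config before handing over access shows which credentials would be exposed and therefore need rotating afterwards.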
