Security & Credential Storage
Protecting your Cloudflare API tokens is our priority. We offer multiple tiers of security depending on your environment and license.
Standard Database Storage
By default on the Free tier, WPFlareMail relies on WordPress's native database protections to store your API tokens. If someone gains access to your SQL export or phpMyAdmin, they could read your tokens.
Pro: OpenSSL Database Encryption
WPFlareMail Pro adds a layer of encryption. Before your Cloudflare API token is saved to the database, we encrypt it with two-way (reversible) AES-256 encryption via OpenSSL. The key is derived from the WordPress authentication salts in your wp-config.php file.
Even if someone steals your MySQL database, they cannot use the Cloudflare API tokens unless they also steal your raw server files.
Maximum Security: `wp-config.php` Constants
For developers, the safest method is to never store the credentials in the database.
You can define your API tokens directly in your wp-config.php file. If WPFlareMail detects these constants, it masks the input fields in the settings page, skips database writes, and only loads the keys into memory when sending an email.
To enable this, add the following lines to your wp-config.php file, ideally directly above the "That's all, stop editing!" line:
```php
// WPFlareMail Security Overrides
define( 'WPFLAREMAIL_CF_ACCOUNT_ID', 'your_account_id_here' );
define( 'WPFLAREMAIL_CF_API_TOKEN', 'your_api_token_here' );
define( 'WPFLAREMAIL_LICENSE_KEY', 'your_pro_license_here' ); // Optional for Pro
```
Why is this safer?
Database injection (SQLi) is a common vector for CMS attacks. Hardcoding credentials in PHP files keeps them out of the database, so an SQL injection flaw that exposes database contents cannot extract your Cloudflare keys.
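The two storage modes described above, sketched as an added example that is not WPFlareMail's own code. The function names, the choice of AES-256-GCM, the SHA-256 key derivation and the sample salt values are assumptions; the page states only that Pro uses AES-256 via OpenSSL keyed from the WordPress salts, and that a wp-config.php constant replaces the database value.

```php
<?php
// Added example; function names are hypothetical, not WPFlareMail's API.
// Assumptions: AES-256-GCM, key = SHA-256 over two WordPress salts.

// Constructed stand-ins for salts that normally live in wp-config.php.
define( 'AUTH_KEY', 'constructed-auth-key-for-demo-only' );
define( 'SECURE_AUTH_SALT', 'constructed-auth-salt-for-demo-only' );

function example_key( string $salts ): string {
    return hash( 'sha256', $salts, true ); // 32 raw bytes for AES-256
}

function example_encrypt( string $token, string $key ): string {
    $iv  = random_bytes( 12 ); // fresh nonce for every stored value
    $tag = '';
    $ct  = openssl_encrypt( $token, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag );
    if ( false === $ct ) {
        throw new RuntimeException( 'encryption failed' );
    }
    return base64_encode( $iv . $tag . $ct ); // what lands in the database
}

function example_decrypt( string $stored, string $key ): ?string {
    $raw = base64_decode( $stored, true );
    if ( false === $raw || strlen( $raw ) < 28 ) {
        return null; // malformed or truncated (12-byte IV + 16-byte tag)
    }
    $pt = openssl_decrypt( substr( $raw, 28 ), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr( $raw, 0, 12 ), substr( $raw, 12, 16 ) );
    return false === $pt ? null : $pt; // null on wrong key or tampering
}

// A wp-config.php constant wins; the database value is the fallback.
function example_resolve_token( ?string $db_value, string $key ): ?string {
    if ( defined( 'WPFLAREMAIL_CF_API_TOKEN' ) ) {
        return WPFLAREMAIL_CF_API_TOKEN;
    }
    return null === $db_value ? null : example_decrypt( $db_value, $key );
}

$key    = example_key( AUTH_KEY . SECURE_AUTH_SALT );
$stored = example_encrypt( 'constructed-token-value', $key );

// With the site's own salts, the stored value decrypts back to the token.
var_dump( example_resolve_token( $stored, $key ) );
// Database dump without wp-config.php: a different key fails the GCM tag check.
var_dump( example_decrypt( $stored, example_key( 'constructed-wrong-salts' ) ) );
```

Rotating the salts in wp-config.php changes the derived key, so a value encrypted under the old salts no longer decrypts and the token has to be entered again.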
Nice-to-Have: General WordPress Security Tips
Beyond securing your email tokens, maintaining a strong perimeter is vital for WordPress. We strongly recommend:
- Enforce 2FA: Require Two-Factor Authentication for all Administrator and Editor roles.
- Disable File Editing: Add `define( 'DISALLOW_FILE_EDIT', true );` to your `wp-config.php` to prevent attackers from editing plugins directly from the dashboard if they gain access.
- Hide the Login URL: Use a plugin to change `wp-login.php` to a custom URL to drastically reduce brute-force bot attacks.
- Keep Themes & Plugins Updated: Over 90% of WordPress vulnerabilities stem from outdated third-party code. Turn on auto-updates for trusted plugins like WPFlareMail.