Open
Feature Request: Add Credential Protection Layer
Current Behavior
The plugin stores configuration settings, including authentication credentials, in the WordPress options table using the standard WordPress options API.
Proposed Enhancement
Implement an additional protection layer for sensitive configuration fields (such as authentication tokens and passwords) to align with security best practices for WordPress plugins handling external service credentials.
Suggested Implementation
- Add Protection Utilities: Implement encoding/decoding utility methods within the settings management class to add an extra protection layer for sensitive fields.
- Apply on Save: Modify the settings sanitization to apply protection to sensitive fields when configuration is updated.
- Restore on Use: Ensure protected values are properly restored before being passed to external services.
- Maintain UI Behavior: Password fields should continue to display masked input and only update when users explicitly provide new values.
Benefits
- Follows WordPress plugin security best practices
- Adds defense-in-depth for credential storage
- Improves overall plugin security posture
- Aligns with recommendations from WordPress plugin review guidelines
Files to Modify
- includes/class-wpfa-mailconnect-smtp.php
- Potentially add a utility trait/class for reusable protection methods
This enhancement would improve the plugin's security profile and make it more suitable for enterprise deployments.
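One way the save/restore steps listed under Suggested Implementation could look, as an added example that is not part of the issue or the plugin's code. It assumes PHP 7.4+ with ext-sodium, uses authenticated encryption rather than a reversible encoding, and assumes the secret is kept outside the database (for example in wp-config.php); the class name, field names and `enc:v1:` prefix are hypothetical.

```php
<?php
// Added illustration: class, field names and the prefix are hypothetical.
// Assumes PHP >= 7.4 with ext-sodium and a secret stored outside the database.
final class Credential_Protector {
    private const PREFIX = 'enc:v1:'; // marks values that are already protected
    private string $key;

    public function __construct(string $secret) {
        // Derive a fixed-length secretbox key from the deployment secret.
        $this->key = sodium_crypto_generichash($secret, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    }

    public function protect(string $plain): string {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per save
        return self::PREFIX . base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $this->key));
    }

    public function restore(string $stored): ?string {
        if (strncmp($stored, self::PREFIX, strlen(self::PREFIX)) !== 0) {
            return $stored; // legacy plaintext saved before protection existed
        }
        $n   = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        $raw = base64_decode(substr($stored, strlen(self::PREFIX)), true);
        if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null; // malformed stored value
        }
        $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $this->key);
        return $plain === false ? null : $plain; // null: tampered value or wrong key
    }

    // Sanitize step: a blank password field keeps the value already stored.
    public function sanitize(array $input, array $stored, array $sensitive): array {
        foreach ($sensitive as $field) {
            $new = (string) ($input[$field] ?? '');
            $input[$field] = $new === '' ? ($stored[$field] ?? '') : $this->protect($new);
        }
        return $input;
    }
}

// Constructed sample data: first save, then a re-save with the password left blank.
$p     = new Credential_Protector('constructed-demo-secret');
$saved = $p->sanitize(['smtp_host' => 'mail.example.test', 'smtp_pass' => 's3cret'], [], ['smtp_pass']);
$again = $p->sanitize(['smtp_host' => 'mail.example.test', 'smtp_pass' => ''], $saved, ['smtp_pass']);
if ($p->restore($again['smtp_pass']) !== 's3cret') { throw new RuntimeException('round trip failed'); }
```

A `null` from `restore()` should be treated as a configuration error and the send aborted, rather than passing an empty password to the external service.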