Storing Strong API Credentials

Since 3.0.0, we have added an extra way of storing your API details.

How are the API credentials stored normally?

You can create the API login credentials from your ePDQ BackOffice account, as seen from step#3 from our setup guide.
API logins are stored in the WP database, which means that an SQL exploit may result in access to your API key data. While such an exploit also has access to the rest of the database as those API keys are unencrypted, it does leave the potential for an exploit. Other payment gateway plugins implement the same procedure when saving the API credentials, but we’d like to offer something different to protect your data.

How will the API credentials be stored using our new feature?

You can now define the API logins on your website; this means that the API keys are no longer stored in the database. Should a hacker gain access to the database, the API keys are not visible to them.

Setting SHA method

0 = SHA-1

1 = SHA-256

2 = SHA-512

We recommend that SHA-512 is set, this is more secure, if you do decide to use SHA-512 then you would define it like this:

define( ‘secure_ePDQ_SHA_method’, ‘2’ );

What are the steps so that I can define the API logins on my website to enable this feature?

Step 1

Before proceeding, please create a backup of your site, as you will be editing your theme files as a preventive measure if you have accidentally deleted any code. You can ask your hosting provider to backup your site for you.

Step 2

You would need to use the code below and replace the required credentials for your ePDQ account below:

// This stops anyone from editing the plugin files within the WP admin
define(‘DISALLOW_FILE_EDIT’ , true);

define( ‘ePDQ_Direct_PSPID’, ‘#replace with PSPID for account#’ );
define( ‘ePDQ_Direct_UserID’, ‘#replace with user id for account#’ );
define( ‘ePDQ_Direct_Pswd’, ‘#replace with password for account#’ );
define( ‘ePDQ_Direct_SHA_in’, ‘#replace with SHA in for account#’ );
define( ‘ePDQ_Direct_SHA_out’, ‘#replace with SHA out for account#’ );
define( ‘ePDQ_Direct_SHA_method’, ‘#replace with SHA method for account#’ );

Once you have replaced it with the correct information, copy and paste the code on your theme’s functions.php file.

The quickest way to add these would be to add them to your theme’s functions.php file from your:
WordPress dashboard > Appearance > Theme Editor > click the functions.php from the file selection.

Image 2020-04-17 at 6.13.46 PM

After that, kindly click the Update File button for the changes to be applied.

We recommend that you add the above code into the wp-config.php file via FTP.

Note: If you have followed the steps above, it will prioritize the normal way of storing the API credentials.

Was this helpful?

Next Article

How it works