Security & Credential Storage
Protecting your Cloudflare API tokens is our priority. We offer multiple tiers of security depending on your environment and license.
OpenSSL Database Encryption (All Tiers)
Before your Cloudflare API token is saved to the database, Flarepipe encrypts it using two-way AES-256 OpenSSL encryption. It uses the WordPress authentication salts in your wp-config.php file as the key. This applies to every tier, including the free version.
Even if someone steals your MySQL database, they cannot use the Cloudflare API tokens unless they also steal your raw server files.
Maximum Security: `wp-config.php` Constants
For developers, the safest method is to never store the credentials in the database.
You can define your API tokens directly in your wp-config.php file. If Flarepipe detects these constants, it masks the input fields in the settings page, skips database writes, and only loads the keys into memory when sending an email.
To enable this, add the following lines to your wp-config.php file, ideally directly above the "That's all, stop editing!" line:
// Flarepipe Security Overrides
define( 'WPFLAREMAIL_CF_ACCOUNT_ID', 'your_account_id_here' );
define( 'WPFLAREMAIL_CF_API_TOKEN', 'your_api_token_here' );
define( 'WPFLAREMAIL_LICENSE_KEY', 'your_pro_license_here' ); // Optional for Pro Why is this safer?
Database injection (SQLi) is a common vector for CMS attacks. Hardcoding credentials in PHP files ensures web-based vulnerabilities cannot extract your Cloudflare keys.
Nice-to-Have: General WordPress Security Tips
Beyond securing your email tokens, maintaining a strong perimeter is vital for WordPress. We strongly recommend:
- Enforce 2FA: Require Two-Factor Authentication for all Administrator and Editor roles.
- Disable File Editing: Add
define( 'DISALLOW_FILE_EDIT', true );to yourwp-config.phpto prevent attackers from editing plugins directly from the dashboard if they gain access. - Hide the Login URL: Use a plugin to change `wp-login.php` to a custom URL to drastically reduce brute-force bot attacks.
- Keep Themes & Plugins Updated: Over 90% of WordPress vulnerabilities stem from outdated third-party code. Turn on auto-updates for trusted plugins like Flarepipe.