I am working on a wordpress plugin. My plugin requires some data to be transferred from user’s wordpress to my site (on server side). I can use cURL for that but I want to provide little security. I cannot use HTTPS or SSL because this data is not that sensitive which worth paying for certificates. How can I do that? Some public-key private key algorithm or something? And in which format should I transfer data? They are few strings.
Can you suggest me a secure way for this? I am concerned about MITM attacks.
Thanks.
Leave a Reply
You must be logged in to post a comment.
I am not sure if this would be a solution but you can always read the info from your end. Can you collect the information into local file (in the client’s plugin folder) and then remotely read it from your server (by some crone script) on regular basis ? and use something like
… plugin folder is always in the same place so the URL shouldn’t be an issue
… for the “securely” part, just protect the file so only you can read it
Is providing the user (who has their own wordpress site) a unique “token” to store in the plugin’s config an option?
If you have a token for each user, and the user has a matching token, the data can be encrypted and decrypted with that token.
The token itself is never communicated alongside the encrypted data, so any man in the middle would have a lot harder time decrypting it (not impossible, but the best you’ll get without SSH).
I am using following approach to transfer secure data over HTTP.
Data is a Request object, which I am serializing. Now this serialized object is encrypted using
mcrypt_encrypt()
as belowas mentioned here and POST that encrypted data to my host using curl.
On my host, I decrypt the data using
and then unserialize the object. I am also adding salt for greater security.
For more detailed explaination, you can visit this post