Title: API key displayed on screen
Last modified: August 31, 2016

---

# API key displayed on screen

 *  Resolved [nikolaidis](https://wordpress.org/support/users/nikolaidis/)
 * (@nikolaidis)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/)
 * In the plugin settings, the API key is displayed as plain text. On the page at
   [https://www.cloudflare.com/a/account/my-account](https://www.cloudflare.com/a/account/my-account)
   we are told to “Protect this key like a password!” Shouldn’t this be in a password
   field so it’s not displayed within the plugin settings?
 * [https://wordpress.org/plugins/cloudflare/](https://wordpress.org/plugins/cloudflare/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [Brandon Hubbard](https://wordpress.org/support/users/bhubbard/)
 * (@bhubbard)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-6908622)
 * I agree it should be a password field.
 * Or maybe hidden by default with a link/button to view when needed. This way you
   can prevent the support tickets for users who have trouble with copy/paste or
   typing out the API key.
 *  [simon-says](https://wordpress.org/support/users/simon-says/)
 * (@simon-says)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-6908639)
 * Good suggestion, this is something we’ll look to add in the next version.
 *  [Simon Foxe](https://wordpress.org/support/users/sfoxe/)
 * (@sfoxe)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-6908814)
 * Thanks for suggesting this, guys. I’d also like to add my enthusiasm for this
   feature. I’m not using the API key functionality on ANY site yet because of this
   lack of security.
 * I have one Cloudflare account that services multiple clients and domains, thus
   one API key which could affect completely separate businesses. Too risky until
   this feature is added.
 *  [myaffee](https://wordpress.org/support/users/myaffee/)
 * (@myaffee)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-6908840)
 * I vote for this also ASAP!! We’d like to use this for a number of client sites
   that are all in the same CloudFlare account but don’t want to expose the plugin
   API to any of them. It really should be not only obscured on the front-end but
   1-way encrypted in the database as well.
 *  [Rob](https://wordpress.org/support/users/robmuzo/)
 * (@robmuzo)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-6908845)
 * Any update on this? I’m in the same scenario as above. It’s a big security flaw:
   if one client’s site gets hacked, it could allow API access to a whole bunch of
   others. myaffee, you’re right: not only hidden but encrypted in the DB too.
 *  [toddtoven](https://wordpress.org/support/users/toddtoven/)
 * (@toddtoven)
 * [10 years ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-6908855)
 * Hi simon-says, I’m also in favor of having the API key obscured once it’s been
   saved. Do you have this available on GitHub?
 *  [Lucas Balzer](https://wordpress.org/support/users/lbalzer/)
 * (@lbalzer)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-8407221)
 * I agree! The concerns caused by the API key in clear text on the settings page
   pale in comparison to the key STORED as plain text in the DB — far more attack
   vectors on the DB than on the clear text of a single options screen.
 * I understand there are issues surrounding encrypting data in the WP DB ([https://wordpress.org/support/topic/encrypt-smtp-login-information/](https://wordpress.org/support/topic/encrypt-smtp-login-information/)),
   but since the CloudFlare API key is only necessary when actively making changes
   to the CF account in question, many of the concerns outlined in the referenced
   article are moot. Specifically, the API key could be encrypted with a user-known
   passphrase and decrypted (either 1 time or for the session) by requesting the
   passphrase whenever an API call needs to be made. Additionally, if this were 
   a session-long decryption, it’s reasonable that the decrypted API key could be
   stored in cookies. (Yes, less secure. But again, the attack surface of a user’s
   computer is MUCH smaller than the WP DB.)
    -  This reply was modified 9 years, 6 months ago by [Lucas Balzer](https://wordpress.org/support/users/lbalzer/).
      Reason: Wanted to offer a solution. At first I just +1ed the feature request
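
The passphrase scheme proposed in the last reply, together with the masked settings field asked for earlier in the thread, sketched as an added example that is not part of the thread and not the Cloudflare plugin's code. Because the plugin has to send the key to the API, the stored form is reversible authenticated encryption rather than a one-way hash. The function names and sample values are hypothetical, and PHP 7.2+ with the bundled sodium extension is assumed.

```php
<?php
// Added example; function names are hypothetical, not the Cloudflare plugin's code.

/** Derive a secretbox key from the passphrase with libsodium's password hash. */
function derive_key(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $passphrase, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

/** Encrypt the API key; the result is the only form written to the database. */
function seal_api_key(string $apiKey, string $passphrase): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_key($passphrase, $salt);
    $box   = sodium_crypto_secretbox($apiKey, $nonce, $key);
    sodium_memzero($key); // do not keep the derived key in memory longer than needed
    return base64_encode($salt . $nonce . $box);
}

/** Decrypt a stored blob; null means wrong passphrase or modified data. */
function open_api_key(string $stored, string $passphrase): ?string
{
    $s = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < $s + $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $key   = derive_key($passphrase, substr($raw, 0, $s));
    $plain = sodium_crypto_secretbox_open(substr($raw, $s + $n), substr($raw, $s, $n), $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

/** What the settings form shows once a key is saved: last 4 characters only. */
function mask_api_key(string $apiKey): string
{
    $tail = strlen($apiKey) > 8 ? substr($apiKey, -4) : '';
    return str_repeat('*', strlen($apiKey) - strlen($tail)) . $tail;
}

// Constructed sample values, not real credentials.
$sample = 'constructed-sample-api-key-0001';
$stored = seal_api_key($sample, 'constructed passphrase');
var_dump(open_api_key($stored, 'constructed passphrase') === $sample);
var_dump(open_api_key($stored, 'wrong passphrase'));
echo mask_api_key($sample), PHP_EOL;
```

With this layout a copy of the database alone yields only salt, nonce and ciphertext; the passphrase is never stored and has to be supplied each time the key is needed.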


The topic ‘API key displayed on screen’ is closed to new replies.

 * 7 replies
 * 8 participants
 * Last reply from: [Lucas Balzer](https://wordpress.org/support/users/lbalzer/)
 * Last activity: [9 years, 6 months ago](https://wordpress.org/support/topic/api-key-displayed-on-screen/#post-8407221)
 * Status: resolved