API keys live in wp_options or DB tables, feels wrong.
Storing secrets in wp_options is common but not ideal. When you export the DB (for staging or support), they ride along. Move them to wp-config.php or env vars.
Try this first
1. Inventory which secrets sit in wp_options: API keys (Stripe, Mailchimp, Sendgrid), webhook URLs, custom tokens.
2. Move critical secrets to wp-config.php as constants: define('STRIPE_SECRET_KEY', 'sk_live_...'); read them in code with constant(), or with getenv() if the value comes from an environment variable.
3. Better still: use env vars via your hosting panel or a .env loader. Then the secret isn't in code and isn't in the DB.
4. Plugins that write to wp_options (like WP Mail SMTP) often have a 'use constants' option. Enable it.
5. Rotate secrets that lived in DB exports or backups. A backup on a laptop with an unencrypted disk is a leak.
6. Document in a runbook where each secret lives and who can rotate it. Key management that runs on tribal knowledge is an incident waiting to happen.
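For the inventory in step 1, a small scanner can flag rows that look like credentials. This is an added example, not code from the original page: it assumes the rows were exported with `wp option list --format=json`, and the option names and key values in the sample are constructed.

```python
import json
import re

# Option names that suggest the row holds a credential (heuristic).
NAME_HINT = re.compile(r"secret|token|api_?key|passw|webhook", re.I)

# Value shapes for the services the page lists (heuristics, not a full ruleset).
VALUE_PATTERNS = {
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}"),
    "sendgrid_api_key": re.compile(r"\bSG\.[\w-]{16,}\.[\w-]{16,}"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
}

def redact(secret):
    """Keep a short prefix so the report itself does not become a leak."""
    return secret[:8] + "..."

def inventory(rows):
    """Return (option_name, kind, redacted_evidence) for rows that look like secrets."""
    findings = []
    for row in rows:
        name, value = row["option_name"], row["option_value"]
        if not isinstance(value, str):  # already-decoded arrays/objects
            value = json.dumps(value)
        # Raw regex search also reaches values nested in PHP-serialized strings.
        hits = [(kind, m.group(0)) for kind, rx in VALUE_PATTERNS.items()
                for m in rx.finditer(value)]
        if hits:
            findings += [(name, kind, redact(secret)) for kind, secret in hits]
        elif value.strip() and NAME_HINT.search(name):
            findings.append((name, "name_hint", "(review manually)"))
    return findings

# Constructed sample rows; hypothetical option names, no real keys.
SAMPLE_ROWS = [
    {"option_name": "siteurl", "option_value": "https://example.test"},
    {"option_name": "acme_shop_stripe_settings",
     "option_value": 'a:1:{s:10:"secret_key";s:32:"sk_live_EXAMPLEEXAMPLEEXAMPLE000";}'},
    {"option_name": "acme_mailer",
     "option_value": 'a:1:{s:7:"api_key";s:36:"SG.EXAMPLEEXAMPLE00.EXAMPLEEXAMPLE00";}'},
    {"option_name": "acme_crm_webhook_url", "option_value": "https://hooks.example.test/in/EXAMPLE"},
    {"option_name": "acme_newsletter",
     "option_value": 'a:1:{s:7:"api_key";s:36:"0123456789abcdef0123456789abcdef-us1";}'},
    {"option_name": "acme_api_token", "option_value": ""},  # already migrated
]

if __name__ == "__main__":
    for finding in inventory(SAMPLE_ROWS):
        print(*finding, sep="\t")
```

Every hit is a candidate for steps 2 to 5: move it out of the database, then rotate it if it ever appeared in an export or backup.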
When to bring us in
Dozens of secrets, external partners and compliance? A secret manager (1Password, HashiCorp Vault, AWS Secrets Manager) is the structural fix.