threadi/crypt-for-wordpress
===========================

Version 1.0.3 · GPL-3.0-or-later · [Source](https://github.com/threadi/crypt-for-wordpress) · [Packagist](https://packagist.org/packages/threadi/crypt-for-wordpress)

Crypt for WordPress
===================

This repository contains the source code for the Composer package “Crypt for WordPress”. It can be used in plugins or themes to encrypt strings.

How it works
------------

A hash key is generated for each plugin or theme and is used for all encryption and decryption. This key is stored in the **wp-config.php** file or, if using a MU plugin, within the WordPress installation itself. As a result, it is not stored in the database where the encrypted data resides, keeping the key and the data separate. This makes it more difficult for attackers to decrypt the data, as they would need both to be successful.

The **wp-config.php** file is primarily used for this purpose. If this file is not writable (as is the case with some hosting providers), a Must-Use plugin is generated and stored. Optionally, you can force the usage of a Must-Use plugin for each plugin or theme (see Settings below).

### Hint

Data encryption is not a silver bullet for protecting data. Projects that involve sensitive data should be secured through further measures in addition to encryption. These include, for example, security plugins. This Composer package is not the only solution for this, but it can help.

Demo
----

[This demo plugin](https://github.com/threadi/crypt-for-wordpress-demo) demonstrates how the encryption could be used.

Use cases
---------

- You allow users of your plugin to enter API credentials and want to store them securely in the database.
- You allow users to enter FTP credentials and want to store them securely in the database.
- You want users to enter JSON authentication data and store it securely.
- You collect personal data - for example, from job applicants or customers - on your website, and this data must be stored securely.

Requirements
------------

- *composer* to install this package.
- A WordPress plugin or theme in which to embed the package.

Installation
------------

1. `composer require threadi/crypt-for-wordpress`
2. Add the following code to your plugin or theme:

```
$crypt = new \CryptForWordPress\Crypt( __FILE__ );
```

### Parameters

#### set\_config()

Set your custom configuration for the supported methods as an array. Setting a configuration is optional, and so is every option within it.

Format:

```
array(
    'force_method' => 'openssl', // openssl or sodium.
    'openssl' => array(
        'hash_type' => 'hash_pbkdf2', // hash_pbkdf2 or hash.
        'hash_algorithm' => 'sha256', // see hints below.
        'force_mu_plugin' => false, // true to force the usage of an MU-plugin to save the hashed key.
    ),
    'sodium' => array(
        'hash_type' => 'sodium_crypto_aead_xchacha20poly1305_ietf_keygen', // one of: sodium_crypto_aead_xchacha20poly1305_ietf_keygen, sodium_crypto_secretbox_keygen, sodium_crypto_auth_keygen, sodium_crypto_generichash_keygen, sodium_crypto_kdf_keygen, random_bytes
    ),
)
```

##### Hint about usage of ciphers

As of March 2026, you should only use one of these ciphers:

- aes-256-gcm
- aes-256-cbc
- chacha20-poly1305
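
Of the three ciphers listed, aes-256-gcm and chacha20-poly1305 are authenticated (AEAD) modes, while aes-256-cbc provides confidentiality only. The following is an added example, not code from this package, showing what that means for a stored value altered at rest and how an HMAC (encrypt-then-MAC) closes the gap. Whether the package adds its own integrity check for aes-256-cbc is not stated here; all keys, function names and sample values are constructed.

```php
<?php
// Added illustration, not the package's code. Keys and plaintext are constructed samples.
$enc_key = random_bytes( 32 );
$mac_key = random_bytes( 32 ); // separate key for the MAC

/** aes-256-cbc on its own: confidentiality only. Returns IV . ciphertext. */
function cbc_encrypt( string $plain, string $key ): string {
	$iv = random_bytes( 16 );
	return $iv . openssl_encrypt( $plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv );
}

/** Returns the plaintext, or false when the padding is invalid. */
function cbc_decrypt( string $blob, string $key ) {
	return openssl_decrypt( substr( $blob, 16 ), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr( $blob, 0, 16 ) );
}

/** Encrypt-then-MAC: append HMAC-SHA256 over IV . ciphertext. */
function cbc_hmac_encrypt( string $plain, string $enc_key, string $mac_key ): string {
	$blob = cbc_encrypt( $plain, $enc_key );
	return $blob . hash_hmac( 'sha256', $blob, $mac_key, true );
}

/** Check the MAC in constant time before decrypting; null on any mismatch. */
function cbc_hmac_decrypt( string $stored, string $enc_key, string $mac_key ): ?string {
	if ( strlen( $stored ) < 64 ) { // 16 IV + 16 ciphertext + 32 MAC at minimum
		return null;
	}
	$blob = substr( $stored, 0, -32 );
	if ( ! hash_equals( hash_hmac( 'sha256', $blob, $mac_key, true ), substr( $stored, -32 ) ) ) {
		return null;
	}
	$plain = cbc_decrypt( $blob, $enc_key );
	return false === $plain ? null : $plain;
}

$plain = 'constructed sample credential 0123456789';

// A stored value altered at rest (one bit in the first byte) still decrypts under bare CBC.
$bare    = cbc_encrypt( $plain, $enc_key );
$bare[0] = $bare[0] ^ "\x01";
$out     = cbc_decrypt( $bare, $enc_key );
echo 'cbc alone:  ', ( is_string( $out ) && $out !== $plain ) ? "altered value returned, no error\n" : "unexpected\n";

// With the MAC, the same alteration is rejected before any decryption happens.
$sealed    = cbc_hmac_encrypt( $plain, $enc_key, $mac_key );
$sealed[0] = $sealed[0] ^ "\x01";
echo 'cbc + hmac: ', null === cbc_hmac_decrypt( $sealed, $enc_key, $mac_key ) ? "altered value rejected\n" : "unexpected\n";
```

With aes-256-gcm or chacha20-poly1305 the authentication tag performs this check as part of decryption, so no separate MAC is needed.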

##### Hint about changes

If you change any of these settings, the changes will apply to newly encrypted strings. Strings that have already been encrypted will not be altered. Depending on the change, this could result in strings that were encrypted before the change no longer being decryptable.
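
An added example (not the package's code) of why a settings change can strand existing data: the same secret run through `hash_pbkdf2` with a different `hash_algorithm` yields a different key, so values encrypted earlier must be re-encrypted while the old settings are still known. The secret, salt, iteration count and helper names are assumptions; how the package derives its key is not shown on this page.

```php
<?php
// Added illustration, not the package's code. Secret, salt and iteration count are
// constructed sample values; the real package's key derivation is not shown on this page.
const SAMPLE_SECRET = 'constructed-sample-secret';
const SAMPLE_SALT   = 'constructed-sample-salt';

/** Derive a 32-byte key; $hash_algorithm stands in for the 'hash_algorithm' setting. */
function derive_key( string $hash_algorithm ): string {
	return hash_pbkdf2( $hash_algorithm, SAMPLE_SECRET, SAMPLE_SALT, 100000, 32, true );
}

/** aes-256-gcm; stored form is base64( IV . tag . ciphertext ). */
function seal( string $plain, string $key ): string {
	$iv     = random_bytes( 12 );
	$tag    = '';
	$cipher = openssl_encrypt( $plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag );
	return base64_encode( $iv . $tag . $cipher );
}

/** Returns the plaintext, or null when the key is wrong or the data was modified. */
function open_sealed( string $stored, string $key ): ?string {
	$raw = base64_decode( $stored, true );
	if ( false === $raw || strlen( $raw ) < 28 ) { // 12-byte IV + 16-byte tag
		return null;
	}
	$plain = openssl_decrypt( substr( $raw, 28 ), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, substr( $raw, 0, 12 ), substr( $raw, 12, 16 ) );
	return false === $plain ? null : $plain;
}

/** Re-encrypt one stored value under the new key; null if the old key cannot open it. */
function migrate( string $stored, string $old_key, string $new_key ): ?string {
	$plain = open_sealed( $stored, $old_key );
	return null === $plain ? null : seal( $plain, $new_key );
}

$old_key = derive_key( 'sha256' );
$new_key = derive_key( 'sha512' ); // same secret, changed setting, different key

$stored = seal( 'constructed-api-token', $old_key );
echo 'old value, new key: ', null === open_sealed( $stored, $new_key ) ? "not decryptable\n" : "decrypted\n";

// Migration has to happen while the old settings are still known.
$stored = migrate( $stored, $old_key, $new_key );
echo 'after migration:    ', null === open_sealed( (string) $stored, $new_key ) ? "not decryptable\n" : "decrypted\n";
```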

Usage
-----

### Encrypt

To encrypt a plain string, use:

```
$encrypted = $crypt->encrypt( 'My string to encrypt.' );
```

### Decrypt

To decrypt an encrypted string, use:

```
$decrypted = $crypt->decrypt( 'My encrypted string to decrypt.' );
```

Uninstall
---------

Use this code to remove the settings during uninstallation of your theme or plugin:

```
$crypt = new \CryptForWordPress\Crypt( __FILE__ );
$crypt->uninstall();
```

Check for WordPress Coding Standards
------------------------------------

### Initialize

`composer install`

### Run

`vendor/bin/phpcs --standard=ruleset.xml vendor/threadi/easy-directory-listing-for-wordpress/`

### Repair

`vendor/bin/phpcbf --standard=ruleset.xml vendor/threadi/easy-directory-listing-for-wordpress/`

Analyse with PHPStan
--------------------

`vendor/bin/phpstan analyse`

