Keeping Development Credentials Secure

4. March 2024

Development today relies on multiple teams, services, and environments all working in unison. A topic that always comes up when setting up a new development environment: how do we secure important credentials without making life too complicated for the rest of the team?

The key when working with version control systems like Git is to keep every kind of credential out of the repository: API keys, database passwords, mail passwords, signing keys. Once a secret has been committed it lives on in the history of every clone, and rotating it is the only real fix.

Even if it is a private repository, development environments change. It can be as simple as the staging and live website setup you are maintaining: the repository gets cloned to another machine, shared with a contractor, or mirrored to a new host, and every copy carries the secret with it.
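One way to enforce that rule rather than rely on memory is a pre-commit hook that refuses a commit when staged files look like credentials. The scanner below is an added example, not part of the original post; the patterns and the sample files it falls back to are constructed for illustration and should be tuned to your own stack.

```php
<?php
// Added example (not from the original post): a small pre-commit scanner that
// refuses a commit when staged files look like credentials. Patterns and the
// sample files below are constructed for illustration; tune them to your stack.
declare(strict_types=1);

/**
 * Return findings (path => list of reasons) for the given path/content pairs.
 * A finding is either a forbidden file name (.env and friends) or content that
 * matches a credential-shaped pattern.
 */
function scanForSecrets(array $staged): array
{
    // File names that must never be committed, regardless of content.
    $forbiddenNames = ['/(^|\/)\.env(\..+)?$/', '/\.pem$/', '/\.key$/'];

    // Content patterns: key=value pairs with credential-like keys, AWS access
    // key IDs, private key headers. Deliberately broad: a false positive costs
    // a minute, a leaked key costs a rotation.
    $contentPatterns = [
        'credential assignment' => '/^\s*(?:[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY))\s*=\s*[\'"]?[^\s\'"]{4,}/mi',
        'AWS access key id'     => '/\bAKIA[0-9A-Z]{16}\b/',
        'private key block'     => '/-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/',
    ];

    $findings = [];
    foreach ($staged as $path => $content) {
        foreach ($forbiddenNames as $re) {
            if (preg_match($re, $path)) {
                $findings[$path][] = 'forbidden file name';
            }
        }
        foreach ($contentPatterns as $label => $re) {
            if (preg_match($re, $content)) {
                $findings[$path][] = $label;
            }
        }
    }
    return $findings;
}

/** Collect staged files from git; returns [] outside a repository. */
function stagedFiles(): array
{
    $out = @shell_exec('git diff --cached --name-only --diff-filter=ACM 2>/dev/null');
    $files = [];
    foreach (array_filter(explode("\n", (string) $out)) as $path) {
        if (is_file($path)) {
            $files[$path] = (string) file_get_contents($path);
        }
    }
    return $files;
}

// Use the real index when available, otherwise constructed sample input.
// Mailer.php is the clean case: it reads a secret, it does not contain one.
$staged = stagedFiles() ?: [
    'config/.env.production' => "DB_PASSWORD=hunter2\n",
    'src/Mailer.php'         => "<?php\n\$smtpPassword = getenv('SMTP_PASSWORD');\n",
    'deploy/notes.txt'       => "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
];

$findings = scanForSecrets($staged);
foreach ($findings as $path => $reasons) {
    fwrite(STDERR, "refusing to commit {$path}: " . implode(', ', $reasons) . "\n");
}
exit($findings ? 1 : 0);
```

Save it as, for example, tools/scan-secrets.php and call it from .git/hooks/pre-commit with `php tools/scan-secrets.php || exit 1`. A non-zero exit aborts the commit; the hook is local to each clone, so also add the .env patterns to .gitignore and run the same scan in CI for the cases where someone skips hooks.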

.env Files for Environment Variables

The simplest way in PHP is to use a .env file to store your credentials outside the publicly accessible directory structure: outside public_html, but still somewhere the executing PHP process can read it. Once loaded in your code, the variables are accessible through $_ENV['yourVar'] or getenv("yourVar").

To keep it simple you can use the popular package vlucas/phpdotenv, which reads and imports the file for you. Note that version 5 populates $_ENV and $_SERVER by default; getenv() only sees the values if you use the createUnsafeImmutable() factory, which additionally calls putenv().

Don't fool yourself: if an attacker gets code execution on your system, or a file-read bug that reaches outside the web root, these variables are trivially readable. A .env file only keeps the secrets out of the web root and out of the repository, and provides some convenience while developing or sharing code. At least make sure it is owned by the user PHP runs as and is not group- or world-readable (chmod 600).
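To make the mechanism concrete, here is a minimal loader that does by hand what phpdotenv does for you. This is an added example, not code from the post or from the phpdotenv project; the directory layout it assumes (/var/www/site/.env next to /var/www/site/public_html/) and the variable names are illustrative, and the sample .env body at the end is constructed.

```php
<?php
// Added example (not from the original post, and not phpdotenv): a minimal
// .env loader. Assumed layout: /var/www/site/.env beside /var/www/site/public_html/
// so PHP can read the file but the web server never serves it.
declare(strict_types=1);

/**
 * Parse KEY=VALUE lines. Supports comments, blank lines, an optional "export "
 * prefix and single/double quoted values with a trailing comment. Returns the
 * pairs without touching the process environment, so it is easy to test.
 */
function parseDotenv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (!preg_match('/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/', $line, $m)) {
            throw new RuntimeException("Malformed .env line: {$line}");
        }
        [, $key, $value] = $m;
        if (preg_match('/^"(.*)"\s*(?:#.*)?$/s', $value, $q)) {
            $value = stripcslashes($q[1]);                      // "..." honours \n, \" etc.
        } elseif (preg_match("/^'(.*)'\s*(?:#.*)?$/s", $value, $q)) {
            $value = $q[1];                                      // '...' is taken literally
        } else {
            $value = trim(preg_replace('/\s+#.*$/', '', $value)); // strip trailing comment
        }
        $vars[$key] = $value;
    }
    return $vars;
}

/**
 * Load a .env file into $_ENV, $_SERVER and putenv(). Existing variables win,
 * so a value injected by the web server or container cannot be overridden by
 * a file that happens to be lying around.
 */
function loadDotenv(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("Cannot read {$path}");
    }
    // A credentials file readable by every local user defeats the purpose.
    if ((fileperms($path) & 0044) !== 0) {
        trigger_error("{$path} is group/world readable; chmod 600 it", E_USER_WARNING);
    }
    $loaded = [];
    foreach (parseDotenv((string) file_get_contents($path)) as $key => $value) {
        if (getenv($key) !== false || array_key_exists($key, $_ENV)) {
            continue;
        }
        putenv("{$key}={$value}");
        $_ENV[$key] = $_SERVER[$key] = $value;
        $loaded[] = $key;
    }
    return $loaded;
}

// Constructed sample showing the parsing rules (nowdoc: nothing is interpolated).
$sample = <<<'ENV'
# database
DB_HOST=localhost
DB_PASSWORD="p@ss #1 with \"quotes\""
export MAIL_PASSWORD='literal \n kept'   # comment after a quoted value
API_TOKEN=abc123 # comment after an unquoted value is stripped
ENV;
echo json_encode(parseDotenv($sample), JSON_PRETTY_PRINT), "\n";

// Real usage: the .env lives one level above the web root, never inside it.
$envFile = dirname(__DIR__) . '/.env';
if (is_file($envFile)) {
    loadDotenv($envFile);
}
$dbPassword = $_ENV['DB_PASSWORD'] ?? getenv('DB_PASSWORD');
```

The "existing variables win" rule is the detail worth copying: it lets the same code run with a .env on a developer laptop and with server-injected variables in production, without a file ever being able to shadow what the operator configured.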

Encrypted .env files

Some people propose encrypting the environment variables with a secret key and decrypting them at runtime. But the application needs that key to start, so it has to live somewhere the application can read. If the key sits next to the encrypted file, an attacker who can read one file can read both and the encryption has bought nothing. It only helps when the key arrives through a different channel, for example injected by the web server or the container runtime, so that a leaked copy of the file alone (a backup, a stray commit) is useless.

There are some nice packages that offer just that. You have to decide if they fit your needs.

  • The psecio/secure_dotenv library provides an easy way to handle the encryption and decryption of the information in your .env file. @Github
  • johnathanmiller/secure-env-php – Env encryption and decryption library. Prevents committing and exposing vulnerable plain-text environment variables in production environments. The library provides a nice guided interface to encrypt your .env file. @Github
  • beyondcode/laravel-credentials – Add encrypted credentials to your Laravel production environment. You can edit and encrypt them using php artisan credentials:edit. @Github
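The key-placement argument above is easier to see in code than in prose. The following is an added example, not taken from the post or from any of the packages listed: it encrypts a .env body with libsodium's secretbox and reads the key from an environment variable (the name APP_ENV_KEY is an assumption) that the web server or container is expected to inject, so no key file sits beside .env.enc. The .env body is constructed; when the variable is absent the demo falls back to a throwaway key so it runs offline.

```php
<?php
// Added example (not from the original post or any of the packages listed):
// encrypting a .env with libsodium secretbox. What it demonstrates is key
// placement, not the cipher: APP_ENV_KEY (assumed name) is injected by the
// web server or container, so the key never sits on disk next to .env.enc.
declare(strict_types=1);

/** Encrypt a .env body; output is base64(nonce || ciphertext). */
function encryptEnv(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // 24 random bytes per encryption
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);  // XSalsa20-Poly1305, authenticated
    return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_ORIGINAL);
}

/** Decrypt; throws on a wrong key or a tampered file instead of returning garbage. */
function decryptEnv(string $blob, string $key): string
{
    $raw = sodium_base642bin($blob, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered file');
    }
    return $plain;
}

/**
 * The key must arrive from outside the application tree. Here it is read from
 * the process environment (assumed name APP_ENV_KEY, base64 of 32 bytes).
 * A key file beside .env.enc would hand an attacker who can read one file
 * both of them, which is exactly the objection raised in the text.
 */
function loadKeyFromEnvironment(): string
{
    $b64 = getenv('APP_ENV_KEY');
    if ($b64 === false || $b64 === '') {
        throw new RuntimeException('APP_ENV_KEY is not set; inject it via the server or container, not a file');
    }
    $key = sodium_base642bin($b64, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_ENV_KEY must decode to 32 bytes');
    }
    return $key;
}

// Demo on a constructed .env body. The fallback key exists only so this runs
// offline; in production a missing key is a startup error, not a convenience.
try {
    $key = loadKeyFromEnvironment();
} catch (RuntimeException $e) {
    $key = sodium_crypto_secretbox_keygen();
    fwrite(STDERR, "demo: {$e->getMessage()} (using a throwaway key)\n");
}

$body = "DB_PASSWORD=hunter2\nMAIL_PASSWORD=s3cret\n";
$blob = encryptEnv($body, $key);
if (decryptEnv($blob, $key) !== $body) {
    throw new LogicException('round trip failed');
}

// Flipping one byte is caught by the Poly1305 tag rather than yielding garbage.
$tampered = $blob;
$pos = strlen($tampered) - 6;
$tampered[$pos] = $tampered[$pos] === 'A' ? 'B' : 'A';
try {
    decryptEnv($tampered, $key);
} catch (RuntimeException $e) {
    echo "tamper check: {$e->getMessage()}\n";
}
sodium_memzero($key);
```

The decrypted values still end up in $_ENV or getenv() and are just as readable to code running on the box as a plain .env would be; what changes is that a copy of .env.enc obtained through a file-read bug, a backup or a repository leak is worthless without the separately delivered key.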

Apache Pull – setting environment variables

Apache has two different things that get called environment variables, and it pays to keep them apart. The /etc/apache2/envvars file is a shell script sourced by apache2ctl; anything exported there lands in the real process environment of the Apache parent and its workers. Separately, directives such as SetEnv and PassEnv populate Apache's own per-request environment table, which is not the Linux process environment but an internal Apache structure that is handed to the handler: to mod_php directly, or to PHP-FPM as FastCGI params. PHP exposes both through $_SERVER and getenv(). With PHP-FPM, which is its own service, values from envvars never reach PHP at all; the FPM pool configuration has its own env[] directives for that.

The /etc/apache2/envvars file holds variable definitions such as APACHE_LOG_DIR (the location of the Apache log files), APACHE_PID_FILE (the path of the file holding the Apache process ID), APACHE_RUN_USER (the user Apache runs as, by default www-data), etc.

You can open and modify these files in a text editor of your choice. This is nice, but far from simple, and every change requires a configuration reload or a server restart. The payoff is on a live deployment: credentials set this way never touch the web root or the repository, and the configuration file holding them can be owned by root and unreadable to the web user, because Apache parses its configuration before dropping privileges. Be aware of the limits: anything set with SetEnv is visible to every script running in that vhost and shows up in phpinfo() output.

There are more dynamic approaches, but you can do some research on that yourself 🙂 I skipped that rabbit hole for now …
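What the config-side approach looks like in practice, as an added example that is not from the original post (paths, host and variable names are assumptions): a root-owned snippet holding the SetEnv lines, pulled into the vhost with Include.

```apache
# Added example, not from the original post. Paths and variable names are
# assumptions. File: /etc/apache2/secrets/example.com.conf, installed with
#   install -m 640 -o root -g root example.com.conf /etc/apache2/secrets/
# Apache parses its configuration as root before forking the www-data
# workers, so this file can be unreadable to the web user and still take
# effect. Pull it into the site definition:
#   <VirtualHost *:443>
#       ServerName example.com
#       DocumentRoot /var/www/site/public_html
#       Include /etc/apache2/secrets/example.com.conf
#   </VirtualHost>
# and apply with: apache2ctl configtest && systemctl reload apache2

# Literal values. PHP sees them as $_SERVER['DB_PASSWORD'] and
# getenv('DB_PASSWORD'), with mod_php and with PHP-FPM behind mod_proxy_fcgi
# alike, because SetEnv entries are forwarded to FPM as FastCGI params.
SetEnv DB_PASSWORD "replace-me"
SetEnv APP_ENV_KEY "base64-encoded-32-byte-key"

# Inherit from the Apache process environment instead (exported in
# /etc/apache2/envvars or a systemd drop-in), so no literal lives in this file.
PassEnv SMTP_PASSWORD

# What this does not protect against: any PHP code executing in this vhost,
# a compromised plugin included, can read the variables, and phpinfo() prints
# them. What it does protect against: file-read bugs (path traversal, exposed
# backups, a .env that slipped into a commit) cannot reach a root-owned 640 file.
```

If PHP runs under FPM you can skip Apache entirely and set the same values in the pool file (for example env[DB_PASSWORD] = replace-me in /etc/php/8.2/fpm/pool.d/www.conf); the pool file is likewise read by the FPM master as root, and a `systemctl reload php8.2-fpm` picks up the change.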

Infrastructure Secret Management

Handling secrets completely detached from the application is another possibility. It is surely overkill for most cases, but an Infrastructure Secret Management service might be worth looking into if you are working on bigger projects that involve multiple development teams and setups. These services typically also handle secret rotation, per-client access control, and an audit trail of who read which secret.

HashiCorp Vault – “Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.”

You can deploy your own Vault on your own infrastructure or test out the hosted version, which is free for open source projects. HashiCorp Vault

You will find a bunch of HashiCorp related packages that help you integrate a Vault into your project workflow (scmrus/php-vault-env, poc-webapp-vault).

While this is nice, you will need to cache the credentials somewhere, as you don't want to query the Vault on every single request. Keep that cache short-lived and in memory (APCu or another shared-memory store, not a file), and honour the lease duration the Vault returns, so a rotated secret is picked up instead of being served from a stale copy.
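A cache that respects those two points, as an added example that is not from the post or from any Vault client library: it refetches after a fraction of the lease has elapsed, falls back to a fixed TTL for static KV secrets (which Vault reports with lease_duration 0), stores in APCu when available and otherwise per process, and never touches the filesystem. The fetcher is a constructed stand-in for the Vault HTTP call; only its response shape mirrors Vault.

```php
<?php
// Added example (not from the original post or any Vault client library): a
// cache between the application and a secrets backend. The fetcher below is a
// constructed stand-in for a Vault call (e.g. GET v1/secret/data/app/db); its
// response shape mirrors Vault's lease_duration field.
declare(strict_types=1);

final class SecretCache
{
    /** @var array<string, array{value: mixed, expires: int}> */
    private array $memory = [];

    public function __construct(
        private float $refreshFraction = 0.75,  // refetch once 75% of the lease has elapsed
        private int $staticTtl = 300,            // used when the backend reports no lease (0)
        private int $minTtl = 30                 // never cache for less than this many seconds
    ) {}

    /**
     * Return the secret at $path, calling $fetch only when nothing fresh is
     * cached. $fetch must return ['data' => mixed, 'lease_duration' => int].
     * $now is injectable so the expiry logic can be exercised without sleeping.
     */
    public function get(string $path, callable $fetch, ?int $now = null): mixed
    {
        $now ??= time();
        $cached = $this->read($path);
        if ($cached !== null && $cached['expires'] > $now) {
            return $cached['value'];
        }

        $response = $fetch($path);
        $lease = (int) ($response['lease_duration'] ?? 0);
        if ($lease <= 0) {
            $lease = $this->staticTtl;           // KV v2 static secrets carry no lease
        }
        $ttl = max($this->minTtl, (int) floor($lease * $this->refreshFraction));

        $this->write($path, ['value' => $response['data'], 'expires' => $now + $ttl], $ttl);
        return $response['data'];
    }

    /** Drop an entry early, e.g. after the database rejects the cached password. */
    public function forget(string $path): void
    {
        unset($this->memory[$path]);
        if ($this->useApcu()) {
            apcu_delete("secret:$path");
        }
    }

    private function useApcu(): bool
    {
        return function_exists('apcu_enabled') && apcu_enabled();
    }

    private function read(string $path): ?array
    {
        if ($this->useApcu()) {
            $hit = apcu_fetch("secret:$path", $ok);
            return $ok ? $hit : null;
        }
        return $this->memory[$path] ?? null;
    }

    private function write(string $path, array $entry, int $ttl): void
    {
        // Shared memory, never the filesystem: a secret written to /tmp or a
        // file cache is one directory listing away from the next reader.
        if ($this->useApcu()) {
            apcu_store("secret:$path", $entry, $ttl);
            return;
        }
        $this->memory[$path] = $entry;
    }
}

// Constructed stand-in for the Vault round trip; counts how often it is hit.
$calls = 0;
$fakeVault = function (string $path) use (&$calls): array {
    $calls++;
    return ['data' => ['username' => 'app', 'password' => "rotated-$calls"], 'lease_duration' => 3600];
};

$cache = new SecretCache();
$t0 = 1_700_000_000;
$first  = $cache->get('secret/data/app/db', $fakeVault, $t0);
$second = $cache->get('secret/data/app/db', $fakeVault, $t0 + 600);   // within the lease: cached
$third  = $cache->get('secret/data/app/db', $fakeVault, $t0 + 2800);  // past 75% of 3600s: refetched

printf("fetches: %d, first=%s, second=%s, third=%s\n",
    $calls, $first['password'], $second['password'], $third['password']);
```

Refreshing at 75% of the lease rather than at expiry gives the application a window in which both the old and the newly rotated credential are valid, which is what makes rotation invisible to users. The forget() method covers the other direction: when the database answers with an authentication error, evict and refetch instead of retrying a dead password until the TTL runs out.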

HashiCorp Vault is not the only Infrastructure Secret Management solution. There is a nice GitHub Gist that lists other solutions along with a feature matrix.

Amazon also provides a solution called AWS Secrets Manager, which makes a lot of sense when you already build and deploy on AWS 🙂

What a rabbit hole, once you start researching solutions 🙂 
Have fun …

Alexander