ExternalResources is a core plugin, it allows the system administrator to point references to some (or all) static resources to another server (on an individual basis, or all-in-one). This allows for parallel downloading of resources, giving a faster page load. Where the Google hosted JQuery libraries are used, this can greatly improve load times.

The only file not supported is info.php as the keyfile needs to reside on the same domain as the rest of PHPCredLocker.


Read more…

AffinityLive Logging

A plugin for PHPCredLocker allowing a note to be registered against the relevant customer in AffinityLive whenever a customers credentials are added, amended, viewed or deleted. The plugin currently uses Affinity Live's webform API, but will be updated to use their JSON API when it comes out of beta.


AutoAuth is a PHPCredLocker plugin providing a one-click login option for certain CredTypes. By providing the relevant form id's (presets are available), superadmins can configure a credential type to display a 'Log In' button for all associated credentials.

AutoAuth is known to work with

  • CPanel/WHM
  • Webmin
  • WordPress
  • Drupal

AutoAuth doesn't currently work with Joomla! as it requires a correct form token to be included in the request.

You can see AutoAuth in action in the PHPCredLocker demo.

See below for the Plugin's README




Read more…

Security in PHPCredLocker

Given the sensitivity of the data inherent in PHPCredLocker's intended purpose, security has been given priority over any other consideration. If something is convenient, but lowers security it's not generally been implemented.

A number of potential attack vectors have been identified and measures put in place to mitigate the risk of such an attack, these are

  • Authentication Attempts (Brute-forcing of logins etc.)
  • Database retrieval (SQL injection etc)
  • User Session Hijacking
  • Direct Script Access
  • Cross-Site Scripting (XSS)
  • User Error

This documentation details the measures put in place to mitigate each of these risks.



Read more…

Introducing PHPCredLocker

PHPCredlocker is an Open Source(GNU AGPL V3) credentials locker written in PHP. Featuring strong encryption and a paranoid approach to security, the system has been designed to prioritise the secure storage of credentials over all other considerations.

I'm not an interface designer (not by a long shot) so the system has been designed to be templatable by those who know how to make things look nice!


Read more…

Installing PHPCredLocker

 This documentation details how to install PHPCredLocker, but there are a few pre-requisites

  • MySQL (with an empty database already created)
  • PHP > 5.2 (5.3 recommended as you can use OpenSSL instead of MCrypt)
  • SSL certificate installed (optional, but highly recommended)

So long as you satisfy these requirements, you should be ready to install. Grab PHPCredLocker from GitHub


Extract the archive into a directory on your webserver.



Permissions may be correct straight away, but it's unlikely. Many systems will use 755 permissions, but for security reasons we cannot allow this (do you really want to allow all users to read your crypto keys?). So set the following permissions recursively (whether by using chmod or in your FTP/File Manager)

  • /conf 760
  • /plugins 760
  • /sessions 760

Make sure the above directories (and their contents) are owned by whichever user your webserver runs as (if you use CPanel it'll generally be the same user as you log into CPanel as.). This may be nobody, apache, root (if so, you've got problems) or some other user (if you have suExec enabled).

Note: There's no reason you can't set all the PHPCredLocker files/directories to 760, but the ones listed above must be set to deny access to users who are not either the owner or part of the owning group - you could also deny access to group if you wished.

Read more…