Security Best Practices

Keep your API connections secure

Protect Your API Keys

API keys are like passwords. Treat them with the same care.

Do:

  • Store keys only in API Mapper's secure settings
  • Use different keys for development and production
  • Rotate keys periodically
  • Use read-only keys when possible

Don't:

  • Share keys via email or chat
  • Commit keys to version control
  • Use the same key for multiple projects
  • Give keys more permissions than needed

Use HTTPS Always

Never use HTTP for API connections.

✓ https://api.example.com/data
✗ http://api.example.com/data

Why?

  • HTTP sends the whole request, including your API key, in plain text
  • Anyone on the network path (shared Wi-Fi, ISP, proxies) can read or alter the traffic and capture the key
  • Many API providers reject plain HTTP requests entirely
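As an added example (not part of the API Mapper documentation or plugin), the check below enforces the HTTPS rule on a connection URL before it is saved. It goes slightly beyond the page's rule by also rejecting credentials embedded in the URL (user:pass@host), which end up in server and proxy logs. The function names and the exact policy are assumptions for illustration.

```python
from urllib.parse import urlsplit


def check_api_url(url):
    """Return a list of problems with an API base URL; an empty list means it passes.

    Assumed policy for this example: HTTPS only, a hostname must be present,
    and no credentials embedded in the URL.
    """
    problems = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()  # "HTTP://" is still plain HTTP

    if scheme == "http":
        problems.append("plain HTTP: the API key would travel unencrypted")
    elif scheme != "https":
        problems.append(f"unsupported scheme {parts.scheme!r}; use https")

    if not parts.hostname:
        problems.append("missing hostname")

    if parts.username or parts.password:
        problems.append("credentials embedded in the URL will be written to logs; "
                        "send the key in a header instead")
    return problems


def is_secure_api_url(url):
    """Convenience wrapper: True only when check_api_url finds nothing."""
    return not check_api_url(url)


if __name__ == "__main__":
    for candidate in ("https://api.example.com/data",
                      "http://api.example.com/data",
                      "HTTP://api.example.com/data",
                      "https://user:secret@api.example.com/data"):
        print(candidate, "->", check_api_url(candidate) or "ok")
```

Run the check when a connection is created or edited, not only at request time, so a bad URL is refused before a key is ever sent over it.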

Principle of Least Privilege

Give API keys only the permissions they need.

For a product display:

✓ Read-only access to products
✗ Full admin access to the store

If your API provider offers granular permissions:

  • Enable only "read" permissions
  • Limit to specific resources
  • Restrict the key to your web server's IP address(es) where the provider supports it

Secure Your Admin Area

API Mapper settings contain your API keys, so anyone who can reach the admin area can read them. Protect your admin:

WordPress
  • Use strong admin passwords
  • Enable two-factor authentication
  • Limit login attempts
  • Keep WordPress updated
  • Use security plugins (Wordfence, Sucuri, etc.)

Handle Sensitive Data Carefully

If the API returns sensitive data:

  1. Filter it out - Don't map fields you don't need
  2. Don't display it - Some data is for internal use only
  3. Consider privacy - User data has legal requirements (GDPR, etc.)

Examples of sensitive data:

  • Email addresses
  • Phone numbers
  • Internal IDs
  • Financial information
  • Personal health data
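As an added example (not part of the API Mapper documentation or plugin), the code below shows the "filter it out" step in working form: an allow-list of field paths that may reach the page, so anything the provider adds later is hidden by default, plus a redaction pass over free-text fields as a safety net for email addresses and phone numbers that show up inside descriptions. The sample response, the allow-list and the function names are constructed for illustration.

```python
import re

# Constructed sample of what a product API might return. The values are made up;
# the point is that several of these fields should never reach the page.
SAMPLE_RESPONSE = {
    "id": 1042,
    "name": "Trail Running Shoe",
    "price": 129.0,
    "internal_sku_id": "WH-7781-Z",
    "supplier": {
        "name": "Acme Supplies",
        "contact_email": "ops@example.com",
        "phone": "+1 555 010 0100",
    },
    "variants": [
        {"sku": "TRS-42", "size": 42, "warehouse_note": "call +1 555 010 0199"},
        {"sku": "TRS-43", "size": 43, "warehouse_note": ""},
    ],
    "description": "Lightweight shoe. Questions? Write to sales@example.com",
}

# Allow-list of dotted field paths the page may display (assumption for this
# example). Anything not listed is dropped, including fields added later.
ALLOWED_FIELDS = {
    "id", "name", "price", "supplier.name", "variants.sku", "variants.size", "description",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def filter_fields(data, allowed, prefix=""):
    """Keep only allow-listed fields of a dict. Nested objects use dotted paths;
    a list of objects shares its parent's path (variants.sku applies to each item)."""
    out = {}
    for key, value in data.items():
        path = prefix + key
        if isinstance(value, dict):
            kept = filter_fields(value, allowed, path + ".")
            if kept:
                out[key] = kept
        elif isinstance(value, list) and value and all(isinstance(v, dict) for v in value):
            kept = [filter_fields(v, allowed, path + ".") for v in value]
            kept = [item for item in kept if item]
            if kept:
                out[key] = kept
        elif path in allowed:
            out[key] = value
    return out


def redact(value):
    """Mask email addresses and phone numbers in any string, recursing into
    dicts and lists. Numbers and other scalars pass through unchanged."""
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = EMAIL_RE.sub("[email redacted]", value)
        value = PHONE_RE.sub("[phone redacted]", value)
    return value


def prepare_for_display(data, allowed=ALLOWED_FIELDS):
    """Filter first, then redact what is left: the page only ever sees this result."""
    return redact(filter_fields(data, allowed))


if __name__ == "__main__":
    import json
    print(json.dumps(prepare_for_display(SAMPLE_RESPONSE), indent=2))
```

The order matters: filtering removes whole fields such as `contact_email` and `internal_sku_id`, and redaction only has to catch personal data that is embedded in text you do intend to show.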

Monitor API Usage

Watch for unusual activity:

  • Unexpected spikes in API calls
  • Failed authentication attempts
  • Access from unknown IPs
  • Usage outside business hours

Many API providers offer dashboards to monitor usage.
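As an added example (not part of the API Mapper documentation or plugin), here is the monitoring logic from the list above run over a constructed sample of provider access-log lines: it flags requests from IPs other than your server, requests outside business hours, bursts of failed authentication, and per-minute call spikes. The log format, the known-IP set, the business-hours window and the thresholds are assumptions; adapt them to what your provider's dashboard or log export actually gives you.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (not a real provider format): one request per line, UTC.
SAMPLE_LOG = """\
2024-05-06T09:15:02Z key=prod-site ip=203.0.113.10 status=200 path=/v1/products
2024-05-06T09:15:03Z key=prod-site ip=203.0.113.10 status=200 path=/v1/products
2024-05-06T09:16:10Z key=prod-site ip=203.0.113.10 status=200 path=/v1/products/42
2024-05-06T03:02:11Z key=prod-site ip=198.51.100.7 status=401 path=/v1/orders
2024-05-06T03:02:12Z key=prod-site ip=198.51.100.7 status=401 path=/v1/orders
2024-05-06T03:02:13Z key=prod-site ip=198.51.100.7 status=401 path=/v1/orders
2024-05-06T03:02:14Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
2024-05-06T03:03:01Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
2024-05-06T03:03:02Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
2024-05-06T03:03:03Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
2024-05-06T03:03:04Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
2024-05-06T03:03:05Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
2024-05-06T03:03:06Z key=prod-site ip=198.51.100.7 status=200 path=/v1/customers
"""

KNOWN_IPS = {"203.0.113.10"}   # assumption: the web server that hosts the site
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 UTC
FAILED_AUTH_THRESHOLD = 3      # 401/403 responses per key+ip before alerting
RATE_THRESHOLD = 5             # requests per key per minute before alerting

LINE_RE = re.compile(r"^(\S+) key=(\S+) ip=(\S+) status=(\d{3}) path=(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, key, ip, status, path = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"when": when, "key": key, "ip": ip, "status": int(status), "path": path})
    return events


def find_anomalies(events):
    """Apply the four checks from the list above and return what each one found."""
    findings = {"unknown_ip": set(), "outside_hours": set()}
    failed = Counter()      # (key, ip) -> number of 401/403 responses
    per_minute = Counter()  # (key, minute) -> number of requests
    for e in events:
        if e["ip"] not in KNOWN_IPS:
            findings["unknown_ip"].add((e["key"], e["ip"]))
        if e["when"].hour not in BUSINESS_HOURS:
            findings["outside_hours"].add((e["key"], e["ip"]))
        if e["status"] in (401, 403):
            failed[(e["key"], e["ip"])] += 1
        per_minute[(e["key"], e["when"].strftime("%Y-%m-%dT%H:%M"))] += 1
    findings["failed_auth_burst"] = {k: n for k, n in failed.items() if n >= FAILED_AUTH_THRESHOLD}
    findings["rate_spike"] = {k: n for k, n in per_minute.items() if n > RATE_THRESHOLD}
    return findings


if __name__ == "__main__":
    for kind, hits in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(kind, hits if hits else "none")
```

In the sample, one unknown IP trips all four checks at once; a single finding (for example a night-time spike from your own server during a cache rebuild) is often benign, but failed authentication from an IP you do not recognise is the pattern that should trigger the key-compromise steps further down this page.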

Keep Everything Updated

Security vulnerabilities get patched in updates:

  • Update API Mapper when new versions are available
  • Update YOOtheme Pro regularly
  • Keep WordPress/Joomla core updated
  • Update PHP to supported versions

Backup Regularly

Before making changes:

WordPress
  1. Back up your database
  2. Export API Mapper settings
  3. Test changes on staging first

Review Access Periodically

Every few months:

  1. Review API keys - Revoke unused keys
  2. Check permissions - Remove unnecessary access
  3. Audit connections - Delete unused connections
  4. Rotate credentials - Issue new keys and revoke the old ones

What to Do If Keys Are Compromised

If you suspect a key was exposed:

  1. Immediately revoke the key in your API provider dashboard
  2. Generate a new key with the same (or narrower) permissions
  3. Update API Mapper with the new key
  4. Check the provider's API logs for unauthorized usage since the exposure
  5. Work out how the key was exposed and close that gap so it does not happen again
