One of the risks of running a public website is that there are plenty of nefarious people, usually spammers and illicit marketers, who want to crack the security systems protecting it. There are two main reasons for this: harvesting the email addresses of commenters to add them to marketing databases, and gaining access to the server to send spam from it. I have rescued several cracked WordPress installations in the past couple of years, which has prompted me to wonder what could be done to protect against the theft of personal data.
My solution is this: when a comment is added to the WordPress database, its private components (the commenter's IP and email address) are encrypted using the public half of an asymmetric key pair. This happens automatically. When an authorised administrator logs on to the WP interface, they supply the private half of the key, which is held in the PHP session only and used to decrypt the personal data on demand. Thus, data thieves have significantly more work to do to capture the private key, and if they have only been able to steal the database, the personal data within it is encrypted and therefore useless without the private key. The protection is aimed at the stolen-database case: an attacker who already has code execution on the server while an administrator is logged in can still read the private key out of the session store, so the private key should never be written to disk or configuration on the server itself.
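As an added illustration of the scheme above (example code, not the plugin described on this page), the following PHP uses the libsodium extension's sealed boxes, which are designed for exactly this case: anyone holding the public key can encrypt, only the private key holder can decrypt, and each message is encrypted under a fresh ephemeral key so identical emails do not produce identical ciphertexts. The field names are WordPress's real comment columns; the sample comment row and the `generate_keypair`/`seal_comment_fields`/`open_comment_fields` function names are assumptions made for this example.

```php
<?php
// Added example, not the author's plugin code. Requires ext/sodium
// (bundled with PHP >= 7.2). Demonstrates sealing comment IP and email to a
// public key at write time and opening them with the administrator's
// private key at read time.

// One-time setup: generate the key pair. Only the public half is stored in
// the site configuration; the private half stays with the administrator and
// is supplied at login, never written to the server.
function generate_keypair(): array {
    $kp = sodium_crypto_box_keypair();
    return [
        'public'  => sodium_crypto_box_publickey($kp),
        'private' => sodium_crypto_box_secretkey($kp),
    ];
}

// Write path (in WordPress this would hang off the preprocess_comment filter):
// seal each private field with the public key. crypto_box_seal generates an
// ephemeral keypair per message, so the output is randomised and authenticated.
function seal_comment_fields(array $comment, string $publicKey): array {
    foreach (['comment_author_email', 'comment_author_IP'] as $field) {
        if (isset($comment[$field]) && $comment[$field] !== '') {
            $comment[$field] = base64_encode(
                sodium_crypto_box_seal($comment[$field], $publicKey)
            );
        }
    }
    return $comment;
}

// Read path (admin UI): open the fields with the private key taken from the
// PHP session. seal_open needs the full keypair, so rebuild it from both halves.
// A wrong key or a tampered ciphertext fails closed rather than returning junk.
function open_comment_fields(array $comment, string $privateKey, string $publicKey): array {
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey($privateKey, $publicKey);
    foreach (['comment_author_email', 'comment_author_IP'] as $field) {
        if (empty($comment[$field])) {
            continue;
        }
        $raw = base64_decode($comment[$field], true);
        if ($raw === false) {
            throw new RuntimeException("$field is not valid base64");
        }
        $plain = sodium_crypto_box_seal_open($raw, $kp);
        if ($plain === false) {
            throw new RuntimeException("Cannot open $field: wrong key or tampered ciphertext");
        }
        $comment[$field] = $plain;
    }
    return $comment;
}

// Demo with a constructed comment row (hypothetical values).
$keys = generate_keypair();
$row = [
    'comment_author'       => 'alice',
    'comment_author_email' => 'alice@example.com',
    'comment_author_IP'    => '203.0.113.7',
];
$stored = seal_comment_fields($row, $keys['public']);
// $stored now holds opaque base64 in both private fields; a stolen database
// dump yields nothing usable without $keys['private'].
$restored = open_comment_fields($stored, $keys['private'], $keys['public']);
assert($restored['comment_author_email'] === 'alice@example.com');
assert($restored['comment_author_IP'] === '203.0.113.7');

// Opening with a different key pair must fail, not silently return garbage.
$other = generate_keypair();
try {
    open_comment_fields($stored, $other['private'], $other['public']);
    assert(false, 'opening with the wrong key should have thrown');
} catch (RuntimeException $e) {
    // expected
}
```

Two design points worth noting. Because the ciphertexts are randomised, the stored email can no longer be compared directly, so any search-by-email feature needs a separate keyed index (for example an HMAC of the normalised address under a key that is also not kept in the database) rather than a lookup on the encrypted column. And because the private key lives in the PHP session, the session backend on the server must be treated as holding plaintext key material for as long as the administrator is logged in.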
I’ve got about 75% of this written (on Github here) and need to make some progress with unit tests and the search interface. Watch this space.