Credential Constants

Contents

Introduced in Matador Jobs 3.7.0, an alternate method for defining certain sensitive settings was added to Matador Jobs. Some settings fields may be overridden by PHP Constants defined in the WordPress config file. Defining credentials in the this improves security and avoids issues caused by critical settings being unintentionally changed. This help document will show you how to use this feature.

Setting the Foundation

Let’s take a moment to define a few pieces of this puzzle.

What is a “Credential”?

A credential is a piece of information used by Matador Jobs to connect with external services, including your Applicant Tracking Systems and other services.

Credentials can include usernames and passwords, API application keys, API secret keys, and more. Credentials are be used to access sensitive data and even make potentially destructive actions using APIs, so it is important to keep them secure.

It is highly recommended that you also save all login and API credentials in a password manager or secure file accessible by your colleagues.

Why Shouldn’t They Stay in Settings?

Inputting credentials into settings fields makes it easy for users to get up and running, especially those without knowledge of programming. It is super easy to copy-and-paste a username, password, and API keys into a box and click save, but once a site is configured and working, they won’t change often. That said, many users leave these critical pieces of information just “laying around” in a settings screen accessible by most WordPress users and even potentially disrupted by poorly written code elsewhere on the site.

Leaving Credentials in settings screens make it easy for them to be accidentally changed. Since credentials don’t change often, once they are working, it should be difficult to change them.
Leaving Credentials in settings makes it easy for malicious users to steal them. Site operators share access to their site to trusted persons, including web developers and support techs, but just because these people are trusted to work on a site does not mean they should have access to your API connections. Left in basic settings fields, it is easy for users to steal credentials.
Leaving Credentials in settings makes it theoretically possible for poorly written theme or plugin code to modify it, and if credentials are not backed up elsewhere, this can cause a disruption to your site.
Leaving Credentials in the database means hackers can steal access to API connections if they ever compromise your database.

Migrate your credentials outside of the Matador Settings by defining Matador Credentials Constants in the WP Config file.

What is a Credential Constant?

A Credential Constant is a PHP Constant Variable which is defined in the WordPress Configuration file. In PHP, the server-side programming language which WordPress and Matador Jobs is written with, you can define constant variables easily. These are a type of variable which will not be changed by the code during runtime.

Because WP Config files do not store information in the database, they cannot be seen or changed by people without file editor access to your site. To change them requires a conscious effort.

How To Override Settings with Credential Constants

To override a credential-carrying setting with a Credential Constant, you will need to use file access (FTP, sFTP, FTPs) to download and edit a copy of your site’s wp-config.php file.

Find a spot above the line that says “That’s all, stop editing!” and insert your Credential Constants. The list below contain all credentials you can set Constants for in the core Matador Jobs Pro platform. Extensions may also allow you to set additional Credential Constants.