This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Password Vault


Do NOT use with PHP 7.3 or above. This plugin currently uses features which are only found in PHP 7.2 and below.

Allows for the secure saving of passwords within the WordPress Admin Interface. Access to a accounts can be given based on
wordpress users and/or groups. Groups are defined within the plugin directly on the settings screen. Plugin uses your sites
specific SECURE_AUTH_KEY value from your wp-config.php file as your encryption key, so no two sites use the same key (a
warning is shown if you are using the default value).

The plugin includes 5 user configurable fields (“Client Name” and “Account Type” in the screenshots) so you can customize
them for your needs.

All viewing of passwords as well as changing of passwords is logged for auditing purposes.

Encryption keys can be changed by putting the new key in the wp-config.php file and the old key in the settings page, then
running through the key migration process.

Searching in the username field supports wildcard searching by default. By default the five user defined fields are static
matching when there is a value in the field. Wildcard searching is supported on the user defined fields by using the %.


  • Adding a new account.
  • Searching for an account.
  • Editing an account.
  • Editing permissions on an account.
  • Main settings page.
  • Group Management settings page.
  • Group Membership settings page.
  • Optional Settings Menu


This section describes how to install the plugin and get it working.


  1. Upload the contents of the zip file to the /wp-content/plugins/password-vault directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Set a secure password as the SECURE_AUTH_KEY value in the wp-config.php file
  4. Configure the settings through the settings page.
  5. Begin documenting account information through the tools page.


What does this plugin do?

This plugin allows you to securly store usernames and passwords online in a password protected repository.

How do I change the encryption key?

To change the encryption key, first enter the new key in the wp-config.php file. Then open the settings page,
and put the old key in the field at the bottom and save the settings. A new menu option at the top of the page
will appear called “Complete Key Change”. Select this link, check the checkbox to verify that you have a backup
and click the “Complete Key Change” button. Depending on how much data you have in the main table and the audit
table this process may run quickly or it may take a long time. No matter how long it takes do NOT stop the process.

Stopping the process can cause you to loose access to some or all of the data.

After the process is done, go back to the main page and remove the old encryption key and save the settings. This will
remove the link from the menu at the top of the page.

How many Groups can I have?

Basically as many as you want. The field is an INT(11) in MySQL so you should be able to have 2,147,483,647 groups.

Where are the users configured?

The users are simply users from WordPress.

Can a user see an account if they don’t have access to it?

Sort of. They will be able to see that the account exists, but they won’t be able to see the password. Even if they
figure out the ID number and stick it in the URL field manually it still won’t show them the password.

Can someone have write permissions without read permissions?

No. If you grant write permissions to a user, they get read permissions automatically.

Can someone have owner permissions without read or write permissions?

No. If you grant owner permissions to a user, they get read and write permissions automatically.

What takes priority, group or user permissions?

Neither, they are merged.

My site is behind a load balancer, and I’ve got the “Requires SSL” setting checked, but it isn’t working.

This is because the application is using the is_ssl() function within WordPress
which isn’t correctly handle load balancers. For now it is recommended that you follow the directions in the is_ssl()
document and add the “Force SSL URL Scheme” plugin to your site so that the site forces SSL. If this doesn’t work, contact us
via the forums and we’ll figure it out.

Why does auditing turn itself on every time I upgrade or activate the plugin?

This is done as a security precaution. Every time the plugin is activated it turns auditing back on if it is disabled.


There are no reviews for this plugin.

བྱས་རྗེས་འཇོག་མཁན། & གསར་འབྱེད་པ།

“Password Vault” is open source software. The following people have contributed to this plugin.




  • Fixed passwords being saved in autosave dropdown in the browser
  • Fixed another XSS potential issue


  • Fixed XSS potential issues
  • Tested up through 4.7.2
  • Changed default screen to be search page instead of just the menu


  • Tested for version 4.3
  • Fixed issue with users being able to see passwords from other groups
  • Fixed issue with permissions not being added to new records on insert correctly


  • Tested for version 4.1
  • Verified that all database calls with parameters which have user specified data are paramaterized
  • Sanatizing user inputs to prevent javascript attacks


  • Changed graphics to use absolute paths based on plugin folder location, so they aren’t incorrect if using non-default location.
  • Cleaned up some class calls.
  • Uploaded this update from 30k feet at 400mph, because that’s just how I roll.


  • Added a setting to hide the application unless the user is a member of a group within the application.
  • Added a setting to hide users and groups which the user doesn’t have a group relationship with.
  • Changed the builtin ad from showing the WordPress version number to the plugin version number.


  • Allows for users to see or not see accounts they have access to depending on setting.
  • Added validation to ensure that values are the correct length when being stored.
  • Added button to go from adding a new record to using that record quicker.
  • Added option to redirect away from page with password showing after n seconds.
  • Added a link to the “requires SSL” error to make it easier to get to the app via SSL.
  • Enabled account deletion, when deletion is enabled in the settings.
  • Made all custom fields wildcard searches by default.
  • Cleaned up buttons on the view account screen.


  • Fixing icon in custom menu, because I’m an idiot.


  • Fixing icon files which didn’t get uploaded in the initial 1.3 release


  • Made option to have application as it’s own menu item instead of under Options and Tools menus


  • Fixed the double back slash problem
  • Removed the double back slash problem from the FAQ
  • Made URLs in the user defined fields clickable from the search page
  • Fixed formatting on the Find Account page


  • Fixed formatting issues with a couple of tables.


  • Fixing upgrade code.


  • Made auditing optional
  • Logs when auditing is enabled and disabled
  • Tightened up the code a little
  • Added an additional security check to ensure user is logged in when using the application


  • Cleaned up buttons
  • Added audit viewing screen.
  • Add option to require SSL for plugin use. Settings page doesn’t require SSL.
  • Made custom labels optional or required.
  • Code cleanup.


  • User Defined Fields are added.
  • Group Management.
  • Group Membership.
  • Encryption for passwords everywhere they are stored.
  • User level permissions.
  • Group permissions.