How to store a secret for a plugin inside public_html
My friend has a WordPress site, and I have a Django server. I am trying to talk to his WordPress site's custom REST API endpoints and do privileged activities like creating and unpublishing posts. I am making a plugin for him.
My friend's WordPress hosting has the following structure:
public_html
  - wp-admin
  - wp-content
    - plugins
      - My-Shiny-New-REST-Plugin
        - secret.php
  - wp-includes
In order for the WordPress REST API and my server to talk together, I wish for them to both have copies of a secret key. On the WordPress site it will be stored in secret.php above. Now what concerns me is that, as far as I can see, PHP code seems to be public (Django Python code is private). And I imagine secret.php is not very secret at all.
How does one store a secret token for one's plugin in a secure way?
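
One way to set this up, as an added example that is not part of the original post: the key is defined as a constant in wp-config.php instead of a file in the plugin directory, and the plugin's REST route accepts only requests carrying a valid HMAC made with it. The constant name `MSNRP_SHARED_SECRET`, the `msnrp_*` functions, the `X-MSNRP-*` headers and the `msnrp/v1` route are hypothetical names chosen for illustration.

```php
<?php
/**
 * Plugin Name: My Shiny New REST Plugin (added example)
 */
// Exit when the file is requested directly instead of being loaded by WordPress.
defined( 'ABSPATH' ) || exit;

// Assumption: wp-config.php contains
//   define( 'MSNRP_SHARED_SECRET', '<placeholder: long random value>' );
// so the key is not in the plugin directory or in the plugin's repository.
function msnrp_secret() {
    return defined( 'MSNRP_SHARED_SECRET' ) ? (string) MSNRP_SHARED_SECRET : '';
}

function msnrp_forbidden() {
    return new WP_Error( 'msnrp_forbidden', 'Forbidden', array( 'status' => 403 ) );
}

// Permission check: recompute HMAC-SHA256 over "timestamp.body" with the
// shared key and compare it with the signature header in constant time.
function msnrp_check_signature( WP_REST_Request $request ) {
    $secret = msnrp_secret();
    $ts     = (string) $request->get_header( 'x-msnrp-timestamp' );
    $sig    = (string) $request->get_header( 'x-msnrp-signature' );
    if ( '' === $secret || '' === $sig || ! ctype_digit( $ts ) ) {
        return msnrp_forbidden(); // fail closed when anything is missing
    }
    // Only accept timestamps within five minutes of the server clock.
    if ( abs( time() - (int) $ts ) > 300 ) {
        return msnrp_forbidden();
    }
    $expected = hash_hmac( 'sha256', $ts . '.' . $request->get_body(), $secret );
    return hash_equals( $expected, $sig ) ? true : msnrp_forbidden();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'msnrp/v1', '/unpublish/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'permission_callback' => 'msnrp_check_signature',
        'callback'            => function ( WP_REST_Request $request ) {
            // Unpublish by moving the post back to draft.
            $id = wp_update_post(
                array( 'ID' => (int) $request['id'], 'post_status' => 'draft' ),
                true
            );
            return is_wp_error( $id ) ? $id : array( 'id' => $id, 'status' => 'draft' );
        },
    ) );
} );
```

The Django side would send the same two headers, computing the signature over the identical `timestamp.body` string with its own copy of the key.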