# SECURITY GUIDE - Managing Warmup Account Credentials ## 🔒 Overview This guide explains how to properly manage your warmup account credentials to keep them secure while making them easy to use across multiple scripts. --- ## 🎯 The Solution: Centralized Config File ### File Structure: ``` HSLG/ ├── config/ │ ├── warmup_accounts_config.php ← Real passwords (GIT IGNORED) │ └── warmup_accounts_config.EXAMPLE.php ← Template (SAFE to commit) ├── warmup_monitor.php ← Uses config ├── warmup_reply_sender.php ← Uses config ├── test_warmup_accounts.php ← Uses config ├── .gitignore ← Protects config └── README.md ``` --- ## 📋 Setup Steps ### Step 1: Copy Template to Real Config ```bash cd C:\xampp\htdocs\HSLG\config copy warmup_accounts_config.EXAMPLE.php warmup_accounts_config.php ``` ### Step 2: Edit Real Config with Passwords Open `warmup_accounts_config.php` and fill in your actual credentials: ```php return [ [ 'email' => 'waszuppmail@gmail.com', // ← Your real email 'password' => 'byjc yfhw jvgu wpga', // ← Your real App Password 'name' => 'Test User', 'imap_host' => '{imap.gmail.com:993/imap/ssl}INBOX', 'priority' => 'high', 'reply_rate' => 90, 'provider' => 'gmail' ], // ... more accounts ]; ``` ### Step 3: Set File Permissions (Linux/Mac) ```bash chmod 600 config/warmup_accounts_config.php ``` This makes the file readable only by you! ### Step 4: Verify .gitignore Make sure `.gitignore` contains: ``` config/warmup_accounts_config.php warmup_accounts_config.php *passwords*.txt ``` --- ## ✅ How Scripts Use the Config ### In any script: ```php // Load accounts from centralized config $accounts = require 'config/warmup_accounts_config.php'; // Now $accounts is an array of all your warmup accounts foreach ($accounts as $account) { echo $account['email']; // Access email echo $account['password']; // Access password } ``` ### Benefits: ✅ **Single source of truth** - Update password once, all scripts get it ✅ **No duplication** - Passwords stored in one place only ✅ **Easy to update** - Change one file, not 5 scripts ✅ **Git-safe** - Real config never committed --- ## 🚨 Security Best Practices ### DO: ✅ **Keep config outside web root** if possible ``` /home/rod/config/warmup_accounts_config.php ← GOOD (outside web) /var/www/html/HSLG/warmup_accounts_config.php ← BAD (inside web) ``` ✅ **Use .gitignore** - Always! ``` # .gitignore config/warmup_accounts_config.php *passwords*.txt ``` ✅ **Set strict file permissions** (Linux/Mac) ```bash chmod 600 warmup_accounts_config.php # Only you can read ``` ✅ **Use App Passwords** (not main passwords) - Gmail: Generate at https://myaccount.google.com/apppasswords - Yahoo: Generate at https://login.yahoo.com/account/security - These only work for email, not full account access ✅ **Keep backups** (encrypted) ```bash # Backup with encryption 7z a -p -mhe=on warmup_config_backup.7z warmup_accounts_config.php ``` ✅ **Rotate passwords periodically** (every 6 months) --- ### DON'T: ❌ **Never commit real passwords to git** ```bash # Check before committing: git status # Should NOT see warmup_accounts_config.php ``` ❌ **Never put config in web-accessible directory** ``` /public_html/config/passwords.php ← BAD! Can be downloaded! ``` ❌ **Never email passwords** (use encrypted file sharing) ❌ **Never store in plain text outside this config** - No Excel files with passwords - No Word docs with passwords - No sticky notes! ❌ **Never use the same password for multiple services** ❌ **Never share App Passwords** (generate separate ones per use) --- ## 🔍 Verify Security ### Test 1: Check .gitignore ```bash cd C:\xampp\htdocs\HSLG git status ``` Should NOT show `warmup_accounts_config.php` in changes. ### Test 2: Try to Access Config via Web Visit: `http://localhost/HSLG/config/warmup_accounts_config.php` Should show: **403 Forbidden** or **blank page** If you see the file contents → SECURITY ISSUE! **Fix with .htaccess in config folder:** ```apache # config/.htaccess Deny from all ``` ### Test 3: Check File Permissions (Linux) ```bash ls -la config/warmup_accounts_config.php ``` Should show: `-rw------- 1 rod rod` (600 permissions) --- ## 📝 Using Config in Your Scripts ### Example 1: Test Script ```php $accounts, 'hslg_sender' => 'rod@loyaltyfanloop.org', ]; // Process accounts foreach ($config['monitored_accounts'] as $account) { processAccount($account); } ``` ### Example 3: Reply Sender ```php 'test@gmail.com', 'password' => 'NEW PASSWORD HERE', // ← Update this line // ... rest stays same ], ``` 3. **Test immediately** ```bash php test_warmup_accounts.php ``` 4. **All scripts auto-update** (they all use the same config!) --- ## 🛡️ What If Credentials Are Compromised? ### Immediate Actions: 1. **Revoke App Passwords** - Gmail: https://myaccount.google.com/apppasswords → Delete - Yahoo: https://login.yahoo.com/account/security → Revoke 2. **Generate new App Passwords** - Create fresh passwords immediately 3. **Update config file** - Replace all old passwords with new ones 4. **Check for unauthorized access** - Gmail: https://myaccount.google.com/device-activity - Yahoo: Account activity log 5. **Enable 2FA** (if not already enabled) - Gmail: https://myaccount.google.com/security - Yahoo: Account security settings --- ## 📊 Database Option (Alternative - More Complex) If you prefer storing credentials in database with encryption: ### Pros: - ✅ Centralized in database - ✅ Can encrypt passwords - ✅ Easy to add/remove accounts via admin panel ### Cons: - ❌ More complex setup - ❌ Requires encryption key management - ❌ Database itself must be secured - ❌ Slower access (database query vs file read) ### Implementation: ```sql CREATE TABLE warmup_account_credentials ( id INT AUTO_INCREMENT PRIMARY KEY, email VARCHAR(255) NOT NULL UNIQUE, encrypted_password VARBINARY(500) NOT NULL, provider ENUM('gmail','yahoo','namecheap') NOT NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); ``` ```php // Encrypt password $encrypted = openssl_encrypt( $password, 'AES-256-CBC', $encryptionKey, 0, $iv ); // Decrypt password $password = openssl_decrypt( $encrypted, 'AES-256-CBC', $encryptionKey, 0, $iv ); ``` **For your use case, the file-based config is simpler and sufficient.** --- ## ✅ Recommended Approach for You **Use the file-based config (warmup_accounts_config.php):** 1. ✅ Simple to set up (5 minutes) 2. ✅ Easy to maintain (edit one file) 3. ✅ Secure if done right (.gitignore, permissions) 4. ✅ Fast (no database queries) 5. ✅ Portable (copy file to new server) **Database is overkill unless:** - You have 50+ accounts - Multiple people manage accounts - You need audit logs of who accessed passwords - You're building an admin panel --- ## 🎯 Quick Reference ### Good File Structure: ``` ✅ config/warmup_accounts_config.php (real, git-ignored) ✅ config/warmup_accounts_config.EXAMPLE.php (template, git-committed) ✅ .gitignore (protects real config) ✅ All scripts load from single config ``` ### Bad File Structure: ``` ❌ warmup_monitor.php (passwords hardcoded) ❌ warmup_reply_sender.php (passwords hardcoded) ❌ test_accounts.php (passwords hardcoded) ❌ Each script has different passwords ❌ Config file committed to git ``` --- ## 🚀 Your Action Plan 1. **Create config directory** (if not exists) ```bash mkdir config ``` 2. **Copy template to real config** ```bash copy warmup_accounts_config.EXAMPLE.php warmup_accounts_config.php ``` 3. **Fill in your real passwords** - Edit warmup_accounts_config.php - Add all 22 account credentials 4. **Update .gitignore** - Add `config/warmup_accounts_config.php` - Verify with `git status` 5. **Update all scripts to use config** - Replace hardcoded arrays with: `$accounts = require 'config/warmup_accounts_config.php';` 6. **Test everything** ```bash php test_warmup_accounts.php php warmup_monitor.php ``` 7. **Commit template only** ```bash git add config/warmup_accounts_config.EXAMPLE.php git add .gitignore git commit -m "Add centralized config template" ``` **Done! Your credentials are now secure and centralized!** 🎉 --- ## 📞 Questions? - **"Can I use environment variables instead?"** Yes! `.env` files work great for production servers. For local development, PHP config file is simpler. - **"What about password managers?"** Great for personal use! But scripts still need passwords in code/config/database. - **"Should I encrypt the config file?"** File permissions are usually sufficient. Encryption adds complexity without much benefit if server is secure. - **"Can I store in AWS Secrets Manager?"** Yes! For production servers, cloud secret managers are excellent. Overkill for local dev. --- **Bottom line: Use the file-based config with .gitignore. It's simple, secure, and perfect for your use case!** 🔒