Updates to the Store Locator Plus WordPress plugin version 4.9.15, released today, includes patches to the Google API Key management.

Let’s start by letting users of our fully managed MySLP SaaS service know that you don’t have to worry about any of this.  You can skip this entire article.

Google API Keys

For our SLP WordPress plugin users there has been a notable change in the management of Google API Keys.

We now support a Geocoding Key and a Browser Key.    The Browser key is used to display the map and handle user-input addresses during a location search.  The Geocoding key is used on your WordPress server to geocoding locations you’ve entered via the Google API.

Each type of access requires a different method of securing the key, if you choose to do so.     Since Google now requires every site to use an API key to render their maps AND they require those API keys to be attached to a billing account, the chances of someone having the desire and putting in the effort to steal an API key has increased.   To help prevent this issue we’ve introduced the Geocoding key, but let’s start with the Browser Key.

Google Browser Key

This key is the same Google API key you’ve been using all along.   This is the default key that, up until the 4.9.15 release, should have been used to allow your site to talk to Google.   It previously had no restrictions on the key.

As of 4.9.15 you can now go to your Google Cloud Platform and set the HTTP referrer restriction.  The URL you enter should match your website.    This ensures that if someone does copy this key, it won’t work unless the site they install it on happens to match your domain name — very unlikely.

IMPORTANT Note:!!  If you add a restrictive referrer key  your back-end Geocoding will break.   You can no longer add locations and have them show up on the map — unless you have a Geocoding Key as well. Regardless of whether or not you obtain one of two keys, Google will require you to establish a billing account. Read here for more info on how the Google Billing account works.

Google Geocoding Key

If you do NOT set a restriction on your Google Browser Key, you do NOT need to set a Geocoding key.  Store Locator Plus will use your unrestricted Google Browser Key.

However, if you did set a restriction on your Google Browser Key, you will now need to go to the Google Cloud Platform and create a SECOND key to be used by your WordPress plugin install.   Here you will create a new API key and either set it to have NO RESTRICTIONS or set it to have an IP Address restriction.  You CANNOT use HTTP Referrer restrictions here as Google will block the request — HTTP Referrer restrictions are only allowed on browser-to-Google not server-to-Google requests.

If you use IP Address restrictions the IP address must be the direct IP address of the server not a proxy service address.  Since this key is not exposed to the general public and can only be seen by your site administrators there is little risk of it being copied if you leave this key with no restrictions.

Google Business License

Along with these changes the support of Google OEM licenses or Google Business Licenses has been dropped.  This feature was seldom used and added a lot of complexity to the Google Maps requests.  Combined with the ability to use pay-as-you-go billing from Google and achieve similar performance we opted to speed up our product and eliminate the API key confusion for 99.99% of our customers by dropping this feature.

Non-Google Patches

We’ve also included a few patches including patching a bug showing duplicate entries under the Categories interface for Power users, preparing our WordPress plugin for direct communication with MySLP accounts for easy location exports to our managed service, and fixing some behind-the-scenes memory management issues.

Leave a Reply