Secure WordPress

Reveal It, Share Your Messages Safely

Blog Secure WordPress Reveal It, Share Your Messages Safely

When I want to share sensitive data or when I ask a client to share sensitive data, I use a service to do the job, a service called

This free service was made by a an ex-coworker, it works fine, I trust him so everything was OK.

Then one day on Slack someone (also using this website) told me that it could be great to have it in french, then another one said that it could be better if there was a privacy page and another one wanted to add some information about how it works, so clients could really trust the system.

I asked Sebastien if he planned to do this, and as I know him, he’s one of the most busy guys with plenty of side project, so I knew he won’t do it soon enough and he refuses to let us contribute or share the source code.

This is why I’m here after a few days spent to create a RevealIt clone called RevealIt…

Revealit in English

Revealit is a free service to share private or sensitive data provided by SecuPress.

So what are the differences from the original one :

The URL is a subdomain of SecuPress, that makes it more trustable even if you don’t know SecuPress ;

  • French and English supported ;
  • A small “how it works” is visible on the front page ;
  • A real terms and conditions page is present ;
  • You can contact me, the links are not 404 pages ;

If you already trust us with SecuPress, you know this is developed the more secured way possible and let’s be honest we don’t cheat, I mean, I have everything to lose to cheat, I won’t.

You may already know how to use that kind of service, but I think a small reminder is a good thing :

First rule is : do not share something directly usable. This means do not share a login/pass/url because if someone can read it before you (I don’t know how I have to say…), they can use it before you. But if you only share a part of the info like only 2 on 3, nobody can use that.

Second rule : Use it when you know that none is looking at your screen because the textarea is a clear text field and not a password one.

Third obvious rule : Don’t open a private message then leave your computer alone is a crowded space, but hey, this is a common sense rule right?

Also, better know that the message will be automatically deleted after 7 days and 0 seconds, or once read, only 1 read and it’s gone.


The website is a small WordPress one (“What? You could have use [insert another working solution]!” “Yes but I love WP, that’s it.”) I didn’t use a Custom Post Type for that, it’s just native options without autoload.

So noone can open the backend to edit a message. Oh, there is no way to read the messages anyway, it’s cyphered using AES-128-CTR with a unique salt seed for each message.

When you load a secret URL to read the message, you are actually on a 404 page, and in the 404 template, I check if this option exists in the database (with a prefix), if so, I trigger what it must be displayed, otherwise, I indicate that this message has already been read, or does not exist or has expired (no need to be precise, on the contrary).

The only way to access the messages is to get into the database to get the data, then get the source code to understand how to decypher it. Good luck (but don’t try thanks).

Good to know, I think it’s important to notice that the data re NOT on the cloud hosted only 1 french host in 1 copy in Clermont-Ferrand, my unique and favourite o2switch !

Now you can replace your bookmark (or add a new one?) with