Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: NotATether on November 16, 2020, 07:57:40 AM



Title: Safely enable JSON-RPC on Core with wallets inside?
Post by: NotATether on November 16, 2020, 07:57:40 AM
If I have password protected wallets on Bitcoin Core, but I need to make an RPC username and password for myself, for the purpose of calling utility JSON-RPC calls unrelated to the wallets, am I still under a risk of attack if someone finds the username and password? Can someone make a call that spends money from a password-protected wallet?


Title: Re: Safely enable JSON-RPC on Core with wallets inside?
Post by: HCP on November 16, 2020, 11:51:31 PM
Are you making those RPC calls from the same machine or are they being initiated from across the network? If it's local, you might be better off not using the user/password option and simply using the .cookie file authentication.

If it's a network request, you can use the "rpcauth" option which stores a "username:SALT$HASH" in your bitcoin.conf so that your password will still be "unknown" if the bitcoin.conf gets compromised.

Refer: https://bitcoin.stackexchange.com/questions/46782/rpc-cookie-authentication


Title: Re: Safely enable JSON-RPC on Core with wallets inside?
Post by: NotATether on November 17, 2020, 06:38:43 AM
Quote from: HCP on November 16, 2020, 11:51:31 PM
Are you making those RPC calls from the same machine or are they being initiated from across the network? If it's local, you might be better off not using the user/password option and simply using the .cookie file authentication.

If it's a network request, you can use the "rpcauth" option which stores a "username:SALT$HASH" in your bitcoin.conf so that your password will still be "unknown" if the bitcoin.conf gets compromised.

Refer: https://bitcoin.stackexchange.com/questions/46782/rpc-cookie-authentication

I will be making the calls from the same server, because I would like to make a wrapper API around the utility RPC calls and combine them with other things.

Would the cookie file be better in this case, or rpcauth? In any case I don't want to store the password in plain text.


Title: Re: Safely enable JSON-RPC on Core with wallets inside?
Post by: HCP on November 17, 2020, 07:13:59 AM
With the cookie file, you can control the access to the cookie file by setting the appropriate read permissions on the file. The .cookie is automatically created when the bitcoind daemon starts, and is deleted when the daemon stops.

bitcoin-cli should automagically find the .cookie file by looking in the default datadir when you execute it locally (assuming you left it as default)... otherwise, you can also specify the datadir using the -datadir option.

You can also use rpcallowip setting to restrict access to RPC to the localhost only for added protection.
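The two credential schemes HCP describes, worked through as an added example (this is not code from the thread or from Bitcoin Core itself). The rpcauth part re-implements the construction Bitcoin Core's share/rpcauth/rpcauth.py uses: bitcoin.conf stores "username:SALT$HASH" where HASH is hex HMAC-SHA256 keyed with the hex salt string over the password, so a stolen bitcoin.conf does not yield the password, and verification recomputes the HMAC in constant time. The cookie part parses the "user:token" line bitcoind writes to .cookie and turns it into the HTTP Basic header a local wrapper would send. The password generator, the demo cookie file and its path, and the bitcoin.conf fragment are constructed for this example; the 0600 permission is the access control HCP suggests, applied here by the demo rather than by bitcoind.

```python
#!/usr/bin/env python3
"""Added example: Bitcoin Core RPC credentials without a plaintext password.

rpcauth: config line "rpcauth=user:SALT$HMAC-SHA256(key=SALT, msg=password)",
         the scheme used by Bitcoin Core's share/rpcauth/rpcauth.py.
cookie:  bitcoind writes "__cookie__:<hex token>" to .cookie in the datadir;
         a same-host client reads it and uses it as HTTP Basic auth.
The demo cookie and datadir below are constructed for this example."""
import base64
import hmac
import os
import secrets
import tempfile


def generate_salt(nbytes=16):
    """Random hex salt (rpcauth.py likewise draws 16 random bytes)."""
    return os.urandom(nbytes).hex()


def password_to_hmac(salt, password):
    """HMAC-SHA256 over the password, keyed with the hex salt as ASCII bytes."""
    return hmac.new(salt.encode("utf-8"), password.encode("utf-8"), "sha256").hexdigest()


def make_rpcauth_line(username, password=None, salt=None):
    """Return (bitcoin.conf line, password). Only the operator sees the
    password; the config line carries salt and HMAC, never the password."""
    if ":" in username:
        raise ValueError("rpcauth usernames cannot contain ':'")
    # Assumption: our own password generator, not rpcauth.py's.
    password = password or secrets.token_urlsafe(32)
    salt = salt or generate_salt()
    return f"rpcauth={username}:{salt}${password_to_hmac(salt, password)}", password


def verify_rpcauth(rpcauth_line, username, password):
    """What the server side must do with an incoming Basic-auth request:
    recompute the HMAC with the stored salt and compare in constant time."""
    value = rpcauth_line.split("=", 1)[1] if rpcauth_line.startswith("rpcauth=") else rpcauth_line
    stored_user, rest = value.split(":", 1)
    salt, digest = rest.split("$", 1)
    if stored_user != username:
        return False
    return hmac.compare_digest(password_to_hmac(salt, password), digest)


def localhost_conf_lines(rpcauth_line):
    """bitcoin.conf fragment that keeps RPC reachable only from this host."""
    return ["server=1", "rpcbind=127.0.0.1", "rpcallowip=127.0.0.1", rpcauth_line]


def write_demo_cookie(datadir):
    """Constructed stand-in for the file bitcoind creates at startup:
    user '__cookie__' plus a random hex token, readable by the owner only."""
    path = os.path.join(datadir, ".cookie")
    with open(path, "w") as f:
        f.write("__cookie__:" + secrets.token_hex(32))
    os.chmod(path, 0o600)  # the read-permission control HCP recommends
    return path


def read_cookie(path):
    """Parse '<user>:<token>' from the cookie file."""
    with open(path) as f:
        user, token = f.read().strip().split(":", 1)
    return user, token


def basic_auth_header(user, secret):
    """Authorization header value; identical for rpcauth and cookie clients."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def decode_basic_auth(header):
    """Inverse of basic_auth_header: what bitcoind extracts from the request."""
    user, secret = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, secret


def demo_cookie_roundtrip():
    """Write a demo cookie in a temp datadir, read it back, return (user, token)."""
    with tempfile.TemporaryDirectory() as datadir:
        return read_cookie(write_demo_cookie(datadir))


if __name__ == "__main__":
    line, pw = make_rpcauth_line("wrapper")
    print("\n".join(localhost_conf_lines(line)))
    print("password (shown once, keep it out of bitcoin.conf):", pw)
    user, token = demo_cookie_roundtrip()
    print("cookie client header:", basic_auth_header(user, token))
```

For a wrapper running on the same box as bitcoind, read the live cookie from the datadir at request time rather than caching it: the token changes on every daemon restart, and the file disappears when bitcoind stops, so a stale copy is a clear sign the node went away.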