[wp-hackers] The security week? :)
wordpress at santosj.name
Thu Apr 17 04:17:35 GMT 2008
This thread is full of WTF?s. I'll number them off for you.
1. Ryan has stated many times the purpose of SECRET_KEY, blogged about
it. Peter Westwood also had to of mentioned it many times before also on
his weekly SVN report.
I apologize, because really don't know how many of you track the trac
mailing list or look at the SVN or read the Peter Westwood's weekly SVN
report. If you don't know where the weekly SVN report is, then I would
guess you start at westi.wordpress.com and see if you can find it from
I've been out of touch with the SVN and Trac mailing lists, so I've come
across very interesting topics, which would have very much interested
me. So I can understand if all you do is follow the mailing list, you
can miss a lot of good information.
I could also swear that there was a codex page on this information.
Damn, the pluggable.php file in the wp-includes folder can easily be
copied to the codex, since the documentation is GPL.
I'm not sure that you can spread the word well enough, unless it was
built in to the administration. I think, if anything, it should just do
it for you with no fuss and involvement from the user.
2. Um, who said it isn't important to change the SECRET_KEY and why is
that person still breathing?
Change the SECRET_KEY setting! As soon as possible, do it now! It is
very important to change the SECRET_KEY setting from the default. Okay,
after checking documentation, I realize that it was me. However, I
specifically state that it is not required only if it is NOT DEFINED in
wp-config.php, which it is on new installations for 2.5.
Also, you may define SECRET_SALT, which is not defined in wp-config.php
by default and will be generated by WordPress. This means that even if
you don't change the SECRET_KEY, you will be likewise protected from
Those who are paranoid, like me, can define one or both.
3. What about actually allowing it to be defined at installation?
I know that yeah, the installation should only be five minutes and as
easy as pie, but hey, you can randomize the process for the user and the
power users can change it for themselves.
The only problem with defining the SECRET_KEY and/or SECRET_SALT on the
installation or by a web page on the administration is that most
WordPress applications are sent through HTTP and not HTTPS.
It would be another WTF, if you send what is supposed to be a secret
over the net in plaintext. However, much can be said by sending the
actual password over the net in plaintext, but we'll leave that out of
the discussion for the sake of keeping our sanity.
4. Sigh, sometime it would be a good idea to create a phpdocumentor site
You know, there is something said about having inline documentation.
There is something else to be said about having it searchable and where
users actually feel comfortable viewing it. In the past, I had planned
on creating a phpDocumentor site, but I had always felt it was something
that should be on WordPress.org and not on one of my sites that hardly
anyone will go to, until they find out about it and actually do start
going to it.
The only problem with phpDocumentor sites is that they are more
technical, so end users and even most developers who could care less
don't wish to wade through all of it to find the one function they need.
The only goal of the phpDocumentor site is to provide up-to-date web
documentation about functions, which could then in turn be linked from
the codex to the function page on the phpDocumentor site. It doesn't
make sense to have function documentation on the codex, where with each
passing version that the function is not updated means that the greater
the chance that the information on the codex is inaccurate.
Besides, where better to make a change to the documentation than right
there where the change is being made? I don't like finding the function
in the codex and I would very much like it better to have everything
automated. Why should I write the same information twice? I'm just not
going to do it.
I think where codex authors go wrong is that the codex should describe
in English (or whatever language) how to use the functions, instead of
what the properties are and what the function does.
That is all I can think of at the moment. Thank you for taking the time
to read my ranting. However, for such a small thread, so many WTF?s
should not be acceptable.
> On Wed, Apr 16, 2008 at 2:16 PM, Mark Jaquith <mark.wordpress at txfx.net> wrote:
>> We have a couple options here:
>> 1. Spread the word and encourage people to add it.
>> 2. Have a "nag" in wp-admin that generates a random salt, prints the
>> define('SECRET_KEY', $random_salt); line and tells you to add it to
>> 3. Try to automatically add the SECRET_KEY define() to wp-config.php and
>> fall back to #2 if we cannot.
>> #1 is going to result in very few people utilizing the feature. #2 or #3
>> is probably the way to go.
> I like all of the above. Step 1, nag the user with a yellow box, like
> with an upgrade (You need to create a secret key!). Step 2, give them
> a page linked from said yellow box to generate one and save it
> automatically or present it to them and have them do it themselves.
> Should simply be a good long random string.
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
http://www.santosj.name - blog
http://funcdoc.wordpress.com - WordPress Documentation Blog/Guide Licensed under GPLv2
Also known as darkdragon and santosj on WP trac.
More information about the wp-hackers