[wp-hackers] The security week? :)

Ryan Boren ryan at boren.nu
Thu Apr 17 23:42:44 GMT 2008

On Thu, Apr 17, 2008 at 7:09 AM, Austin Matzko <if.website at gmail.com> wrote:
> On Thu, Apr 17, 2008 at 9:48 AM, MichaelH <justmichaelh at gmail.com> wrote:
>  >  2. If you don't change the 'put your unique phrase here'  phrase, you are
>  >  actually better off deleting the SECRET_KEY definition from wp-config.php.
>  No, that is not the case.  Having the default SECRET_KEY and having no
>  secret key end up with the same result, and it would be better to
>  leave it in there as a reminder to customize it later.
>  > 4. And again, for upgrading users, if they don't add the SECRET_KEY
>  > definition to their existing wp-config.php, that is okay.
>  "Okay," but not good.  All WP users should have a custom SECRET_KEY to
>  reduce the risk of a security compromise.
>  > 5.  At any time, you can change the SECRET_KEY value in wp-config.php and
>  > NOT cause problems when users log in with their existing password.
>  No problems, but changing the SECRET_KEY will invalidate everyone's
>  cookies, forcing them to log in again.

Just seconding what Austin said.  Spot on.

More information about the wp-hackers mailing list