[wp-hackers] Salting

Otto otto at ottodestruct.com
Mon Jul 1 18:49:59 UTC 2013


If you make your own wp-config.php file instead of letting the
setup-config process do it for you, then yes, you should get your own
salts manually and put them in there. Having it store them in the DB
is slightly slower. Not enough where I'd expect you to notice though.

A lot of install instruction sets still say to copy the
wp-config-sample.php file, but the automatic config process is
somewhat better and I recommend using that when possible.

-Otto


On Mon, Jul 1, 2013 at 1:44 PM, Dobri <dyordan1 at ramapo.edu> wrote:
> Ah, that would make sense. I only brought it up cause I noticed it didn't change anything in the wp-config.php file when I tried a fresh install. Come to think of it that makes no sense whatsoever, better to store it in DB at that point. Thanks for that!
>
> ~Dobri
>
> On Mon, 1 Jul 2013, at 2:36 PM, Andrew Nacin wrote:
>
>> On Mon, Jul 1, 2013 at 2:32 PM, Dobri <dyordan1 at ramapo.edu> wrote:
>>
>>> I might be wrong on how all of this works but since this ->
>>> https://api.wordpress.org/secret-key/1.1/salt/ exists, why isn't it built
>>> into wordpress to just grab a random set of salts on the initial
>>> installation and save it in the wp-config on its own instead of the 'put
>>> your unique phrase here'? I feel like a good 40-50% of all installations
>>> have exactly that as salts so I feel this would make it a bit more secure.
>>> Am I missing something?
>>
>>
>> It is built into WP; see wp-admin/setup-config.php.
>>
>> It's worth noting that if keys or salts are unchanged from the default, or
>> are duplicated in any way, wp_salt() actually refuses to honor what is in
>> wp-config.php, and generates a new value (storing it in the DB).
>>
>> Even if 40-50% of installations have exactly the same salts, wp_salt() very
>> likely is returning something different altogether.
>>
>> Nacin
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
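As an added example, not code from this thread or from WordPress itself, the Python audit below applies the rule Nacin describes above (a key or salt still set to the wp-config-sample.php placeholder, or duplicated, is refused by wp_salt()) to a wp-config.php and replaces each refused value with a fresh one from the OS CSPRNG. The sample config, the regex used to read the define() calls, and the function names are assumptions of this example.

```python
import re
import secrets
from collections import Counter
# The eight constants WordPress reads from wp-config.php for keys and salts.
SALT_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFAULT_PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
SAMPLE_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Qz7!kd2#mP9vLw3rXc8bNt5yHs1uGf4e');
define('LOGGED_IN_KEY',    'Qz7!kd2#mP9vLw3rXc8bNt5yHs1uGf4e');
define('NONCE_KEY',        'aB3dE6gH9jK2mN5pQ8sT1vW4yZ7cF0iL');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'hJ2kL5mN8pQ1sT4vW7yZ0bC3eF6gI9dA');
define('LOGGED_IN_SALT',   'rT4uV7wX0yZ3aB6cD9eF2gH5iJ8kL1nM');
"""  # constructed sample: two placeholders, one duplicated key, NONCE_SALT missing

def parse_salts(config_text):
    """Return {constant: value} for the key/salt defines present in wp-config.php text."""
    return {n: v for n, v in DEFINE_RE.findall(config_text) if n in SALT_CONSTANTS}

def audit_salts(config_text):
    """Flag each constant wp_salt() would refuse: missing, default placeholder, or duplicated."""
    salts = parse_salts(config_text)
    counts = Counter(salts.values())
    problems = {}
    for name in SALT_CONSTANTS:
        if name not in salts:
            problems[name] = "missing"
        elif salts[name] == DEFAULT_PLACEHOLDER:
            problems[name] = "default"
        elif counts[salts[name]] > 1:
            problems[name] = "duplicate"
    return problems

def fresh_value(length=64):
    """Random value from the OS CSPRNG; no quotes or backslashes, so it pastes into a PHP string."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+[]{}<>?,.:|~"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rewrite_config(config_text):
    """Drop every refused define and append a fresh, unique one in its place."""
    new_text = config_text
    for name in audit_salts(config_text):
        new_text = re.sub(r"define\(\s*['\"]%s['\"].*?\);\n?" % name, "", new_text, count=1)
        new_text = new_text.rstrip("\n") + "\ndefine('%s', '%s');\n" % (name, fresh_value())
    return new_text
```

Running audit_salts() over the sample reports the two placeholders, the duplicated pair and the missing NONCE_SALT; after rewrite_config() the audit comes back empty.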
