[wp-hackers] The security week? :)
Austin Matzko
if.website at gmail.com
Thu Apr 17 14:09:23 GMT 2008
On Thu, Apr 17, 2008 at 9:48 AM, MichaelH <justmichaelh at gmail.com> wrote:
> 2. If you don't change the 'put your unique phrase here' phrase, you are
> actually better off deleting the SECRET_KEY definition from wp-config.php.

No, that is not the case. Having the default SECRET_KEY and having no
secret key end up with the same result, and it would be better to
leave it in there as a reminder to customize it later.

> 4. And again, for upgrading users, if they don't add the SECRET_KEY
> definition to their existing wp-config.php, that is okay.

"Okay," but not good. All WP users should have a custom SECRET_KEY to
reduce the risk of a security compromise.

> 5. At any time, you can change the SECRET_KEY value in wp-config.php and
> NOT cause problems when users log in with their existing password.

No problems, but changing the SECRET_KEY will invalidate everyone's
cookies, forcing them to log in again.
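
The points made in this reply can be reproduced with a simplified model of login cookies that are authenticated with a configured key. This is an added example, not code from the original message or from WordPress; the helper names, the per-site stored salt, the HMAC-SHA256 cookie format and the use of `password_hash` are assumptions made for illustration.

```php
<?php
// Simplified model of key-derived login cookies. Assumption, not WordPress source.
const DEFAULT_PHRASE = 'put your unique phrase here'; // placeholder quoted in the thread

// Hypothetical helper: a missing, empty or default key adds nothing, so the
// secret then rests only on a per-site stored salt (assumed to exist).
function effective_secret(?string $configuredKey, string $storedSalt): string {
    $unset = $configuredKey === null || $configuredKey === ''
        || $configuredKey === DEFAULT_PHRASE;
    return ($unset ? '' : $configuredKey) . $storedSalt;
}

// Cookie format (assumed): user|expiry|HMAC-SHA256(user|expiry) under the secret.
// User names containing '|' are out of scope for this model.
function issue_cookie(string $user, int $expires, string $secret): string {
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

function cookie_is_valid(string $cookie, string $secret, int $now): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $user . '|' . $expires, $secret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed sample values throughout.
$now     = time();
$salt    = 'constructed-per-site-salt';
$pwHash  = password_hash('constructed-password', PASSWORD_DEFAULT); // never involves the key
$custom  = effective_secret('constructed custom phrase A', $salt);
$rotated = effective_secret('constructed custom phrase B', $salt);
$cookie  = issue_cookie('admin', $now + 3600, $custom);

// Reply to point 2: no key and the default phrase give the same secret.
var_dump(effective_secret(null, $salt) === effective_secret(DEFAULT_PHRASE, $salt));
// Reply to point 5: the cookie verifies under the key that issued it ...
var_dump(cookie_is_valid($cookie, $custom, $now));
// ... fails after the key changes, so the user has to log in again ...
var_dump(cookie_is_valid($cookie, $rotated, $now));
// ... while the stored password hash is unaffected and still verifies.
var_dump(password_verify('constructed-password', $pwHash));
```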