[wp-hackers] The security week? :)
Ryan Boren
ryan at boren.nu
Thu Apr 17 23:40:42 GMT 2008
On Thu, Apr 17, 2008 at 2:45 PM, Stephen Rider
<wp-hackers at striderweb.com> wrote:
> Just to be clear...
>
> Please correct me if I'm wrong (security is not my strong point):
>
> We should be defining both SECRET_KEY and SECRET_SALT in wp-config.php.
SECRET_SALT does not need to be defined. Having one secret in the DB
instead of wp-config.php will prevent someone who somehow gets at your
wp-config.php (there have been some http server bugs that expose
files) from creating a cookie. Of course, if your DB is misconfigured
and allows connections from anywhere, someone who has wp-config.php
has your DB credentials and can get into your DB and change the
secret.
> They should both be filled with a completely random, and preferably long,
> string, e.g. 'i!Db)RO;wIhV%YU!PY,C at L7^Jb0*(8~A]2";J9<II`-FwF$Shi$&r60(\vH/'
Random and long is good. There are lots of random string generators around.
https://www.grc.com/passwords.htm
> They should NOT be the same, however.
Correct.
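An added illustration of the split-secret point made above (example code written for this page, not WordPress's own implementation; the secret values, function names and the choice of HMAC-SHA256 are constructed assumptions): the cookie MAC key is the wp-config.php secret concatenated with the database secret, so a cookie built from the file secret alone fails verification.

```python
import hashlib
import hmac

# Constructed sample secrets for the demonstration (not real values).
CONFIG_SECRET_KEY = "file-secret-5Y!p#Qm9(z"   # what wp-config.php holds
DB_SECRET_SALT = "db-secret-r2T&k8@Lx"          # what the DB-stored secret option holds


def cookie_key(config_key: str, db_salt: str) -> bytes:
    """Key for the cookie MAC: file secret and DB secret concatenated, so reading
    wp-config.php alone does not yield the key needed to mint a valid cookie."""
    return (config_key + db_salt).encode()


def make_auth_cookie(username: str, expiration: int, config_key: str, db_salt: str) -> str:
    """Build 'username|expiration|mac', with the MAC covering username and expiration."""
    msg = f"{username}|{expiration}".encode()
    mac = hmac.new(cookie_key(config_key, db_salt), msg, hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{mac}"


def verify_auth_cookie(cookie: str, now: int, config_key: str, db_salt: str):
    """Return the username if the cookie is well-formed, unexpired and its MAC
    matches under the combined secret; otherwise return None."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None  # malformed cookie
    username, expiration, mac = parts[0], int(parts[1]), parts[2]
    if expiration < now:
        return None  # expired
    msg = f"{username}|{expiration}".encode()
    expected = hmac.new(cookie_key(config_key, db_salt), msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None  # wrong key (e.g. DB secret unknown) or tampered fields
    return username
```

Rotating the DB-stored secret invalidates every outstanding cookie without touching wp-config.php, which is the recovery step if the file is believed to have been read.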