[wp-hackers] Salting

Dobri dyordan1 at ramapo.edu
Mon Jul 1 18:44:56 UTC 2013


Ah, that would make sense. I only brought it up 'cause I noticed it didn't change anything in the wp-config.php file when I tried a fresh install. Come to think of it, that makes no sense whatsoever, better to store it in DB at that point. Thanks for that!

~Dobri

On Mon, 1 Jul 2013, at 2:36 PM, Andrew Nacin wrote:

> On Mon, Jul 1, 2013 at 2:32 PM, Dobri <dyordan1 at ramapo.edu> wrote:
> 
>> I might be wrong on how all of this works but since this ->
>> https://api.wordpress.org/secret-key/1.1/salt/ exists, why isn't it built
>> into WordPress to just grab a random set of salts on the initial
>> installation and save it in the wp-config on its own instead of the 'put
>> your unique phrase here'? I feel like a good 40-50% of all installations
>> have exactly that as salts so I feel this would make it a bit more secure.
>> Am I missing something?
> 
> 
> It is built into WP; see wp-admin/setup-config.php.
> 
> It's worth noting that if keys or salts are unchanged from the default, or
> are duplicated in any way, wp_salt() actually refuses to honor what is in
> wp-config.php, and generates a new value (storing it in the DB).
> 
> Even if 40-50% of installations have exactly the same salts, wp_salt() very
> likely is returning something different altogether.
> 
> Nacin
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
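
An added example, not part of the original thread and not WordPress code: a small audit that reads a wp-config.php and reports which of the eight key/salt constants are still the default phrase or duplicate another constant, the two conditions under which, per the reply above, wp_salt() ignores the file value and uses a generated one stored in the DB. The function name `audit_wp_config`, the status labels and the sample config are constructed for illustration, and the parser assumes simple one-line `define()` calls.

```python
import re
from collections import Counter

# The eight secret constants WordPress reads from wp-config.php.
SECRET_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
DEFAULT_PHRASE = "put your unique phrase here"  # placeholder quoted in the thread

# Matches define('NAME', 'value'); at the start of a line, so lines that are
# commented out with // or # are skipped. Assumes the value does not contain
# the quote character that delimits it.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""",
    re.MULTILINE,
)

def audit_wp_config(text):
    """Return {constant: 'ok' | 'default' | 'duplicate' | 'missing'}."""
    values = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)
              if m.group(2) in SECRET_NAMES}
    counts = Counter(values.values())
    report = {}
    for name in SECRET_NAMES:
        value = values.get(name)
        if not value:                      # not defined, or defined as ''
            report[name] = "missing"
        elif value == DEFAULT_PHRASE:      # left at the shipped placeholder
            report[name] = "default"
        elif counts[value] > 1:            # same secret reused for another constant
            report[name] = "duplicate"
        else:
            report[name] = "ok"
    return report

# Constructed sample config (not taken from a real site).
SAMPLE = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'k3-constructed-value-A');
define('LOGGED_IN_KEY',    'k3-constructed-value-B');
define('NONCE_KEY',        'k3-constructed-value-B');
// define('AUTH_SALT',     'commented-out-value');
define("SECURE_AUTH_SALT", "k3-constructed-value-C");
"""

if __name__ == "__main__":
    for name, status in audit_wp_config(SAMPLE).items():
        print(f"{name:17} {status}")
```
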


