[wp-trac] Re: [WordPress Trac] #8647: Try to configure secure keys in wp-config.php on install

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 18 15:07:58 GMT 2008

#8647: Try to configure secure keys in wp-config.php on install
 Reporter:  sivel        |        Owner:  has-patch
     Type:  enhancement  |       Status:  new      
 Priority:  normal       |    Milestone:  2.8      
Component:  General      |      Version:  2.7      
 Severity:  normal       |   Resolution:           
 Keywords:               |  
Comment (by sivel):

 Replying to [comment:1 jacobsantos]:
 > Why not attempt to create the key yourself if the response fails.

 Isn't that what I said and what the patch does?  If the response fails, the
 user is informed to create the keys themselves.

 > Some will '''NOT''' want to have the keys over HTTP connection. HTTPS
 > might be only a tiny bit better.

 The patch is configured to use the HTTPS URL and not the HTTP URL.  Since
 wp-config.php lists the URL to the secret-keys API as the recommended way
 to generate these secret keys, how is it any less secure than the user
 requesting that page and then pasting it into their file?  Most users use
 FTP anyway, so they would have just requested the API using HTTPS in their
 browser and then used plain-text FTP to upload their secret keys, which is
 less secure than the install handling it.

Ticket URL: <http://trac.wordpress.org/ticket/8647#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
