[wp-trac] [WordPress Trac] #44887: Add an error on installation if the security keys are not secure
WordPress Trac
noreply at wordpress.org
Tue Sep 4 07:49:33 UTC 2018
#44887: Add an error on installation if the security keys are not secure
-------------------------+-----------------------------
Reporter: nnikolov | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
Hello.
My suggestion is simple. When the installation process starts, check
whether the user has actually changed the security keys in **wp-config.php**
and show an error if one of them still has its default value **'put your
unique phrase here'**. Also show another error if two of the keys are the
same.
Here is one way to do it: add the following code (without the opening php
tag) to the **wp-admin/install.php** file on **line 277** (talking about
version 4.9.8).
{{{#!php
<?php
// Abort the installer if any key or salt still carries the placeholder value.
if ( in_array( 'put your unique phrase here', array( AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT ) ) ) {
	display_header();
	die(
		'<h1>' . __( 'Configuration Error' ) . '</h1>' .
		'<p>' . sprintf(
			/* translators: %s: wp-config.php */
			__( 'At least one of the security keys in your %s file still has its default value.' ),
			'<code>wp-config.php</code>'
		) . '</p></body></html>'
	);
}
// Abort if any two of the eight values are identical (fewer than 8 distinct values).
if ( count( array_unique( array( AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT ) ) ) < 8 ) {
	display_header();
	die(
		'<h1>' . __( 'Configuration Error' ) . '</h1>' .
		'<p>' . sprintf(
			/* translators: %s: wp-config.php */
			__( 'The security keys in your %s file need to be different from each other.' ),
			'<code>wp-config.php</code>'
		) . '</p></body></html>'
	);
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44887>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
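A standalone version of the check, added here as an example and not part of the ticket's patch or of WordPress core: it reports the two problems the ticket describes (placeholder default, identical values) plus a minimum-length check, and can run either against the constants install.php sees or, from a shell, against a copy of wp-config.php without loading WordPress. The function names wp_secret_constant_names, wp_defined_secret_keys, wp_extract_secret_keys and wp_check_secret_keys, the 32-character floor and the sample configuration are all assumptions of this example.

```php
<?php
// Added example, not the ticket's patch and not WordPress core code: audit the
// eight security keys/salts for placeholder defaults, identical values and
// short values. Run with `php audit.php` to see it over the constructed sample.

define( 'WP_DEFAULT_PHRASE', 'put your unique phrase here' );
// Assumption: 32 characters is this example's own floor; the api.wordpress.org
// generator emits 64-character values, so anything shorter was likely hand-typed.
define( 'WP_MIN_KEY_LENGTH', 32 );

function wp_secret_constant_names() {
    return array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
}

// Collect the constants that a loaded wp-config.php has already defined.
// This is the form the check would take inside wp-admin/install.php.
function wp_defined_secret_keys() {
    $keys = array();
    foreach ( wp_secret_constant_names() as $name ) {
        if ( defined( $name ) ) {
            $keys[ $name ] = constant( $name );
        }
    }
    return $keys;
}

// Pull define( 'NAME', 'value' ) pairs out of wp-config.php source text without
// executing the file, so the audit can run offline against a copy of it.
function wp_extract_secret_keys( $config_source ) {
    $keys = array();
    foreach ( wp_secret_constant_names() as $name ) {
        $pattern = '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*([\'"])(.*?)\1\s*\)/s';
        if ( preg_match( $pattern, $config_source, $m ) ) {
            $keys[ $name ] = $m[2];
        }
    }
    return $keys;
}

// Return human-readable problems; an empty array means the keys pass.
function wp_check_secret_keys( array $keys ) {
    $problems = array();

    foreach ( wp_secret_constant_names() as $name ) {
        if ( ! array_key_exists( $name, $keys ) ) {
            $problems[] = "$name is not defined";
            continue;
        }
        $value = $keys[ $name ];
        if ( '' === $value ) {
            $problems[] = "$name is empty";
        } elseif ( WP_DEFAULT_PHRASE === $value ) {
            $problems[] = "$name still has the default value";
        } elseif ( strlen( $value ) < WP_MIN_KEY_LENGTH ) {
            $problems[] = "$name is shorter than " . WP_MIN_KEY_LENGTH . ' characters';
        }
    }

    // Group names by value so every set of identical keys is named, not just
    // counted as in the ticket's array_unique() check. Placeholders are already
    // reported above, so they are skipped here.
    $by_value = array();
    foreach ( $keys as $name => $value ) {
        $by_value[ $value ][] = $name;
    }
    foreach ( $by_value as $value => $names ) {
        if ( count( $names ) > 1 && WP_DEFAULT_PHRASE !== $value ) {
            $problems[] = 'identical values: ' . implode( ', ', $names );
        }
    }

    return $problems;
}

// Constructed sample wp-config.php fragment (not from any real site): two
// placeholders, one hand-typed short key, two identical salts, four acceptable.
$sample_config = <<<'CFG'
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'Xk2#mP9!vQ4$nR7&bT1*wL6^yH3%cJ8@dF5(gN0)' );
define( 'NONCE_KEY',        'short' );
define( 'AUTH_SALT',        'aZ7~qE3+uM5=iO1,sD9.hG2;kB4:lC6/xV8?jW0|' );
define( 'SECURE_AUTH_SALT', 'aZ7~qE3+uM5=iO1,sD9.hG2;kB4:lC6/xV8?jW0|' );
define( 'LOGGED_IN_SALT',   'rT4<pY6>eU8{oI0}tA2[sF5]dG7 hJ9-kL1_zX3!' );
define( 'NONCE_SALT',       'mB5!nC7@vD9#xE1$zF3%aG5^cH7&bI9*dJ1(fK3)' );
CFG;

$problems = wp_check_secret_keys( wp_extract_secret_keys( $sample_config ) );
if ( empty( $problems ) ) {
    echo "Security keys OK\n";
} else {
    foreach ( $problems as $problem ) {
        echo "Configuration error: $problem\n";
    }
}
```

Inside install.php the call would be wp_check_secret_keys( wp_defined_secret_keys() ) instead of the regex extraction; the extraction path exists so the same checks can be run from a shell against a backup of the file without loading WordPress, which would try to open a database connection. On the constructed sample it reports four problems: the two placeholders, the short NONCE_KEY, and the identical AUTH_SALT and SECURE_AUTH_SALT. One caveat for anyone assessing the impact: wp_salt() in wp-includes/pluggable.php already substitutes database-stored random values for a key that is undefined, empty, equal to the placeholder or duplicated among the constants, so the value of an install-time error is that it surfaces the misconfiguration to the administrator, not that it repairs an otherwise predictable key.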