[wp-hackers] The security week? :)

Jacob Santos wordpress at santosj.name
Thu Apr 17 23:59:00 GMT 2008


The documentation for a lot of the hashing and password functions is
incorrect and needs to be updated in the source, and there needs to be
a codex page that lists the information from this thread as well as
helpful tips.

I'm going to do the inline documentation this weekend, since it is very
important to have correct information. However, if there isn't a codex
page when I get to it, then I'll create one.

If someone creates a codex page, please post it to this thread, so that I
can find yours.

In the future, when there are changes to the core and patches don't
include documentation changes, it would be nice if the core developers can
proceed to do so. I say it would be nice, but really I mean you better do
it, lest the documentation go stale and you have a similar problem as you
would have if it was in the codex. That is except that it is right in
front of you, so there really isn't any excuse.

I say that and really what I mean is that patches and developers (core or
otherwise) should correct and add documentation whenever possible.

I would go deeper and say stuff that wouldn't be acceptable, but I'll
leave that for a day when I'm actually right enough times. Right now it is
1 and 0 and not in my favor.

Ah a person can dream, a person can dream. Here is to a day when every
function is documented with mostly accurate information and when it would
actually be acceptable to say what I want to say. That would be good. Not
my complaining, but the fact that every function would be documented.

Except that core developers and patches adding new functions that
don't have documentation really cause the movement to go backwards,
which is terrible. I'll scream, I really will, if two years after every
function is documented there are just as many functions which aren't
documented.

A nice way of putting it, I think. I think that in two years, if my
prediction does come true and I seek to join the community once again,
I'll turn right around and join another project. However, there is much to
be done for documentation, so less complaining and more action.



> On Thu, Apr 17, 2008 at 2:45 PM, Stephen Rider
> <wp-hackers at striderweb.com> wrote:
>> Just to be clear...
>>
>>  Please correct me if I'm wrong (security is not my strong point):
>>
>>  We should be defining both SECRET_KEY and SECRET_SALT in wp-config.php.
>
> SECRET_SALT does not need to be defined.  Having one secret in the DB
> instead of wp-config.php will prevent someone who somehow gets at your
> wp-config.php (there have been some http server bugs that expose
> files) from creating a cookie. Of course, if your DB is misconfigured
> and allows connections from anywhere, someone who has wp-config.php
> has your DB credentials and can get into your DB and change the
> secret.
>
>>  They should both be filled with a completely random, and preferably
>> long,
>> string, e.g.
>> 'i!Db)RO;wIhV%YU!PY,C at L7^Jb0*(8~A]2";J9<II`-FwF$Shi$&r60(\vH/'
>
> Random and long is good.  There are lots of random string generators
> around.
>
> https://www.grc.com/passwords.htm
>
>>  They should NOT be the same, however.
>
> Correct.


-- 
Jacob Santos

http://www.santosj.name - Personal Blog
http://funcdoc.wordpress.com - WordPress Function Documentation Blog
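The quoted exchange makes two points: the two secrets should be long, random and different, and keeping one of them in the database rather than in wp-config.php means a leaked config file alone is not enough to mint a valid cookie. The following is an added illustration of that reasoning, not code from WordPress or from anyone on this thread. It assumes a simplified cookie scheme (HMAC over "username|expiration" keyed with the config secret and the DB salt concatenated) that only stands in for the real one; the function names, the minimum length and the sample values are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

# Alphabet for generated secrets; punctuation is included because the
# value is only ever copied into a config file, never typed by a person.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_secret(length=64):
    """Return a random string drawn from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def wp_config_line(name, value):
    """Render a define() line for wp-config.php as a single-quoted PHP string."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"define('{name}', '{escaped}');"


def check_secrets(secret_key, secret_salt, min_len=32):
    """Return a list of problems; empty means the pair passes the checks
    the thread asks for: long, random-looking, and not identical."""
    problems = []
    if len(secret_key) < min_len:
        problems.append("SECRET_KEY is shorter than %d characters" % min_len)
    if len(secret_salt) < min_len:
        problems.append("SECRET_SALT is shorter than %d characters" % min_len)
    if secret_key == secret_salt:
        problems.append("SECRET_KEY and SECRET_SALT must not be the same")
    # Crude randomness check: a real random string of this length should
    # not be dominated by a single character.
    for label, value in (("SECRET_KEY", secret_key), ("SECRET_SALT", secret_salt)):
        if value and max(value.count(c) for c in set(value)) > len(value) // 2:
            problems.append("%s looks like a repeated character, not random" % label)
    return problems


def sign_cookie(username, expiration, secret_key, secret_salt):
    """Simplified cookie MAC: both secrets feed the HMAC key, so an attacker
    needs the config secret AND the DB salt to forge a value."""
    key = (secret_key + secret_salt).encode()
    msg = f"{username}|{expiration}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_cookie(username, expiration, mac, secret_key, secret_salt):
    """Constant-time comparison against a freshly computed MAC."""
    expected = sign_cookie(username, expiration, secret_key, secret_salt)
    return hmac.compare_digest(expected, mac)


def leaked_config_is_enough(username, expiration, secret_key, secret_salt):
    """Model the threat in the thread: the attacker holds only the config
    secret (say from an exposed wp-config.php) and guesses the DB salt.
    Returns True only if that forged cookie verifies."""
    guessed_salt = ""  # constructed: attacker does not know the DB value
    forged = sign_cookie(username, expiration, secret_key, guessed_salt)
    return verify_cookie(username, expiration, forged, secret_key, secret_salt)


if __name__ == "__main__":
    key, salt = generate_secret(), generate_secret()
    print(wp_config_line("SECRET_KEY", key))
    print("problems:", check_secrets(key, salt))
    print("forgeable with config alone:", leaked_config_is_enough("admin", 1208476800, key, salt))
```

check_secrets deliberately rejects identical values even when both are long, which is the "they should NOT be the same" point from the quoted reply; leaked_config_is_enough shows why the salt living in the database matters, because the verifier recomputes the MAC with a secret the config file never contained.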


