[wp-trac] [WordPress Trac] #14803: Admins should be warned if authentication keys and salts have the default phrase

WordPress Trac wp-trac at lists.automattic.com
Tue Sep 7 15:20:17 UTC 2010


#14803: Admins should be warned if authentication keys and salts have the default phrase
-------------------------+--------------------------------------------------
 Reporter:  coffee2code  |       Owner:                 
     Type:  enhancement  |      Status:  new            
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:                 
 Severity:  normal       |    Keywords:  has-patch      
-------------------------+--------------------------------------------------
 WordPress already warns admin users if any of the eight authentication
 keys/salts are not present in the wp-config.php.  (See
 `secret_salt_warning()` in wp-admin/includes/ms.php)  While performing
 that check, WP should also see if any of the keys/salts are using the
 default string of "put your unique phrase here".

 The default string is pre-set for all eight keys/salts that ship in
 wp-config-sample.php.  While the inline documentation indicates that those
 values should be changed, there is no notice or prompting to alert/remind
 the admin if the default string is left intact.

 Bear in mind that `wp_salt()` (in wp-includes/pluggable.php) ignores the
 keys/salts that use the default phrase or are blank strings, so security
 isn't compromised.  However, if we want the admins to define secure
 phrases in wp-config.php, we should make them aware when that's not the
 case.

 The attached patch modifies `secret_salt_warning()` to also check that the
 keys/salts aren't using the default phrase and aren't blank strings (same
 check as done in `wp_salt()`).  If any are, the warning message provides a
 link to the wordpress.org secret key service.

 See the attached image to see an example where I've removed LOGGED_IN_SALT
 from wp-config.php (the error message for that is already what WP
 generates) and where I've left the default phrase in place for AUTH_KEY
 and AUTH_SALT and set NONCE_SALT to '' (triggering the error message added
 by the attached patch).

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14803>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
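An added example, not part of the ticket or of the attached patch: a stand-alone Python script that applies the same three-way test the ticket describes (constant missing, blank, or still set to the default phrase) to a wp-config.php file offline, so the problem can be caught before anyone looks at the admin dashboard. The eight constant names and the placeholder string are the real ones from wp-config-sample.php; the regex, the constructed sample config and the function names are this example's own assumptions.

```python
"""Offline check of the wp-config.php authentication keys and salts.

Added example, not WordPress code. It reproduces the ticket's logic: a
key/salt is unusable (and wp_salt() would ignore it) when it is missing,
an empty string, or still set to the wp-config-sample.php placeholder.
"""
import re
import sys

# The eight key/salt constants that ship in wp-config-sample.php.
SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Placeholder value pre-set for all eight constants in the sample config.
DEFAULT_PHRASE = "put your unique phrase here"

# One define('NAME', 'value'); per line, single or double quotes, with
# backslash escapes allowed inside the value. Assumption: the config keeps
# the sample file's layout; a line commented out with // or # does not
# start with "define(" and is therefore ignored.
_DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*(?P<nq>['"])(?P<name>[A-Z_]+)(?P=nq)\s*,"""
    r"""\s*(?P<vq>['"])(?P<value>(?:\\.|(?!(?P=vq)).)*)(?P=vq)\s*\)\s*;""",
    re.MULTILINE,
)


def find_defines(config_text):
    """Map each of the eight constants to its raw string literal, if defined."""
    found = {}
    for m in _DEFINE_RE.finditer(config_text):
        if m.group("name") in SECRET_CONSTANTS:
            found[m.group("name")] = m.group("value")
    return found


def classify(value):
    """Return the problem with one value, or None if it is usable.

    Same three-way test the ticket wants secret_salt_warning() to apply
    (and that wp_salt() already uses to skip unusable values).
    """
    if value is None:
        return "missing"
    if value == "":
        return "blank"
    if value == DEFAULT_PHRASE:
        return "default phrase"
    return None


def check_secrets(config_text):
    """Return {constant: problem} for every key/salt an admin must fix."""
    defines = find_defines(config_text)
    problems = {}
    for name in SECRET_CONSTANTS:
        problem = classify(defines.get(name))
        if problem is not None:
            problems[name] = problem
    return problems


# Constructed wp-config.php fragment reproducing the ticket's screenshot:
# LOGGED_IN_SALT removed, AUTH_KEY and AUTH_SALT left at the placeholder,
# NONCE_SALT set to ''. The other values are made-up stand-ins, not output
# of the wordpress.org secret key service.
SAMPLE_CONFIG = """<?php
/**#@+
 * Authentication Unique Keys and Salts.
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Vq7!h2&Zr9^kLm3#pXw8*Gt5(Bn1)Ys4');
define('LOGGED_IN_KEY',    "c6Df0%Ju2@Nw9+Qe4-Rz7=Tb3_Ha8~Kx");
define('NONCE_KEY',        'Mk5[Px1]Gy6{Lo2}Wd9<Sf3>Ce7|Ut4');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'Hj8,Rn3.Xa6;Qz1:Fe5/Bw9?Lm2`Kt7');
define('NONCE_SALT',       '');
/**#@-*/
"""


def main(argv):
    """Usage: python check_wp_salts.py [path/to/wp-config.php]"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    problems = check_secrets(text)
    for name, problem in sorted(problems.items()):
        print("%-16s %s" % (name, problem))
    if problems:
        print("generate replacements with the wordpress.org secret key service")
        return 1
    print("all eight keys/salts are defined with non-default values")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it checks the constructed sample and reports the same four constants the ticket's screenshot flags; pass the path of a real wp-config.php to check a deployment, and use the non-zero exit status to fail a build.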

