[wp-hackers] The security week? :)

Jacob Santos wordpress at santosj.name
Thu Apr 17 04:17:35 GMT 2008


This thread is full of WTF?s. I'll number them off for you.

1. Ryan has stated many times the purpose of SECRET_KEY, blogged about 
it. Peter Westwood also had to of mentioned it many times before also on 
his weekly SVN report.

I apologize, because really don't know how many of you track the trac 
mailing list or look at the SVN or read the Peter Westwood's weekly SVN 
report. If you don't know where the weekly SVN report is, then I would 
guess you start at westi.wordpress.com and see if you can find it from 
there.

I've been out of touch with the SVN and Trac mailing lists, so I've come 
across very interesting topics, which would have very much interested 
me. So I can understand if all you do is follow the mailing list, you 
can miss a lot of good information.

I could also swear that there was a codex page on this information. 
Damn, the pluggable.php file in the wp-includes folder can easily be 
copied to the codex, since the documentation is GPL.

I'm not sure that you can spread the word well enough, unless it was 
built in to the administration. I think, if anything, it should just do 
it for you with no fuss and involvement from the user.

2. Um, who said it isn't important to change the SECRET_KEY and why is 
that person still breathing?

Change the SECRET_KEY setting! As soon as possible, do it now! It is 
very important to change the SECRET_KEY setting from the default. Okay, 
after checking documentation, I realize that it was me. However, I 
specifically state that it is not required only if it is NOT DEFINED in 
wp-config.php, which it is on new installations for 2.5.

Also, you may define SECRET_SALT, which is not defined in wp-config.php 
by default and will be generated by WordPress. This means that even if 
you don't change the SECRET_KEY, you will be likewise protected from 
yourself.

Those who are paranoid, like me, can define one or both.

3. What about actually allowing it to be defined at installation?

I know that yeah, the installation should only be five minutes and as 
easy as pie, but hey, you can randomize the process for the user and the 
power users can change it for themselves.

The only problem with defining the SECRET_KEY and/or SECRET_SALT on the 
installation or by a web page on the administration is that most 
WordPress applications are sent through HTTP and not HTTPS.

It would be another WTF, if you send what is supposed to be a secret 
over the net in plaintext. However, much can be said by sending the 
actual password over the net in plaintext, but we'll leave that out of 
the discussion for the sake of keeping our sanity.

4. Sigh, sometime it would be a good idea to create a phpdocumentor site 
for WordPress.

You know, there is something said about having inline documentation. 
There is something else to be said about having it searchable and where 
users actually feel comfortable viewing it. In the past, I had planned 
on creating a phpDocumentor site, but I had always felt it was something 
that should be on WordPress.org and not on one of my sites that hardly 
anyone will go to, until they find out about it and actually do start 
going to it.

The only problem with phpDocumentor sites is that they are more 
technical, so end users and even most developers who could care less 
don't wish to wade through all of it to find the one function they need.

The only goal of the phpDocumentor site is to provide up-to-date web 
documentation about functions, which could then in turn be linked from 
the codex to the function page on the phpDocumentor site. It doesn't 
make sense to have function documentation on the codex, where with each 
passing version that the function is not updated means that the greater 
the chance that the information on the codex is inaccurate.

Besides, where better to make a change to the documentation than right 
there where the change is being made? I don't like finding the function 
in the codex and I would very much like it better to have everything 
automated. Why should I write the same information twice? I'm just not 
going to do it.

I think where codex authors go wrong is that the codex should describe 
in English (or whatever language) how to use the functions, instead of 
what the properties are and what the function does.

That is all I can think of at the moment. Thank you for taking the time 
to read my ranting. However, for such a small thread, so many WTF?s 
should not be acceptable.


Otto wrote:
> On Wed, Apr 16, 2008 at 2:16 PM, Mark Jaquith <mark.wordpress at txfx.net> wrote:
>   
>>  We have a couple options here:
>>
>>  1. Spread the word and encourage people to add it.
>>  2. Have a "nag" in wp-admin that generates a random salt, prints the
>> define('SECRET_KEY', $random_salt); line and tells you to add it to
>> wp-config.php
>>  3. Try to automatically add the SECRET_KEY define() to wp-config.php and
>> fall back to #2 if we cannot.
>>
>>  #1 is going to result in very few people utilizing the feature.  #2 or #3
>> is probably the way to go.
>>     
>
> I like all of the above. Step 1, nag the user with a yellow box, like
> with an upgrade (You need to create a secret key!). Step 2, give them
> a page linked from said yellow box to generate one and save it
> automatically or present it to them and have them do it themselves.
> Should simply be a good long random string.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>   


-- 

Jacob Santos

http://www.santosj.name - blog
http://funcdoc.wordpress.com - WordPress Documentation Blog/Guide Licensed under GPLv2

Also known as darkdragon and santosj on WP trac.



More information about the wp-hackers mailing list