[wp-hackers] The security week? :)
xel at netgra.de
Thu Apr 17 07:42:14 GMT 2008
> The only problem with defining the SECRET_KEY and/or SECRET_SALT on the
> installation or by a web page on the administration is that most WordPress
> applications are sent through HTTP and not HTTPS.
When it is possible to include that secret into wp-config without the user
noticing it, it would be possible to do this with a randomly created one
too. It wouldn't be hard to generate a (random lengt) phrase of between 10
to 15 random chars or whatever.
If there is any notice to do that within the installation dialog I didn't
read it - if there is none how should one know to do it?
You know there is an installation because one will not want to do everything
by hand. You can not expect anyone to know that he/she will have to do
anything for it.
While members of wp-hackers mailing list may have noticed while reading the
trac mailing list or the SVN Report (which of course isn't really required
to be on this list), normal users can not be expected to know this.
2008/4/17, Stefano Aglietti <steagl4ml at gmail.com>:
> On Wed, 16 Apr 2008 15:16:01 -0400, Mark Jaquith
> <mark.wordpress at txfx.net> wrote:
> >We have a couple options here:
> >1. Spread the word and encourage people to add it.
> >2. Have a "nag" in wp-admin that generates a random salt, prints the
> >define('SECRET_KEY', $random_salt); line and tells you to add it to wp-
> >3. Try to automatically add the SECRET_KEY define() to wp-config.php
> >and fall back to #2 if we cannot.
> >#1 is going to result in very few people utilizing the feature. #2 or
> >#3 is probably the way to go.
> +1 to #2 and #3 sound the best and logical solution.
> Stefano Aglietti - StallonIt on IRCnet - ICQ#: 2078431
> Email: steve at 40annibuttati.it steagl at people.it
> Sites: http://www.40annibuttati.it (personal blog)
> http://www.wordpress-it.it (WordPress Italia)
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers