[wp-hackers] The security week? :)

Austin Matzko if.website at gmail.com
Thu Apr 17 14:09:23 GMT 2008

On Thu, Apr 17, 2008 at 9:48 AM, MichaelH <justmichaelh at gmail.com> wrote:
>  2. If you don't change the 'put your unique phrase here'  phrase, you are
>  actually better off deleting the SECRET_KEY definition from wp-config.php.

No, that is not the case.  Having the default SECRET_KEY and having no
secret key end up with the same result, and it would be better to
leave it in there as a reminder to customize it later.

> 4. And again, for upgrading users, if they don't add the SECRET_KEY
> definition to their existing wp-config.php, that is okay.

"Okay," but not good.  All WP users should have a custom SECRET_KEY to
reduce the risk of a security compromise.

> 5.  At any time, you can change the SECRET_KEY value in wp-config.php and
> NOT cause problems when users log in with their existing password.

No problems, but changing the SECRET_KEY will invalidate everyone's
cookies, forcing them to log in again.

More information about the wp-hackers mailing list