[wp-hackers] The security week? :)
wp-hackers at striderweb.com
Thu Apr 17 21:45:16 GMT 2008
Just to be clear...
Please correct me if I'm wrong (security is not my strong point):
We should be defining both SECRET_KEY and SECRET_SALT in wp-config.php.
They should both be filled with a completely random, and preferably
long, string, e.g. 'i!Db)RO;wIhV%YU!PY,C at L7^Jb0*(8~A]2";J9<II`-FwF$Shi
They should NOT be the same, however.
Is this correct?
On Apr 17, 2008, at 7:30 AM, Jacob Santos wrote:
> The vector for attack on getting the SECRET_SALT is that if it is
> not defined in wp-config.php or elsewhere (like a plugin perhaps?)
> then it is within the database table. If a hacker were to somehow
> get into the database and view it, then the salt will become
> available. If the default SECRET_KEY is not changed, then the hacker
> will know both the SECRET_KEY and the SECRET_SALT. The steps to hack
> into the database are more difficult in WordPress 2.5.
More information about the wp-hackers