[wp-hackers] The security week? :)

Stephen Rider wp-hackers at striderweb.com
Thu Apr 17 21:45:16 GMT 2008


Just to be clear...

Please correct me if I'm wrong (security is not my strong point):

We should be defining both SECRET_KEY and SECRET_SALT in wp-config.php.

They should both be filled with a completely random, and preferably long, string, e.g. 'i!Db)RO;wIhV%YU!PY,C at L7^Jb0*(8~A]2";J9<II`-FwF$Shi $&r60(\vH/'

They should NOT be the same, however.

Is this correct?

Stephen


On Apr 17, 2008, at 7:30 AM, Jacob Santos wrote:
> The vector for attack on getting the SECRET_SALT is that if it is  
> not defined in wp-config.php or elsewhere (like a plugin perhaps?)  
> then it is within the database table. If a hacker were to somehow  
> get into the database and view it, then the salt will become  
> available. If the default SECRET_KEY is not changed, then the hacker  
> will know both the SECRET_KEY and the SECRET_SALT. The steps to hack  
> into the database are more difficult in WordPress 2.5.
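As an added example (not code from this post or from WordPress itself), a small Python helper that generates two independent secrets, renders the wp-config.php define lines with correct PHP single-quote escaping, and flags a pair that is too short, identical, or left at the sample file's placeholder. The minimum length, the 64-character default, and the placeholder text are assumptions.

```python
import secrets
import string

# Printable ASCII without whitespace, in the spirit of the sample value
# in the post (letters, digits and punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 32  # assumption: what this check treats as "long"

# Assumption: the placeholder carried by the stock wp-config-sample.php.
DEFAULT_PLACEHOLDER = "put your unique phrase here"


def generate_secret(length: int = 64) -> str:
    """Return a CSPRNG-derived string of the given length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def php_single_quoted(value: str) -> str:
    """Render value as a PHP single-quoted literal.

    Inside single quotes only backslash and the quote itself need
    escaping; an unescaped backslash before the closing quote (compare
    the \\vH/' tail of the post's sample) would otherwise be mis-parsed.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_wp_config_lines(key: str, salt: str) -> str:
    """Produce the two define() lines to paste into wp-config.php."""
    return (
        f"define('SECRET_KEY', {php_single_quoted(key)});\n"
        f"define('SECRET_SALT', {php_single_quoted(salt)});\n"
    )


def check_secrets(key: str, salt: str) -> list:
    """Return the problems found; an empty list means the pair is acceptable."""
    problems = []
    for name, value in (("SECRET_KEY", key), ("SECRET_SALT", salt)):
        if value == DEFAULT_PLACEHOLDER:
            problems.append(f"{name} is still the default placeholder")
        if len(value) < MIN_LENGTH:
            problems.append(f"{name} is shorter than {MIN_LENGTH} characters")
    if key == salt:
        problems.append("SECRET_KEY and SECRET_SALT must not be the same")
    return problems


if __name__ == "__main__":
    k, s = generate_secret(), generate_secret()
    assert not check_secrets(k, s)
    print(render_wp_config_lines(k, s))
```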

