[wp-hackers] The security week? :)

Ryan Boren ryan at boren.nu
Thu Apr 17 23:40:42 GMT 2008


On Thu, Apr 17, 2008 at 2:45 PM, Stephen Rider
<wp-hackers at striderweb.com> wrote:
> Just to be clear...
>
>  Please correct me if I'm wrong (security is not my strong point):
>
>  We should be defining both SECRET_KEY and SECRET_SALT in wp-config.php.

SECRET_SALT does not need to be defined.  Having one secret in the DB
instead of wp-config.php will prevent someone who somehow gets at your
wp-config.php (there have been some http server bugs that expose
files) from creating a cookie. Of course, if your DB is misconfigured
and allows connections from anywhere, someone who has wp-config.php
has your DB credentials and can get into your DB and change the
secret.

>  They should both be filled with a completely random, and preferably long,
> string, e.g. 'i!Db)RO;wIhV%YU!PY,C@L7^Jb0*(8~A]2";J9<II`-FwF$Shi$&r60(\vH/'

Random and long is good.  There are lots of random string generators around.

https://www.grc.com/passwords.htm

>  They should NOT be the same, however.

Correct.
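The two-secret arrangement Ryan describes, worked through as an added example (this is not WordPress code and not code from the thread). It models SECRET_KEY in wp-config.php plus a second secret kept in the database, keys the cookie MAC with both, and shows why a copy of wp-config.php alone is not enough to forge a cookie. The function names, the array standing in for the options table, the cookie layout and the use of HMAC-SHA256 are all assumptions made for the illustration; WordPress's own helpers differ.

```php
<?php
// Added example, not WordPress code. It models the scheme discussed in the
// thread: SECRET_KEY in wp-config.php, a second secret in the database,
// and an authentication cookie whose MAC is keyed with both.

// Generate a long random secret for a wp-config.php constant.
// random_int() uses the platform CSPRNG (PHP 7+); never use rand()/mt_rand()
// for secrets.
function generate_secret(int $length = 64): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
              . '0123456789!@#$%^&*()-_[]{}<>~+=,.;:/?|';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// The line that belongs in wp-config.php. The value is constructed here at
// runtime for the demo; on a real install you paste generate_secret() output
// once and keep the file out of version control and out of the web root.
define('SECRET_KEY', generate_secret());
// SECRET_SALT is deliberately not defined, as in the reply above, so the
// second secret is looked up in the database instead.

// Simulated options table (assumption: a plain array stands in for the DB).
// The salt is created on first use and then persisted.
$options = [];
function db_salt(array &$options): string {
    if (empty($options['secret'])) {
        $options['secret'] = generate_secret();
    }
    return $options['secret'];
}

// The MAC key is derived from BOTH secrets; lacking either one breaks it.
function cookie_key(string $config_key, string $db_secret): string {
    return $config_key . $db_secret;
}

// Cookie layout (assumption): user|expiration|hmac-sha256
function make_cookie(string $user, int $expiration, string $key): string {
    $mac = hash_hmac('sha256', $user . '|' . $expiration, $key);
    return $user . '|' . $expiration . '|' . $mac;
}

// Returns the user name on success, null on any failure.
function verify_cookie(string $cookie, string $key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiration, $mac] = $parts;
    if (!ctype_digit($expiration) || (int)$expiration < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiration, $key);
    // hash_equals() is a constant-time comparison, so MAC checking does not
    // leak which prefix of the tag was right.
    return hash_equals($expected, $mac) ? $user : null;
}

$key = cookie_key(SECRET_KEY, db_salt($options));

// Legitimate cookie issued by the site: verifies with the full key.
$cookie = make_cookie('admin', time() + 3600, $key);
var_dump(verify_cookie($cookie, $key, time()));

// Attacker who read wp-config.php but could not reach the DB: has SECRET_KEY
// only, so the MAC is computed under the wrong key and verification fails.
$forged = make_cookie('admin', time() + 3600, cookie_key(SECRET_KEY, ''));
var_dump(verify_cookie($forged, $key, time()));

// The caveat from the reply: an attacker who also has DB access (for example
// because wp-config.php gave up the credentials and the DB accepts remote
// connections) can read or replace $options['secret'] and then forge at will.
$options['secret'] = 'attacker-chosen';
$stolen_key = cookie_key(SECRET_KEY, db_salt($options));
var_dump(verify_cookie(make_cookie('admin', time() + 3600, $stolen_key), $stolen_key, time()));
```

Run it with `php example.php`. The split only helps while the database stays private, which is why the reply pairs the advice with a warning about DB servers that accept connections from anywhere.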

