[wp-hackers] The security week? :)

Ryan Boren ryan at boren.nu
Thu Apr 17 23:42:44 GMT 2008


On Thu, Apr 17, 2008 at 7:09 AM, Austin Matzko <if.website at gmail.com> wrote:
> > On Thu, Apr 17, 2008 at 9:48 AM, MichaelH <justmichaelh at gmail.com> wrote:
> > > 2. If you don't change the 'put your unique phrase here' phrase, you are
> > > actually better off deleting the SECRET_KEY definition from wp-config.php.
> >
> > No, that is not the case.  Having the default SECRET_KEY and having no
> > secret key end up with the same result, and it would be better to
> > leave it in there as a reminder to customize it later.
> >
> >
> > > 4. And again, for upgrading users, if they don't add the SECRET_KEY
> > > definition to their existing wp-config.php, that is okay.
> >
> > "Okay," but not good.  All WP users should have a custom SECRET_KEY to
> > reduce the risk of a security compromise.
> >
> >
> > > 5. At any time, you can change the SECRET_KEY value in wp-config.php and
> > > NOT cause problems when users log in with their existing password.
> >
> > No problems, but changing the SECRET_KEY will invalidate everyone's
> > cookies, forcing them to log in again.

Just seconding what Austin said.  Spot on.
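The three points Austin makes above (a missing key and the shipped default behave the same, a unique key is what makes cookies unforgeable, and rotating the key logs every user out without touching passwords) can be shown with a small model of a secret-keyed login cookie. This is an added example and not WordPress's own cookie code; the cookie layout, the `site_key` helper, the key strings and the timestamps are constructed for illustration, and the cookie MAC is an HMAC-SHA256 over `user|expiry` keyed on the site secret.

```python
import hashlib
import hmac

# Added example, not WordPress's own code: a simplified model of a login cookie
# bound to the SECRET_KEY from wp-config.php. Names, key strings and timestamps
# are constructed for illustration.

DEFAULT_SECRET_KEY = "put your unique phrase here"  # placeholder shipped in wp-config.php


def site_key(secret_key):
    """Key actually used for the cookie MAC.

    A missing key and an unchanged placeholder are treated identically, which
    is why 'no SECRET_KEY' and 'default SECRET_KEY' end up with the same result:
    both leave the MAC keyed on a value anyone can read out of the default config.
    """
    if not secret_key or secret_key == DEFAULT_SECRET_KEY:
        return DEFAULT_SECRET_KEY
    return secret_key


def make_auth_cookie(username, expiration, secret_key):
    """Cookie of the form user|expiry|mac, with the MAC keyed on the site secret."""
    data = f"{username}|{expiration}"
    mac = hmac.new(site_key(secret_key).encode(), data.encode(), hashlib.sha256).hexdigest()
    return f"{data}|{mac}"


def validate_auth_cookie(cookie, secret_key, now):
    """Return the username if the cookie is unexpired and its MAC matches the
    current key, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None  # malformed or expired
    expected = hmac.new(site_key(secret_key).encode(),
                        f"{username}|{expiration}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # minted under a different key, or fields tampered with
    return username


NOW = 1208475000            # constructed timestamp (April 2008)
EXPIRES = NOW + 2 * 86400   # two-day cookie


def default_key_is_forgeable():
    """Site that never customised SECRET_KEY: a cookie minted with no secret
    at all is accepted, because the server is using the same public default."""
    forged = make_auth_cookie("admin", EXPIRES, None)
    return validate_auth_cookie(forged, DEFAULT_SECRET_KEY, NOW) == "admin"


def unique_key_rejects_forgery(key="correct horse battery staple"):
    """Same forgery against a site with its own key: rejected."""
    forged = make_auth_cookie("admin", EXPIRES, None)
    return validate_auth_cookie(forged, key, NOW) is None


def rotating_key_invalidates_cookies(old_key="correct horse battery staple",
                                     new_key="a different unique phrase"):
    """Changing SECRET_KEY: cookies issued under the old key stop validating,
    so every user is sent back to the login form. Stored passwords are not
    involved in the MAC, so logging in with the existing password still works."""
    cookie = make_auth_cookie("editor", EXPIRES, old_key)
    valid_before = validate_auth_cookie(cookie, old_key, NOW) == "editor"
    rejected_after = validate_auth_cookie(cookie, new_key, NOW) is None
    return valid_before and rejected_after


if __name__ == "__main__":
    print("default key forgeable:", default_key_is_forgeable())              # True
    print("unique key rejects forgery:", unique_key_rejects_forgery())       # True
    print("rotation logs everyone out:", rotating_key_invalidates_cookies())  # True
```

The `site_key` helper is the part that matters for point 2 above: deleting the definition and leaving the placeholder both collapse to the same guessable key, so neither is safer than the other, and only a site-specific phrase changes the outcome.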