[wp-hackers] wp-config variables add commented out?

Otto otto at ottodestruct.com
Mon Aug 18 15:34:52 GMT 2008

On Thu, Aug 14, 2008 at 4:35 PM, Ozh <ozh at planetozh.com> wrote:
> Out of curiosity I checked the link and -- wtf? AUTH_KEY,
> I knew about AUTH_KEY because either it's been more advertised or
> because I was offline when 2.6 came out, but didn't know about the 2
> others.

As has been stated, the two new ones only really change things if
you're using SSL.

It's like this:
- WP 2.5 introduced "SECRET_KEY" to make the cookie encryption stronger.
- WP 2.6 supports SSL admin, and so uses three separate cookies (one
for auth, one for ssl auth, and one for logged in user identity).

However, these are all optional. If you don't have a secret key, 2.5
is just as secure as previous versions were. If you don't use SSL,
then still having a SECRET_KEY instead of the three new ones is just
the same.

See here for more details:

> How come upgrade.php does not update the wp-config.php too ? It's
> pretty obvious that 99% of people out there don't have things like
> these in their wp-config.php.

Because editing somebody's wp-config.php is problematic. For one
thing, this file can be customized a lot. It's usually the case that
users have hand-edited these files, and breaking a user's main
configuration file on an upgrade is a pretty bad user experience.


More information about the wp-hackers mailing list