[wp-hackers] Implications of failure to change 'unique' keys and salts

David Anderson david at wordshell.net
Fri Oct 26 10:36:41 UTC 2012

I've been handed a hacked site to investigate. Unfortunately the client 
deleted the hacked version and had no logs, so I'm just looking for 
probable cause rather than doing forensics on the hacked site.

The client had not changed any of the 'Authentication Unique Keys and 
Salts' in wp-config.php

I read 
and that seems to say that if the keys/salts are known, then you can 
forge an authentication cookie at will - you don't need any 
man-in-the-middle access to observe any existing session to do so. Can 
anyone confirm if that is right?

If that is right, then it seems to me that WordPress should refuse to 
run if the 'default' entry for any key is still "put your unique phrase 
here". I did an audit of my web hosting customers, and found two others 
who had this too. So across the Internet there must be tens of thousands 
at least. But is it right?


WordShell - WordPress fast from the CLI - www.wordshell.net

More information about the wp-hackers mailing list