[wp-hackers] Implications of failure to change 'unique' keys and salts
abdussamad at abdussamad.com
Fri Oct 26 15:30:33 UTC 2012
According to the site you linked to, you can brute-force login if you try
continuously for a week. So not exactly "at will".
On 10/26/2012 03:36 PM, David Anderson wrote:
> I've been handed a hacked site to investigate. Unfortunately the
> client deleted the hacked version and had no logs, so I'm just looking
> for probable cause rather than doing forensics on the hacked site.
> The client had not changed any of the 'Authentication Unique Keys and
> Salts' in wp-config.php
> I read
> and that seems to say that if the keys/salts are known, then you can
> forge an authentication cookie at will - you don't need any
> man-in-the-middle access to observe any existing session to do so. Can
> anyone confirm if that is right?
> If that is right, then it seems to me that WordPress should refuse to
> run if the 'default' entry for any key is still "put your unique
> phrase here". I did an audit of my web hosting customers, and found
> two others who had this too. So across the Internet there must be tens
> of thousands at least. But is it right?
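The audit David describes doing by hand (checking which customers still have "put your unique phrase here" in wp-config.php) is easy to script. The following is an added example, not code from this thread or from WordPress itself. It parses the define() lines for the eight key/salt constants WordPress reads from wp-config.php and flags any that are missing, still at the sample-file placeholder, very short, or copy-pasted into more than one constant. The 32-character minimum is an assumption of this script, not a WordPress rule, and the embedded wp-config fragment is constructed for the demonstration.

```python
"""Audit wp-config.php files for unchanged or weak authentication keys and salts.

Usage:
    python audit_wp_keys.py /var/www/*/wp-config.php
With no arguments it audits the constructed SAMPLE_CONFIG below.
"""
import sys

# The eight constants WordPress defines in the 'Authentication Unique Keys
# and Salts' block of wp-config.php.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Value shipped in wp-config-sample.php; a site that never edited it signs
# its cookies with a secret everybody knows.
PLACEHOLDER = "put your unique phrase here"

# Assumption of this script: anything shorter than this is treated as weak.
MIN_LENGTH = 32

import re

# Matches define('NAME', 'value'); with either quote style on a single line.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)

# Constructed sample: two placeholders, one short salt, one value reused for
# two constants, one constant commented out (so effectively missing).
SAMPLE_CONFIG = r"""<?php
/** Authentication Unique Keys and Salts. */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'x9H2#kQz!mRvL4+pT7wB^eY8@sN1cJ3dF5gU6hI0jK2lM4nO6pQ8rS0tV1wX3yZ5');
define('NONCE_KEY',        'aB3$dE5%fG7&hI9*jK1(lM3)nO5-pQ7=rS9+tU1[vW3]xY5{zA7}bC9|dE1:fG3;');
define('AUTH_SALT',        'changeme');
define('SECURE_AUTH_SALT', 'aB3$dE5%fG7&hI9*jK1(lM3)nO5-pQ7=rS9+tU1[vW3]xY5{zA7}bC9|dE1:fG3;');
define('LOGGED_IN_SALT',   'hG6~jK8`lM0!nO2@pQ4#rS6$tU8%vW0^xY2&zA4*bC6(dE8)fG0-hI2_jK4+lM6=');
// define('NONCE_SALT',    'put your unique phrase here');
"""


def audit_wp_config(text: str) -> dict:
    """Return {constant: status} for every WordPress key/salt constant.

    status is 'missing', 'placeholder', 'short', 'reused' or 'ok'.
    """
    found = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Skip commented-out defines so they are reported as missing.
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_RE.search(stripped)
        if m and m.group("name") in WP_KEYS:
            found[m.group("name")] = m.group("value")

    # Count how many constants share each value to catch copy-pasted keys.
    counts = {}
    for value in found.values():
        counts[value] = counts.get(value, 0) + 1

    report = {}
    for name in WP_KEYS:
        if name not in found:
            report[name] = "missing"
            continue
        value = found[name]
        if value.strip().lower() == PLACEHOLDER:
            report[name] = "placeholder"
        elif len(value) < MIN_LENGTH:
            report[name] = "short"
        elif counts[value] > 1:
            report[name] = "reused"
        else:
            report[name] = "ok"
    return report


def is_hardened(report: dict) -> bool:
    """True only when all eight constants are present, unique and long enough."""
    return all(status == "ok" for status in report.values())


def main(argv):
    if not argv:
        targets = [("<sample>", SAMPLE_CONFIG)]
    else:
        targets = [(path, open(path, encoding="utf-8", errors="replace").read())
                   for path in argv]
    for label, text in targets:
        report = audit_wp_config(text)
        verdict = "OK" if is_hardened(report) else "WEAK"
        print(f"{label}: {verdict}")
        for name, status in report.items():
            if status != "ok":
                print(f"  {name}: {status}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it over every wp-config.php a host can reach; any site reported WEAK should have a fresh set of keys pasted in, which also invalidates every existing login cookie for that site.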