[wp-hackers] Salting

Andrew Nacin wp at andrewnacin.com
Mon Jul 1 18:36:21 UTC 2013

On Mon, Jul 1, 2013 at 2:32 PM, Dobri <dyordan1 at ramapo.edu> wrote:

> I might be wrong on how all of this works but since this ->
> https://api.wordpress.org/secret-key/1.1/salt/ exists, why isn't it built
> into wordpress to just grab a random set of salts on the initial
> installation and save it in the wp-config on its own instead of the 'put
> your unique phrase here'? I feel like a good 40-50% of all installations
> have exactly that as salts so I feel this would make it a bit more secure.
> Am I missing something?

It is built into WP; see wp-admin/setup-config.php.

It's worth noting that if keys or salts are unchanged from the default, or
are duplicated in any way, wp_salt() actually refuses to honor what is in
wp-config.php, and generates a new value (storing it in the DB).

Even if 40-50% of installations have exactly the same salts, wp_salt() very
likely is returning something different all together.


More information about the wp-hackers mailing list