id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
14803,Admins should be warned if authentication keys and salts have the default phrase,coffee2code,,"WordPress already warns admin users if any of the eight authentication keys/salts are not present in the wp-config.php.  (See `secret_salt_warning()` in wp-admin/includes/ms.php)  While performing that check, WP should also see if any of the keys/salts are using the default string of ""put your unique phrase here"".

The default string is pre-set for all eight keys/salts that ship in wp-config-sample.php.  While the inline documentation indicates that those values should be changed, there is no notice or prompting to alert/remind the admin if the default string is left intact.

Bear in mind that `wp_salt()` (in wp-includes/pluggable.php) ignores the keys/salts that use the default phrase or are blank strings, so security isn't compromised.  However, if we want the admins to define secure phrases in wp-config.php, we should make them aware when that's not the case.

The attached patch modifies `secret_salt_warning()` to also check that the keys/salts aren't using the default phrase and aren't blank strings (same check as done in `wp_salt()`).  If any are, the warning message provides a link to the wordpress.org secret key service.

See the attached image to see an example where I've removed LOGGED_IN_SALT from wp-config.php (the error message for that is already what WP generates) and where I've left the default phrase in place for AUTH_KEY and AUTH_SALT and set NONCE_SALT to '' (triggering the error message added by the attached patch).
",enhancement,new,normal,Future Release,Security,3.0.1,normal,,has-patch ux-feedback,
