id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
14803	Admins should be warned if authentication keys and salts have the default phrase	coffee2code		"WordPress already warns admin users if any of the eight authentication keys/salts are not present in the wp-config.php.  (See `secret_salt_warning()` in wp-admin/includes/ms.php)  While performing that check, WP should also see if any of the keys/salts are using the default string of ""put your unique phrase here"".

The default string is pre-set for all eight keys/salts that ship in wp-config-sample.php.  While the inline documentation indicates that those values should be changed, there is no notice or prompting to alert/remind the admin if the default string is left intact.

Bear in mind that `wp_salt()` (in wp-includes/pluggable.php) ignores the keys/salts that use the default phrase or are blank strings, so security isn't compromised.  However, if we want the admins to define secure phrases in wp-config.php, we should make them aware when that's not the case.

The attached patch modifies `secret_salt_warning()` to also check that the keys/salts aren't using the default phrase and aren't blank strings (same check as done in `wp_salt()`).  If any are, the warning message provides a link to the wordpress.org secret key service.

See the attached image to see an example where I've removed LOGGED_IN_SALT from wp-config.php (the error message for that is already what WP generates) and where I've left the default phrase in place for AUTH_KEY and AUTH_SALT and set NONCE_SALT to '' (triggering the error message added by the attached patch).
"	enhancement	new	normal	Future Release	Security	3.0.1	normal		has-patch ux-feedback	
