Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12687 closed enhancement (duplicate)

automatically generate unique AUTH_KEY and other values

Reported by: jdingman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords: needs-patch
Focuses:
Cc:


Right now, when someone installs WordPress, it provides this in the wp-config.php:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Why should it not automatically generate unique values from the get-go and have the user one step closer to being more secure?

I'm suggesting it automatically generate unique values for those constants from the moment WordPress is installed.

Change History (5)

comment:1 @aaroncampbell 5 years ago

Why not just pull in from https://api.wordpress.org/secret-key/1.1/salt/ and set up all 8 salts?

comment:2 @aaroncampbell 5 years ago

Actually, it looks like it already DOES do this. In wp-admin/setup-config.php, lines 195-206:

	// Fallback: the secret-key API is unavailable, so generate 8 values locally.
	if ( $no_api || is_wp_error( $secret_keys ) ) {
		$secret_keys = array();
		require_once( ABSPATH . WPINC . '/pluggable.php' );
		for ( $i = 0; $i < 8; $i++ ) {
			$secret_keys[] = wp_generate_password( 64, true, true );
		}
	} else {
		// Each API line is a define(); the 64-character secret starts at offset 28.
		$secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
		foreach ( $secret_keys as $k => $v ) {
			$secret_keys[$k] = substr( $v, 28, 64 );
		}
	}
	$key = 0;

Then later in lines 226-235:

			case "define('AUTH_KEY":
			case "define('SECURE_A":
			case "define('LOGGED_I":
			case "define('NONCE_KE":
			case "define('AUTH_SAL":
			case "define('SECURE_A":
			case "define('LOGGED_I":
			case "define('NONCE_SA":
				$configFile[$line_num] = str_replace('put your unique phrase here', $secret_keys[$key++], $line );

comment:3 @aaroncampbell 5 years ago

  • Cc aaron@… added

comment:4 @aaroncampbell 5 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

This has already been fixed, and is a duplicate of #12159

comment:5 @nacin 5 years ago

  • Milestone Unassigned deleted