Make WordPress Core

Opened 11 months ago

Closed 11 months ago

Last modified 10 months ago

#44887 closed enhancement (invalid)

Add an error on installation if the security keys are not secure

Reported by: nnikolov
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: close
Focuses:
Cc:

Description

Hello.

My suggestion is simple. When the installation process starts, check whether the user has actually changed the security keys in wp-config.php and show an error if one of them still has its default value 'put your unique phrase here'. Also show another error if two of the keys are the same.

Here is one way to do it: Add the following code (without the opening php tag) in the wp-admin/install.php file on line 277 (talking about version 4.9.8).

<?php
// All eight keys and salts defined in wp-config.php.
$security_keys = array( AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT );

// Error 1: at least one key was left at the placeholder value (strict string comparison).
if ( in_array( 'put your unique phrase here', $security_keys, true ) ) {
        display_header();
        die(
                '<h1>' . __( 'Configuration Error' ) . '</h1>' .
                '<p>' . sprintf(
                        /* translators: %s: wp-config.php */
                        __( 'At least one of the security keys in your %s file still has its default value.' ),
                        '<code>wp-config.php</code>'
                ) . '</p></body></html>'
        );
}

// Error 2: two or more keys share the same value.
if ( count( array_unique( $security_keys ) ) < count( $security_keys ) ) {
        display_header();
        die(
                '<h1>' . __( 'Configuration Error' ) . '</h1>' .
                '<p>' . sprintf(
                        /* translators: %s: wp-config.php */
                        __( 'The security keys in your %s file need to be different from each other.' ),
                        '<code>wp-config.php</code>'
                ) . '</p></body></html>'
        );
}

Change History (4)

#1 follow-up: @SergeyBiryukov
11 months ago

  • Keywords close reporter-feedback added

Hi @nnikolov, welcome to WordPress Trac! Thanks for the ticket.

Unless I'm missing something, a better alternative is already implemented in [19771] for #19599.

If the security keys are not changed, wp_salt() creates auto-generated keys and saves them in the database to use instead of the ones from wp-config.php. So I don't think showing an error on installation is necessary here.
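
The fallback this comment describes, written out as an added PHP example (not WordPress core code): a simplified wp_salt()-style lookup that refuses a key still at its placeholder value or shared between two constants, and generates and persists a replacement once instead. The in-memory $options store, the function names and the sample configuration are assumptions made for this illustration.

```php
<?php
// Added illustration, not WordPress core code: a simplified model of the fallback that
// comment #1 describes (wp_salt() ignoring unusable keys and persisting generated ones).
// The constant/option naming follows wp-config.php; the in-memory $options store, the
// function names and the sample values are assumptions made for this example.

const DEFAULT_KEY_PLACEHOLDER = 'put your unique phrase here';

/** Values that must not be trusted: the placeholder, and any value used by more than one constant. */
function unusable_secrets( array $config ): array {
    $seen = array( DEFAULT_KEY_PLACEHOLDER => true );
    foreach ( $config as $value ) {
        $seen[ $value ] = isset( $seen[ $value ] );  // becomes true once a value repeats
    }
    return array_keys( array_filter( $seen ) );
}

/**
 * Effective secret for $scheme ('auth', 'secure_auth', 'logged_in', 'nonce') and $kind ('key'|'salt').
 * A usable configured value wins; otherwise a random value is generated once and kept
 * under "{$scheme}_{$kind}", standing in for the site option that wp_salt() writes.
 */
function effective_secret( string $scheme, string $kind, array $config, array &$options ): string {
    $constant = strtoupper( "{$scheme}_{$kind}" );  // e.g. AUTH_KEY, NONCE_SALT
    $value    = $config[ $constant ] ?? '';
    if ( $value !== '' && ! in_array( $value, unusable_secrets( $config ), true ) ) {
        return $value;
    }
    $option = "{$scheme}_{$kind}";
    if ( empty( $options[ $option ] ) ) {
        $options[ $option ] = bin2hex( random_bytes( 32 ) );  // generated once, then reused
    }
    return $options[ $option ];
}

// Constructed sample: AUTH_KEY was changed, AUTH_SALT is still the default,
// and LOGGED_IN_KEY / NONCE_KEY were mistakenly given the same value.
$config = array(
    'AUTH_KEY'      => 'example-changed-key-value',
    'AUTH_SALT'     => DEFAULT_KEY_PLACEHOLDER,
    'LOGGED_IN_KEY' => 'same-value-twice',
    'NONCE_KEY'     => 'same-value-twice',
);
$options = array();  // stands in for the wp_options rows wp_salt() would create

assert( effective_secret( 'auth', 'key', $config, $options ) === 'example-changed-key-value' );
$salt = effective_secret( 'auth', 'salt', $config, $options );
assert( $salt === $options['auth_salt'] && strlen( $salt ) === 64 );                       // generated and persisted
assert( $salt === effective_secret( 'auth', 'salt', $config, $options ) );                  // stable across calls
assert( effective_secret( 'nonce', 'key', $config, $options ) !== 'same-value-twice' );     // duplicate rejected
```

Run with `php -d zend.assertions=1 example.php`; a key that fails a check is replaced silently, which is the reason the installer error proposed in the ticket is not needed.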

#2 in reply to: ↑ 1 @nnikolov
11 months ago

Ah, OK, thanks. I didn't know about that.

#3 @mukesh27
11 months ago

  • Keywords reporter-feedback removed
  • Resolution set to invalid
  • Status changed from new to closed

@SergeyBiryukov +1 your answer

#4 @netweb
10 months ago

  • Milestone Awaiting Review deleted