Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#44887 closed enhancement (invalid)

Add an error on installation if the security keys are not secure

Reported by: nnikolov
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: close
Focuses:
Cc:

Description

Hello.

My suggestion is a simple one. When the installation process starts, check whether the user has actually changed the security keys in wp-config.php and show an error if one of them still has its default value 'put your unique phrase here'. Also show another error if two of the keys are the same.

Here is one way to do it: Add the following code (without the opening php tag) in the wp-admin/install.php file on line 277 (talking about version 4.9.8).

<?php
if ( in_array( 'put your unique phrase here', Array( AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT ) ) ) {
        display_header();
        die(
                '<h1>' . __( 'Configuration Error' ) . '</h1>' .
                '<p>' . sprintf(
                        /* translators: %s: wp-config.php */
                        __( 'At least one of the security keys in your %s file still has its default value.' ),
                        '<code>wp-config.php</code>'
                ) . '</p></body></html>'
        );
}

if ( count( array_unique( Array( AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT ) ) ) < 8 ) {
        display_header();
        die(
                '<h1>' . __( 'Configuration Error' ) . '</h1>' .
                '<p>' . sprintf(
                        /* translators: %s: wp-config.php */
                        __( 'The security keys in your %s file need to be different from each other.' ),
                        '<code>wp-config.php</code>'
                ) . '</p></body></html>'
        );
}
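The same two conditions the ticket wants caught at install time (a key left at the placeholder, two keys with identical values) can also be audited before installation, against the wp-config.php file itself. The script below is an added example, not code from the ticket or from WordPress core: it reads the file as text rather than executing it, so it can be run on a copy of the config offline. The function names `extract_wp_keys` and `audit_wp_keys` are this example's own, it assumes the keys are written as `define( 'NAME', '...' )` with quoted literals (the form the installer and the api.wordpress.org salt generator produce), and the embedded sample config and its key values are constructed for the demonstration; they are not real keys.

```php
<?php
// Added example for this ticket (not code from the ticket or from WordPress core).
// Audits a wp-config.php file offline for the conditions the ticket describes:
// a key left at the default placeholder, keys that are identical, and keys that
// are missing or empty. The file is read as text, never executed.
// Usage: php audit-wp-keys.php /path/to/wp-config.php
//        php audit-wp-keys.php          (runs against the constructed sample below)

const WP_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);
const WP_KEY_PLACEHOLDER = 'put your unique phrase here';

/**
 * Pull the value of each define( 'NAME', '...' ) for the eight keys out of the
 * raw file contents. Assumes the quoted-literal form the WordPress installer
 * writes; a key defined any other way is reported as missing.
 */
function extract_wp_keys( $config_source ) {
    $keys = array();
    foreach ( WP_KEY_NAMES as $name ) {
        // The opening quote is captured in group 1 and matched again at the end,
        // so a single-quoted value may contain double quotes and vice versa.
        $pattern = '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*([\'"])(.*?)\1\s*\)/';
        if ( preg_match( $pattern, $config_source, $m ) ) {
            $keys[ $name ] = $m[2];
        }
    }
    return $keys;
}

/**
 * Return a list of findings; an empty array means no problems were found.
 */
function audit_wp_keys( array $keys ) {
    $findings = array();
    $by_value = array();

    foreach ( WP_KEY_NAMES as $name ) {
        if ( ! array_key_exists( $name, $keys ) ) {
            $findings[] = "$name: not defined in the file";
            continue;
        }
        $value = $keys[ $name ];
        if ( $value === '' ) {
            $findings[] = "$name: empty value";
        } elseif ( $value === WP_KEY_PLACEHOLDER ) {
            $findings[] = "$name: still set to the default placeholder";
        }
        $by_value[ $value ][] = $name;
    }

    // Any value shared by two or more keys is reported once, naming all of them.
    foreach ( $by_value as $value => $names ) {
        if ( count( $names ) > 1 ) {
            $findings[] = 'identical values: ' . implode( ', ', $names );
        }
    }
    return $findings;
}

// Constructed sample config (values are made up, not real keys): one key at the
// placeholder, two keys that share a value, one empty key, and one key missing.
$sample_config = <<<'CFG'
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'k2#Vx9!q@Lm^Zr$7wT&pB*eH' );
define( 'LOGGED_IN_KEY',    'k2#Vx9!q@Lm^Zr$7wT&pB*eH' );
define( 'NONCE_KEY',        'Q4~yN8%gD_cF+sJ-oU]aM[iR' );
define( 'AUTH_SALT',        'R7<xE1>hK{vW}bC`nP=tY,zL' );
define( 'SECURE_AUTH_SALT', '' );
define( 'LOGGED_IN_SALT',   'G3;fA6:jS/dO?mI|uX.wE!qT' );
CFG;

$source   = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample_config;
$findings = audit_wp_keys( extract_wp_keys( $source ) );

if ( empty( $findings ) ) {
    echo "OK: all eight keys are defined, non-empty, unique and not the placeholder.\n";
    exit( 0 );
}
foreach ( $findings as $finding ) {
    echo "PROBLEM: $finding\n";
}
exit( 1 );
```

Run without arguments it reports the four faults built into the sample (the placeholder in AUTH_KEY, the shared value of SECURE_AUTH_KEY and LOGGED_IN_KEY, the empty SECURE_AUTH_SALT, and the undefined NONCE_SALT) and exits non-zero, which makes it usable as a pre-deployment check. Note that, as comment 1 below points out, WordPress itself tolerates placeholder or missing keys by generating replacements in the database; this audit is for operators who want the keys in the file to be the ones actually in use.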

Change History (4)

#1 follow-up: @SergeyBiryukov
6 years ago

  • Keywords close reporter-feedback added

Hi @nnikolov, welcome to WordPress Trac! Thanks for the ticket.

Unless I'm missing something, a better alternative is already implemented in [19771] for #19599.

If the security keys are not changed, wp_salt() creates auto-generated keys and saves them in the database to use instead of the ones from wp-config.php. So I don't think showing an error on installation is necessary here.

#2 in reply to: ↑ 1 @nnikolov
6 years ago

Ah, OK, thanks. I didn't know about that.

#3 @mukesh27
6 years ago

  • Keywords reporter-feedback removed
  • Resolution set to invalid
  • Status changed from new to closed

@SergeyBiryukov +1 your answer

#4 @netweb
6 years ago

  • Milestone Awaiting Review deleted