Make WordPress Core

Opened 9 years ago

Closed 8 years ago

#9725 closed enhancement (duplicate)

Authentication Keys

Reported by: link2caro
Owned by: ryan
Milestone:
Priority: normal
Severity: minor
Version:
Component: Security
Keywords:
Focuses:
Cc:


Should we implement the keys generator into setup-config.php?

Change History (6)

#1 @Denis-de-Bernardy
9 years ago

  • Keywords needs-patch added

#2 @hakre
9 years ago

  • Keywords developer-feedback added

Can you provide the current code of the web service so that this can be better judged?

#3 @hakre
9 years ago

+1 for doing so in general.

#4 @link2caro
9 years ago

Quoted from "pluggable.php":

     * Get salt to add to hashes to help prevent attacks.
     *
     * The secret key is located in two places: the database in case the secret key
     * isn't defined in the second place, which is in the wp-config.php file. If you
     * are going to set the secret key, then you must do so in the wp-config.php
     * file.
     *
     * The secret key in the database is randomly generated and will be appended to
     * the secret key that is in wp-config.php file in some instances. It is
     * important to have the secret key defined or changed in wp-config.php.
     *
     * If you have installed WordPress 2.5 or later, then you will have the
     * SECRET_KEY defined in the wp-config.php already. You will want to change the
     * value in it because hackers will know what it is. If you have upgraded to
     * WordPress 2.5 or later version from a version before WordPress 2.5, then you
     * should add the constant to your wp-config.php file.
     *
     * Below is an example of how the SECRET_KEY constant is defined with a value.
     * You must not copy the below example and paste into your wp-config.php. If you
     * need an example, then you can have a
     * {@link https://api.wordpress.org/secret-key/1.1/ secret key created} for you.
     *
     * <code>
     * define('SECRET_KEY', 'mAry1HadA15|\/|b17w55w1t3asSn09w');
     * </code>

Is this PHPDoc correct for 2.7+? There is no SECRET_KEY since 2.6, is there?

Ticket -> invalid because if the keys are not changed, the auto-generated keys which are stored in DB are used.
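An added example, not part of the ticket or of WordPress's own code: a Python check that reads a wp-config.php, separates keys that are undefined (the docblock says the database key is used then) from keys left at a publicly known value, and builds replacement `define()` lines from the OS CSPRNG. The constant names other than SECRET_KEY, the `put your unique phrase here` placeholder, the 32-character threshold and the key alphabet are assumptions.

```python
import re
import secrets

# Assumed constant names for a 2.6/2.7-era wp-config.php; adjust per install.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY",
             "NONCE_KEY", "SECRET_KEY")
# Publicly known values: the docblock's example and the assumed placeholder.
PUBLISHED = {r"mAry1HadA15|\/|b17w55w1t3asSn09w", "put your unique phrase here"}
# Safe inside a PHP single-quoted string: no quote and no backslash.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_[]{}<>~`+=,.;:/?|")
MIN_LENGTH = 32  # assumed policy threshold, not a WordPress rule

# Matches define('NAME', 'value') at the start of a line, so a define that
# is commented out with // or # is ignored.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<q>['"])"""
    r"""(?P<value>(?:\\.|(?!(?P=q)).)*)(?P=q)\s*\)""", re.M)


def audit(config_text, names=KEY_NAMES):
    """Classify each key constant as undefined, published, short or ok."""
    found = {m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text)}
    report = {}
    for name in names:
        value = found.get(name)
        if value is None:
            report[name] = "undefined"  # docblock: the database key is used
        elif value in PUBLISHED:
            report[name] = "published"  # anyone can read this value
        elif len(value) < MIN_LENGTH:
            report[name] = "short"
        else:
            report[name] = "ok"
    return report


def new_define(name, length=64):
    """Build a define() line whose key comes from the OS CSPRNG."""
    key = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "define('%s', '%s');" % (name, key)


# Constructed sample input, not taken from a real site.
SAMPLE = r"""
define('AUTH_KEY', 'put your unique phrase here');
define('SECRET_KEY', 'mAry1HadA15|\/|b17w55w1t3asSn09w');
define('LOGGED_IN_KEY', 'hunter2');
"""
```

`audit(SAMPLE)` reports the first two constants as `published`, the third as `short` and the remaining names as `undefined`; `new_define("AUTH_KEY")` yields a line that audits as `ok`.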

#5 @Denis-de-Bernardy
9 years ago

  • Keywords developer-feedback auth_key authentication secret key removed
  • Milestone changed from 2.8 to Future Release

#6 @sivel
8 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

duplicate of #12159
