WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#9725 closed enhancement (duplicate)

Authentication Keys

Reported by: link2caro
Owned by: ryan
Milestone:
Priority: normal
Severity: minor
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Should we implement the keys generator into setup-config.php?

Change History (6)

comment:1 Denis-de-Bernardy, 5 years ago

  • Keywords needs-patch added

comment:2 hakre, 5 years ago

  • Keywords developer-feedback added

Can you provide the current code of the webservice so that this can be better judged?

comment:3 hakre, 5 years ago

+1 for doing so in general.

comment:4 link2caro, 5 years ago

Quoted from "pluggable.php":

/**
 * Get salt to add to hashes to help prevent attacks.
 *
 * The secret key is located in two places: the database in case the secret key
 * isn't defined in the second place, which is in the wp-config.php file. If you
 * are going to set the secret key, then you must do so in the wp-config.php
 * file.
 *
 * The secret key in the database is randomly generated and will be appended to
 * the secret key that is in wp-config.php file in some instances. It is
 * important to have the secret key defined or changed in wp-config.php.
 *
 * If you have installed WordPress 2.5 or later, then you will have the
 * SECRET_KEY defined in the wp-config.php already. You will want to change the
 * value in it because hackers will know what it is. If you have upgraded to
 * WordPress 2.5 or later version from a version before WordPress 2.5, then you
 * should add the constant to your wp-config.php file.
 *
 * Below is an example of how the SECRET_KEY constant is defined with a value.
 * You must not copy the below example and paste into your wp-config.php. If you
 * need an example, then you can have a
 * {@link https://api.wordpress.org/secret-key/1.1/ secret key created} for you.
 *
 * <code>
 * define('SECRET_KEY', 'mAry1HadA15|\/|b17w55w1t3asSn09w');
 * </code>

Is this PHPDoc correct for 2.7+? There is no SECRET_KEY since 2.6, is there?

Ticket -> invalid because if the keys are not changed, the auto-generated keys which are stored in DB are used.
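
The check and local generator this ticket is about, as an added example (not WordPress core code and not part of any comment in this thread): it inspects the text of a wp-config.php for the SECRET_KEY constant named in the quoted docblock, flags the published example value, and prints a replacement drawn from the OS CSPRNG. The function names, the 32-character threshold and the sample config are assumptions.

```php
<?php
// Added example, not WordPress core code; function names are hypothetical.
// Requires PHP 7+ for random_int().
// Example value published in the docblock quoted above.
const PUBLISHED_EXAMPLE = 'mAry1HadA15|\/|b17w55w1t3asSn09w';

// Build a key from the OS CSPRNG. The alphabet omits ' and \ so the
// result can be written inside single quotes without escaping.
function generate_key(int $length = 64): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
              . '0123456789!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// Classify the SECRET_KEY defined in the text of a wp-config.php file.
// Only the single-quoted define('SECRET_KEY', '...') form is recognised.
function audit_secret_key(string $config): string {
    $re = "/define\(\s*'SECRET_KEY'\s*,\s*'((?:[^'\\\\]|\\\\.)*)'\s*\)/";
    if (!preg_match($re, $config, $m)) {
        return 'missing';            // the database copy is used instead
    }
    // Undo the two escapes PHP honours inside single quotes.
    $value = strtr($m[1], ['\\\\' => '\\', "\\'" => "'"]);
    if ($value === PUBLISHED_EXAMPLE) {
        return 'published-example';  // known to anyone who read the source
    }
    if (strlen($value) < 32) {
        return 'too-short';          // threshold is an assumption
    }
    return 'ok';
}

// Constructed sample: a config that still carries the published example.
$sample = <<<'CFG'
<?php
define('DB_NAME', 'wp');
define('SECRET_KEY', 'mAry1HadA15|\/|b17w55w1t3asSn09w');
CFG;

$status = audit_secret_key($sample);
echo "SECRET_KEY status: $status\n";
if ($status !== 'ok') {
    // A line an installer could write in place of the weak one.
    echo "define('SECRET_KEY', '" . generate_key() . "');\n";
}
```

For a release whose wp-config.php uses different key constants, change the constant name in the pattern accordingly.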

comment:5 Denis-de-Bernardy, 5 years ago

  • Keywords developer-feedback auth_key authentication secret key removed
  • Milestone changed from 2.8 to Future Release

comment:6 sivel, 4 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

duplicate of #12159
