Automatically secure your site with keys and salts!

WordPress has a lot of excellent security features. One of these features is the ability to specify randomized keys and salts to help keep cookies and form nonces secure.

Sadly, there are a lot of WordPress users who miss out on this extra security because they haven’t configured it for their site.


That’s why I’m happy to announce that from today, VaultPress will help you out by detecting sites that haven’t set up any keys or salts. It’ll offer to fix the problem for you too, by generating and inserting long and secure randomized values.

Be warned that when your keys and salts are reconfigured, any logged-in users at your site will be logged out and will have to log in again. After that, everything should work as it did before the update — except with stronger security!
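As an added example (not VaultPress's or WordPress's own code), here is a Python sketch of the check the post describes: it flags secret constants in wp-config.php that are missing, still set to the wp-config-sample.php placeholder, too short or low-variety, and replaces them with 64-character values drawn from the OS CSPRNG. The eight constant names are the real WordPress ones; the length and variety thresholds, the single-quoted define() parsing and the sample config are assumptions made for the example.

```python
import re
import secrets
import string

# The eight constants WordPress reads for cookie and nonce hashing.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
# Printable ASCII minus space, quotes and backslash, so a value drops into a PHP single-quoted string unescaped.
ALPHABET = "".join(c for c in string.printable if c.isprintable() and c not in " '\"\\")
# Matches the single-quoted define() form wp-config-sample.php uses; other forms are treated as absent (assumption).
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);")
# Constructed sample: two placeholders, one short key, one strong key, all four salts missing.
SAMPLE_CONFIG = """<?php
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY',   'short' );
define( 'NONCE_KEY',       'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@' );
"""

def find_weak_secrets(config_text, min_len=32, min_distinct=16):
    """Names of secret constants that are missing, still the placeholder, too short or low-variety."""
    defined = dict(DEFINE_RE.findall(config_text))
    weak = []
    for name in WP_SECRET_CONSTANTS:
        value = defined.get(name)
        if (value is None or value.strip() == PLACEHOLDER
                or len(value) < min_len or len(set(value)) < min_distinct):
            weak.append(name)
    return weak

def generate_secret(length=64):
    """Random value from the OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def harden_config(config_text):
    """Rewrite weak define()s in place and append any secret constant the file lacks."""
    weak = set(find_weak_secrets(config_text))
    present = dict(DEFINE_RE.findall(config_text))
    def repl(m):
        if m.group(1) in weak:
            return "define('%s', '%s');" % (m.group(1), generate_secret())
        return m.group(0)
    out = DEFINE_RE.sub(repl, config_text)
    for name in WP_SECRET_CONSTANTS:
        if name not in present:
            out += "define('%s', '%s');\n" % (name, generate_secret())
    return out
```

Running `find_weak_secrets` on the constructed sample reports seven weak constants, and running it again on the output of `harden_config` reports none; as the post notes, writing the new values to a live site logs every user out.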

This entry was posted in Announcements, Features, Security.

4 Responses to Automatically secure your site with keys and salts!

  1. FYI, WordPress autogenerates these and stores the salt values in the DB if you use the value from wp-config-sample or an autogenerated wp-config file:

    https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L1331

    • Joseph Scott says:

      Correct, as noted in the docs for that function:

      “The secret keys in wp-config.php should be updated to strong, random keys to maximize security. Below is an example of how the secret key constants are defined.”

      Leaving them with the default values goes against that advice.

    • Mark Jaquith says:

      The reason for recommending wp-config.php-based salts is kind of non-obvious. It relates to cookie hashes (the value in the cookie you get when you log in to WordPress and which WordPress uses to continuously authenticate you). One of the inputs into that hash is a subset of the user’s password hash. That’s stored in the database. If an attacker somehow has read-access to the database, they’ll be able to grab this password hash substring. If they can also get the salts (because they’re stored in the database), they now have all the inputs they need to generate valid WordPress cookie values. By keeping the salt values in wp-config.php, you have made it so that they need database read access AND file read access in order to get their hands on both of those unknown hash inputs. If your house had two deadbolt locks on the front door, you wouldn’t keep both keys under the same rock.
