Are the default salts secure?

  1. Is wp_generate_password() as safe as the salts generated by the recommended https://api.wordpress.org/secret-key/1.1/salt/?

Those details can’t be answered as for obvious reasons, the internals are unknown by the public. If we could answer that, then details would be known that allow for reverse engineering the process. This could lead to a decrease of security. Note, that someone could still try to set a gazillion of requests to this Url and then try to reverse engineer the process from watching what bubbles to the surface.

  1. Is there any downgrade in security by having the salts in the database as this method falls back to that?

Yes. You do not want to have security details/authentication credentials saved anywhere where it might be accessible by others. This includes:

  • Version control
  • Command line history
  • Database or file backups

Either keep your authentication credentials and related data (like for e.g. “salt”) in .env files (see Dotenv package), in your deployment services secret secure haven, in separate configuration files (for e.g. AWS credentials file) and therefore in only a single location.

  1. Does it have any security implications to not set the values and let them be generated randomly on the fly to the db?

Yes. As auth constants are used in Cookies as well, you would invalidate your users log in sessions by invalidating your users Cookies. Those are constants for a reason: They should stick and do not change per request.

Edit: As @gmazzap pointed me to it, I was not talking about values saved to the database, but about “generated on the fly” constants. In case you save it to the database, please refer to point 2 regarding security.

For further additions, please follow the link from @Mark Kaplun and read @gmazzap answer in detail (and upvote both).

Additional Note/Reminder: Always add some own pseudo random characters to the retrieved data from the API servers. And never ever give your credentials or your database out of hands. You won’t believe what people tend to email, save on usb-sticks, their private dropbox accounts or on hard disks on laptops without password…

Edit: As @stephenharris pointed out in [chat], there’s an interesting blog post around that topic that goes in far more detail than our answers here.

Related Posts:

  1. Simplest two-way encryption using PHP
  2. Encrypt emails?
  3. Moving away from MD5: Where to declare the custom global $wp_hasher?
  4. Using an Encryption class in a WordPress Plugin
  5. How to get real password (before encrypt) when register a user?
  6. Encrypt Password in Configuration Files?
  7. what is a auth_user_file.txt?
  8. How to view PHP on live site
  9. Is moving wp-config outside the web root really beneficial?
  10. Hide the fact a site is using WordPress?
  11. Verifying that I have fully removed a WordPress hack?
  12. Can I Prevent Enumeration of Usernames?
  13. Best way to eliminate xmlrpc.php?
  14. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  15. Should I remove install.php and install-helper.php?
  16. Are Nonces Useless?
  17. What is the difference between esc_html filter vs attribute_escape filter?
  18. How do I technically prove that WordPress is secure?
  19. WordPress it’s cleaning a custom query_var to avoid sql injections?
  20. Can someone explain the use cases of esc_html?
  21. How do WordPress Nonces Work?
  22. Tips for finding SPAM links injected into the_content
  23. Is WordPress vulnerable to the httpoxy?
  24. How can I easily verify a core or plugin update has not broken anything?
  25. Vanilla WordPress install, what can/should I put in disable_functions?
  26. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  27. Secure my “add_settings_field” translation?
  28. Is there a security risk giving someone temporary access to my blog’s code?
  29. How to properly sanitize/secure a WP Query coming from the front end
  30. WordPress Logout Only If User Click Logout or If User Delete Browser History
  31. How brute-forcer knows that the password is cracked for target username?
  32. wp_insert_post disable HTML filter
  33. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  34. Completely remove the author url
  35. Restricting access to content
  36. About WordPress site security
  37. Relative security of different releases of WordPress
  38. Is there any point setting the keys and salts in wp-config.php?
  39. Where to store OAuth 2.0 client id and secret?
  40. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  41. Using HTACCESS for Secret Access
  42. Definitive wordpress directory ownership and permissions on linux
  43. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  44. Would it be dangerous to send all the wp_options to javascript file?
  45. Changing Table Prefixes – once done, am I good to go going forward?
  46. wordpress website host price and security [closed]
  47. Are there security risks in working directly in the themes folder that builds into a theme folder?
  48. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  49. Secure WordPress: Change admin
  50. Changing the default header name
  51. how much information can we hide when using wordpress cms?
  52. Is it safe to use a global wp nonce per user instead of a nonce per action?
  53. Wordfence detects change in wp-admin/includes/upgrade.php
  54. Basic password protection without using users and roles
  55. System setting changed by system user
  56. Does meta-data need to be sanitized?
  57. Will there be security updates for WordPress 4.9.9
  58. Any known bugs that could cause disappearance of the wp_users table?
  59. On new server, site got hacked, permissions a bit strange? Please help
  60. 404/500 error on content images if Referer header is from another domain [closed]
  61. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  62. Restrict Access without Creating Users
  63. Switching between security plugins is a risk?
  64. How to obfuscate wp-config.php or code
  65. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  66. How to prevent to direct access of my custom plugin folder/files
  67. Checking for origin of a xmlrpc request
  68. RESTRICT EDIT of PHP files?
  69. wp-content – permissions for files/folders created by apache
  70. How can I restrict access to specific parts of a page, not just the page itself?
  71. User generated content and security
  72. Are major WordPress updates mandatory for security?
  73. i moved wp-config.php outside of public html and this broke my website
  74. Monitor wordpress all external calls
  75. Is it safe to use the basic administration with reduced rights for private member space
  76. Securing WordPress running on Azure platform
  77. Verifying that I have fully removed a WordPress hack?
  78. Spam Registrations
  79. How can I have more confidence that WP plugins aren’t getting and storing user data?
  80. Standard Method for Securing a WordPress Site
  81. wordpress security (only one part of the site)
  82. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  83. Any way to disable /wp-login.php redirecting to the site folder?
  84. Folder Permissions + Security Concerns
  85. Malware/Permission bug removal?
  86. Could a user account with a stolen password compromised entire WP site?
  87. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  88. Secure a WordPress website in 2019: one plugin or a combinations of them?
  89. What are the different types of firewall protections available for a WordPress website?
  90. Run a security scan on WordPress site that has .htaccess password [closed]
  91. Is this a WordPress security bug?
  92. Competitor is somehow accessing MetaData on a hidden WordPress site
  93. WordPress Hacks/Defacing [closed]
  94. checking the form submit in right order
  95. Our security auditor is an idiot. How do I give him the information he wants?
  96. I am under DDoS. What can I do?
  97. SSH keypair generation: RSA or DSA?
  98. How do I protect my company from my IT guy? [closed]
  99. Does changing default port number actually increase security? [closed]
  100. WordPress – tracking options

Leave a Comment