Is there any point setting the keys and salts in wp-config.php?

  1. If I choose to leave this up to WP, what should I actually put in wp-config.php?

Sounds like something you can easily find out. My guess: if you don’t have the define('AUTH_KEY', ..) etc. statements, the system will not work.

  1. Some sources (this SO answer, for example) appear to state that putting the keys and salts in wp-config.php is “more secure” than using the database version.

With clever SQL injections it is possible to read data from the DB, even if I don’t have direct access to it. So all I need to get the keys is one plugin that has a SQL vulnerability and I can get them.

If I store part in the filesystem and part in the DB, just access to information from the DB is not sufficient anymore.

As suggested in the other answer, just use WP’s generator or any of the other ones (e.g. this from roots.io) and supply these keys differently for each site that you spin up.

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  3. Where to securely store API keys and passwords in WordPress?
  4. Why are passwords exportable as plain text in WordPress?
  5. How is password strength calculated?
  6. Generate WordPress salt
  7. Make password invalid once logged out of password-protected page
  8. Garbage in beginning of wp-config.php – was this WP installation compromised?
  9. Can’t reset WordPress password
  10. Is the “lost password” feature truly a vulnerability?
  11. Frontend Password change
  12. Is it possible to reduce the minimum character length for passwords?
  13. How does the “authentication unique keys and salts” feature work?
  14. Securing wp-config leads to sensitive information leak on wp-settings
  15. What’s the point of forbidding access to wp-config.php?
  16. Where to store OAuth 2.0 client id and secret?
  17. When is wp_set_password() called or how to capture a password
  18. Moving away from MD5: Where to declare the custom global $wp_hasher?
  19. How to get WordPress to send Password Reset Link Email instead of New Password?
  20. Config file with no Keys..?
  21. Basic password protection without using users and roles
  22. White screen of death on admin pages after moving wp-config up two levels for security
  23. How can I force a specific password?
  24. Storing FTP details in wp-config.php
  25. Can a WordPress administrator see other users’ passwords?
  26. My Site keeps crashing due to the wp-confg file being deleted
  27. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  28. How to change location of wp-config.php to folder or 2 folders up?
  29. Adding Security Keys?
  30. Remove hacked code – out of ideas! [closed]
  31. Secret keys in SCM
  32. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  33. wp-config.php moved above root results in no plugin updates
  34. Password-protect feed and make it usable in major aggregators
  35. wp-config.php file and code injection
  36. Malware/Permission bug removal?
  37. Could a user account with a stolen password compromised entire WP site?
  38. How to set custom validation for WordPress Passwords?
  39. Default installation permissions for wp-config.php
  40. Is my WP site being hacked?
  41. How to get real password (before encrypt) when register a user?
  42. Move data from wp-config to another file
  43. Directory to store secure file
  44. Can you alter the default wordpress strong password requirements?
  45. SSL Error: unable to get local issuer certificate
  46. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  47. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  48. How to redirect all HTTP requests to HTTPS
  49. What is the difference between a cer, pvk, and pfx file?
  50. How to solve “Kernel panic – not syncing – Attempted to kill init” — without erasing any user data
  51. What’s the best approach for generating a new API key?
  52. Is it possible to decrypt SHA1
  53. Simplest two-way encryption using PHP
  54. Why does the URL http://a/%%30%30 crash Google Chrome?
  55. what is a auth_user_file.txt?
  56. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  57. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  58. Error `sec_error_revoked_certificate` when viewed in Firefox only
  59. How to view PHP on live site
  60. Convert .pfx to .cer
  61. how fix “this certificate cannot be verified up to a trusted certification authority”
  62. Can an attacker use inspect element harmfully?
  63. Where does Internet Explorer store saved passwords?
  64. How can bcrypt have built-in salts?
  65. Hide the fact a site is using WordPress?
  66. Verifying that I have fully removed a WordPress hack?
  67. Infected Files – what to do [closed]
  68. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  69. Getting a List of Currently Available Roles on a WordPress Site?
  70. WordPress 4.7.1 REST API still exposing users
  71. Can I Prevent Enumeration of Usernames?
  72. Best way to eliminate xmlrpc.php?
  73. What’s the easiest way to stop WP from ever logging me out
  74. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  75. Should I escape wordpress functions like the_title, the_excerpt, the_content
  76. Why should I use the esc_url?
  77. Should I remove install.php and install-helper.php?
  78. How safe / sanitized is wp_insert_posts()?
  79. Why does WordPress need my private ssh key to update?
  80. When to use esc_html and when to use sanitize_text_field?
  81. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  82. Are Nonces Useless?
  83. What could a hacker do with my wp-config.php
  84. What is the difference between esc_html filter vs attribute_escape filter?
  85. Why escape if the_content isnt?
  86. Why does WordPress have more than one salt?
  87. What is the ideal setup to address security concerns?
  88. Will there be security updates for 3.1 once 3.2 is released?
  89. What’s the difference between esc_* functions?
  90. Full path disclosure on rss-functions.php
  91. What to use instead of wp_kses() in user output
  92. Enforcing password complexity
  93. How to set up fail2ban with WordFence?
  94. How do I technically prove that WordPress is secure?
  95. Are the default salts secure?
  96. is_email() VS sanitize_email()
  97. multi page password protection
  98. WordPress it’s cleaning a custom query_var to avoid sql injections?
  99. Which KSES should be used and when?
  100. Can someone explain the use cases of esc_html?
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)