Is there any point setting the keys and salts in wp-config.php?

  1. If I choose to leave this up to WP, what should I actually put in wp-config.php?

Sounds like something you can easily find out. My guess: if you don’t have the define('AUTH_KEY', ..) etc. statements, the system will not work.

  1. Some sources (this SO answer, for example) appear to state that putting the keys and salts in wp-config.php is “more secure” than using the database version.

With clever SQL injections it is possible to read data from the DB, even if I don’t have direct access to it. So all I need to get the keys is one plugin that has a SQL vulnerability and I can get them.

If I store part in the filesystem and part in the DB, just access to information from the DB is not sufficient anymore.

As suggested in the other answer, just use WP’s generator or any of the other ones (e.g. this from roots.io) and supply these keys differently for each site that you spin up.

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  3. Where to securely store API keys and passwords in WordPress?
  4. Why are passwords exportable as plain text in WordPress?
  5. How is password strength calculated?
  6. Generate WordPress salt
  7. Make password invalid once logged out of password-protected page
  8. Garbage in beginning of wp-config.php – was this WP installation compromised?
  9. Can’t reset WordPress password
  10. Is the “lost password” feature truly a vulnerability?
  11. Frontend Password change
  12. Is it possible to reduce the minimum character length for passwords?
  13. How does the “authentication unique keys and salts” feature work?
  14. Securing wp-config leads to sensitive information leak on wp-settings
  15. What’s the point of forbidding access to wp-config.php?
  16. Where to store OAuth 2.0 client id and secret?
  17. When is wp_set_password() called or how to capture a password
  18. Moving away from MD5: Where to declare the custom global $wp_hasher?
  19. How to get WordPress to send Password Reset Link Email instead of New Password?
  20. Config file with no Keys..?
  21. Basic password protection without using users and roles
  22. White screen of death on admin pages after moving wp-config up two levels for security
  23. How can I force a specific password?
  24. Storing FTP details in wp-config.php
  25. Can a WordPress administrator see other users’ passwords?
  26. My Site keeps crashing due to the wp-confg file being deleted
  27. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  28. How to change location of wp-config.php to folder or 2 folders up?
  29. Adding Security Keys?
  30. Remove hacked code – out of ideas! [closed]
  31. Secret keys in SCM
  32. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  33. wp-config.php moved above root results in no plugin updates
  34. Password-protect feed and make it usable in major aggregators
  35. wp-config.php file and code injection
  36. Malware/Permission bug removal?
  37. Could a user account with a stolen password compromised entire WP site?
  38. How to set custom validation for WordPress Passwords?
  39. Default installation permissions for wp-config.php
  40. Is my WP site being hacked?
  41. How to get real password (before encrypt) when register a user?
  42. Move data from wp-config to another file
  43. Directory to store secure file
  44. Can you alter the default wordpress strong password requirements?
  45. what is a auth_user_file.txt?
  46. Best way to eliminate xmlrpc.php?
  47. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  48. Which KSES should be used and when?
  49. Disable comment windows for all existing posts (pages/blogposts)
  50. Stop wordpress automatically escaping $_POST data
  51. how can i embed wordpress backend in iframe
  52. Handling nonces for actions from guests to logged-in users
  53. Can I force a password change?
  54. What is pclzip.lib.php file that wordfence think it’s a malicious code
  55. How to disable XML-RPC from Linux command-line in a total way?
  56. How to remove javascript malware in wordpress site [closed]
  57. Completely remove the author url
  58. Securing my WordPress Files and Directories
  59. Single sign-on: wp_authenticate_user vs wp_authenticate
  60. How to allow internal links using wp_kses filtration
  61. How does Cross Site Scripting (XSS) work exactly? [closed]
  62. Password protect a specific category page/post
  63. vs WordPress Security
  64. esc_html__ security : what for in this example?
  65. Using HTACCESS for Secret Access
  66. Definitive wordpress directory ownership and permissions on linux
  67. How do I protect user_activation_key?
  68. wordpress website host price and security [closed]
  69. Are there security risks in working directly in the themes folder that builds into a theme folder?
  70. how much information can we hide when using wordpress cms?
  71. System setting changed by system user
  72. Does meta-data need to be sanitized?
  73. Need help for WordPress User Session Management?
  74. Specific way to allow WordPress users to view their current password? And edit it?
  75. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  76. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  77. How to prevent to direct access of my custom plugin folder/files
  78. Checking for origin of a xmlrpc request
  79. RESTRICT EDIT of PHP files?
  80. wp-content – permissions for files/folders created by apache
  81. How can I restrict access to specific parts of a page, not just the page itself?
  82. Using password protection to load different page elements?
  83. User generated content and security
  84. Monitor wordpress all external calls
  85. Securing WordPress running on Azure platform
  86. Spam Registrations
  87. How can I have more confidence that WP plugins aren’t getting and storing user data?
  88. Standard Method for Securing a WordPress Site
  89. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  90. Any way to disable /wp-login.php redirecting to the site folder?
  91. Folder Permissions + Security Concerns
  92. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  93. Secure a WordPress website in 2019: one plugin or a combinations of them?
  94. What are the different types of firewall protections available for a WordPress website?
  95. Is this a WordPress security bug?
  96. Competitor is somehow accessing MetaData on a hidden WordPress site
  97. WordPress Hacks/Defacing [closed]
  98. SSH keypair generation: RSA or DSA?
  99. How do I protect my company from my IT guy? [closed]
  100. Does changing default port number actually increase security? [closed]