WordPress Upgraders — Did You Miss New Security?

Posted on April 29, 2008

If you’ve just upgraded your WordPress blog — as opposed to a new install — it is possible that you’ve missed out on a new security feature introduced with WordPress 2.5x. Why do I think that’s possible? Well, because I did.

WP 2.5 introduced a “security key” that you add to your wp-config.php file. When I upgrade, I don’t touch that file, and there you go. Missed.

Here’s an easy way to retrofit it. Just visit http://api.wordpress.org/secret-key/1.0/. That’ll give you something that looks like this:

define('SECRET_KEY', 'lots of characters');

(I substituted `lots of characters` for the actual key to get it to fit on the page.) You could also try the GRC Passwords page for a key.

Now, edit your blog’s wp-config.php file:

  • If you don’t have a line that starts with define('SECRET_KEY', then copy and paste the one you got from the key generator.
  -or-
  • If you do already have a line like that, but the key is still the default 'put your unique phrase here', then replace the entire line with what you got from the key generator.

Next time you access any protected content on your blog you’ll have to re-login.

What’s this do? Otto42, a fellow WP support moderator, explains:

Doing this will invalidate all your logins, so everybody on your site will have to relogin, but doing it will greatly increase the cookie strength of WordPress 2.5. This means that your login cookies, if intercepted, won’t be able to be reproduced as easily. It also means that somebody who gains read-only access to your database through some other means won’t be able to login to your site.

You can find more details in the Codex as well. In particular, read the Mark Jaquith quote there. Actually, I’ll just copy that part here as it’s so useful:

It is a hashing salt that is not readable through the database. “And what is a salt?” A salt is something that adds randomness to a hash input and makes it much harder to crack. For example:

In these examples, consider that the password is “test”, but that the cracker does not know this (indeed, this is what he’s trying to determine). And yes, I’m glossing over some stuff, but this is the simplistic explanation.

Easy to crack: md5('test');

Since ‘test’ is a short dictionary word, crackers who have the output hash can easily use rainbow tables (dictionary lookup table) to crack that password in seconds, or minutes.

Harder to crack: md5('test' . $known_salt);

In this case, the cracker has to generate a new rainbow table that adds the $known_salt value to their table’s hashes. This slows them down.

Even harder to crack: md5('test' . $unknown_salt);

In this case, they don’t know the salt. And since a good salt is something very random, like “888a7da62429ba6ad3cb3c76a09641fc” — they can’t use rainbow tables to help them. They have to just “brute force” their way through all the possible combinations. This is a huge hurdle. Something that might take 10 minutes before could now take years.
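To make the three cases above concrete, here is a small added example (mine, not from the post or from WordPress, and in Python rather than PHP) that builds a constructed lookup table from a tiny wordlist and shows which of the three hashes it can still match; the wordlist and the salt values are constructed for the demo:

```python
import hashlib
import secrets

# Constructed wordlist standing in for the "rainbow table" the quote mentions.
WORDLIST = ["password", "letmein", "test", "wordpress", "admin"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_table(salt: str = "") -> dict:
    """Precompute md5(word . salt) for every word; salt='' is the unsalted case."""
    return {md5_hex(word + salt): word for word in WORDLIST}


def lookup(table: dict, target_hash: str):
    """A single table lookup: returns the matching word or None."""
    return table.get(target_hash)


def unknown_salt_years(salt_hex_len: int, hashes_per_second: float) -> float:
    """Years needed to try every possible salt of the given hex length at a given
    hashing rate, for a single password guess (the 'brute force' case)."""
    return 16 ** salt_hex_len / hashes_per_second / (365 * 86400)


def demo():
    password = "test"
    known_salt = "wp"                      # assumed to be readable alongside the hash
    unknown_salt = secrets.token_hex(16)   # 32 hex chars, like the salt quoted above,
                                           # kept in wp-config.php rather than the database

    # Case 1: md5('test') - the unsalted table matches in one lookup.
    case1 = lookup(build_table(), md5_hex(password))
    # Case 2: md5('test' . $known_salt) - the old table misses, but a rebuilt one hits.
    case2_old_table = lookup(build_table(), md5_hex(password + known_salt))
    case2_rebuilt = lookup(build_table(known_salt), md5_hex(password + known_salt))
    # Case 3: md5('test' . $unknown_salt) - no table can be built without the salt.
    case3 = lookup(build_table(), md5_hex(password + unknown_salt))
    return case1, case2_old_table, case2_rebuilt, case3


if __name__ == "__main__":
    print(demo())
    print(f"{unknown_salt_years(32, 1e9):.2e} years to exhaust a 32-hex-char salt at 1e9 md5/s")
```

The point for the defender is the third case: as long as the salt lives only in wp-config.php, read access to the database alone does not give an attacker enough to rebuild the table.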

Want to learn more about salting? Check out this wikipedia article on Salting (crypto).

Now, go check your wp-config.php files!


5 Responses to “WordPress Upgraders — Did You Miss New Security?”

  1. Trent on April 29th, 2008 11:23 am

    See, I do read your blog Chris! I figured this out as well with my testbed on WPMU 1.5 RC as well. It is something that Donncha is also making known right away as upgrades will not have this figured out without manual intervention. Thanks for posting this for all of us that don’t want to learn this the hard way ;)

  2. James on April 29th, 2008 12:10 pm

    Excellent article Chris. I was looking at this new security feature only yesterday and wondering what it all meant. Your article has made it oh so easy. Great stuff! Thanks a lot!

  3. Rich G. on April 29th, 2008 7:10 pm

    Thanks for the heads up. I’d upgraded and totally missed that addition. You’d think something that big would be in bold letters somewhere on the install/upgrade page.

    it’s a feature they would want to let ppl know about… adding stealth features doesn’t count lol.

  4. Alisha on April 29th, 2008 7:17 pm

    I usually check for any updates in the wp-config.php file, but this time around I just didn’t.

    Thanks for sharing that, Chris!

  5. Chris on April 30th, 2008 10:14 am

    Thanks guys - glad you all liked it. :-)

    I don’t have a ton of readers here, so be sure to spread the word to other WP bloggers!
