Azure / wordpress-linux-appservice

MIT License

Salts and keys are not set #116

Closed tersor closed 9 months ago

tersor commented 9 months ago

Hello :)

In a fresh setup out-of-the-box, I notice that salts and keys are not set in /home/site/wwwroot/wp-config.php. This raises some security concerns, to say the least.

Is this intentional, am I missing something here?

samrueby commented 9 months ago

Hi!

The out-of-the-box WordPress wp-config includes:

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

Part of the standard procedure of bootstrapping a new WP instance is updating these phrases, optionally by using the tool provided.

I cannot speak on Microsoft's behalf, but suspect that maintaining this procedure is intentional.

ZubaeyrMSFT commented 9 months ago

@tersor, thanks for letting us know. We will add this by default.

WordPress uses a built-in random generator to create these keys and salts when they are not explicitly defined in the wp-config file. However, it's a good practice to define your own unique keys and salts manually. This way, you will have greater control over the security of your WordPress site.

You can run the below command from the SSH console to generate the keys:

wp config shuffle-salts --path=/home/site/wwwroot --allow-root
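As an added example (not code from this repository, from WordPress or from any commenter), a small Python check that flags wp-config.php salt defines that are still the stock placeholder, too short, or absent, and rewrites them with CSPRNG-generated 64-character values, the same length the WordPress.org secret-key service returns. The sample config is constructed for the demonstration.

```python
import re
import secrets
import string

# The eight constants the stock wp-config.php expects (names as quoted in this thread).
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
# No single quote or backslash, so a value can sit inside a single-quoted PHP string unescaped.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

def define_pattern(name):
    # Matches  define( 'NAME', 'value' );  with flexible whitespace, capturing the value.
    return re.compile(r"define\(\s*'" + re.escape(name) + r"'\s*,\s*'([^']*)'\s*\)\s*;")

def find_weak_salts(config_text):
    """Return the constants that are missing, still the placeholder, or shorter than 32 chars."""
    weak = []
    for name in WP_SALT_KEYS:
        m = define_pattern(name).search(config_text)
        if m is None or m.group(1) == PLACEHOLDER or len(m.group(1)) < 32:
            weak.append(name)
    return weak

def generate_salt(length=64):
    """Draw each character from a CSPRNG (the secrets module), never from random."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def harden_config(config_text):
    """Replace each weak define in place; append any define that is missing entirely."""
    out = config_text
    for name in find_weak_salts(config_text):
        line = "define( '%s', '%s' );" % (name, generate_salt())
        pat = define_pattern(name)
        if pat.search(out):
            # A function replacement keeps re.sub from interpreting characters in the salt.
            out = pat.sub(lambda _m: line, out, count=1)
        else:
            out = out.rstrip("\n") + "\n" + line + "\n"
    return out

# Constructed sample: one placeholder, one too-short value, six constants absent, one unrelated define.
SAMPLE_CONFIG = """<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'short' );
define( 'DB_NAME', 'wordpress' );
"""
```

Running find_weak_salts on a fresh deployment's wp-config.php before the site goes live is a cheap post-install gate; harden_config is the repair when wp-cli is not available.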

tersor commented 9 months ago

> We will add this by default.

Great, a much welcome addition, considering not everybody will do the manual lifting described above as part of the post-installation process.