If you’re using the WordPress Automatic Upgrade plugin to keep WordPress on its latest version, here’s something you should know. It’s quick and thorough, but the upgrade isn’t as complete as I’d first thought: one of the new security features of WordPress 2.5, the SECRET_KEY that protects your login cookies, won’t be set up for you if you upgrade with the WPAU plugin.

A bit of background. A salted password hash combines the password with a random value (the salt) before hashing it, so that two users with the same password get different hashes and someone who gets hold of your database can’t simply look each hash up in a precomputed table. WordPress 2.5 does this for every stored password using the phpass library, and it happens automatically, whatever upgrade method you use. The related feature that does need your help is the secret key: in 2.5 the login cookie is protected by a keyed hash, and the key comes from the SECRET_KEY constant. If you were upgrading to WP v2.5 manually, you would define this secret key in your wp-config.php file.

When upgrading with WPAU, however, wp-config.php isn’t touched, so no SECRET_KEY gets defined. WordPress still has a fallback secret of its own that it keeps in the database, but that misses the point: SECRET_KEY is meant to be a secret that lives in a file on disk, outside the database, so that someone who walks off with a copy of your database can’t use it to forge login cookies. Here’s how that part of the configuration file looks:

// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

Still, I’m not discouraging you from using the WPAU plugin. But if you want your new WordPress version to sign its login cookies with a key that only your site knows, add the block of code above to wp-config.php yourself (you’ll need FTP or shell access to the file, since the plugin won’t edit it for you).

Replace the 'put your unique phrase here' part with a phrase of your own, the longer and more random the better; it’s a key, not a password, so you never have to type it again. WordPress feeds it into the keyed hash over the login cookie, so anyone who doesn’t know it can’t produce a cookie that your site will accept, and changing it later simply logs everyone out. Don’t reuse a password here, and don’t leave the placeholder text in place. If you’d rather not invent something yourself, the comment points you to https://www.grc.com/passwords.htm for a randomly generated phrase.
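To make the two mechanisms concrete, here is a small Python example, added to this post and not part of WordPress or the WPAU plugin. It shows the difference between a bare MD5 hash (what WordPress stored before 2.5) and a salted, stretched hash (the idea behind the phpass hashes that 2.5 uses), and a simplified keyed cookie hash of the kind SECRET_KEY feeds into. The password, wordlist, usernames and the placeholder key are constructed for the demo; the hash string format, the round count and the cookie layout are this example’s own simplifications, not WordPress’s exact ones.

```python
import hashlib
import hmac
import os

# Constructed sample data for this demo (not real WordPress records).
PASSWORD = "letmein"
WORDLIST = ["password", "123456", "letmein", "qwerty"]
SECRET_KEY = "put your unique phrase here"  # the wp-config.php placeholder, assumed here
STRETCH_ROUNDS = 8192  # illustrative round count; phpass uses a configurable cost


# --- Before 2.5: a bare MD5 hash ------------------------------------------
def md5_unsalted(password: str) -> str:
    """Same password, same hash, on every site in the world."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """A tiny stand-in for a rainbow table: precompute MD5 for a wordlist."""
    return {md5_unsalted(word): word for word in wordlist}


def lookup(stored_hash: str, table: dict):
    """Recover the password by table lookup, or None if the hash is not in it."""
    return table.get(stored_hash)


# --- 2.5: per-user random salt plus key stretching ------------------------
def hash_salted(password: str, salt: bytes = b"", rounds: int = STRETCH_ROUNDS) -> str:
    """Return 'salthex$digesthex'. A fresh random salt is drawn when none is given.
    The digest is MD5 iterated `rounds` times over the previous digest and the
    password, which is the idea behind phpass's portable hashes; the string
    format here is the example's own."""
    if not salt:
        salt = os.urandom(6)
    h = hashlib.md5(salt + password.encode()).digest()
    for _ in range(rounds):
        h = hashlib.md5(h + password.encode()).digest()
    return f"{salt.hex()}${h.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt stored next to it; compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), stored)


# --- Login cookie signed with the secret key (simplified) ------------------
def make_auth_cookie(username: str, expiration: int, secret_key: str) -> str:
    """'user|expiration|mac', where mac is HMAC-MD5 over 'user|expiration' under the key."""
    payload = f"{username}|{expiration}"
    mac = hmac.new(secret_key.encode(), payload.encode(), hashlib.md5).hexdigest()
    return f"{payload}|{mac}"


def verify_auth_cookie(cookie: str, secret_key: str) -> bool:
    """Accept the cookie only if its MAC matches under our key (no expiry check here)."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    username, expiration, mac = parts
    expected = hmac.new(secret_key.encode(), f"{username}|{expiration}".encode(),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 cracked by lookup:", lookup(md5_unsalted(PASSWORD), table))
    stored = hash_salted(PASSWORD)
    print("salted hash:", stored)
    print("salted hash found in lookup table:", lookup(stored, table))
    print("verify correct password:", verify_salted(PASSWORD, stored))
    print("verify wrong password:", verify_salted("password", stored))
    key = "a long random phrase of my own"
    cookie = make_auth_cookie("alice", 1207000000, key)
    print("cookie accepted:", verify_auth_cookie(cookie, key))
    print("forged cookie accepted:", verify_auth_cookie(cookie.replace("alice", "admin"), key))
    print("cookie accepted under the placeholder key:", verify_auth_cookie(cookie, SECRET_KEY))
```

Running it shows the bare MD5 of "letmein" falling straight out of a four-word lookup table, while the salted hash of the same password is different on every run and never matches the table; the cookie check shows that a cookie minted under one key is rejected when the username is changed or when a different key (such as the untouched placeholder) is used to verify it.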

There are a couple of community blogs that I maintain, and some of the other members are even more techno-savvy than I am. Although I do trust them, I’ve always wondered about the security of my passwords. You see, WordPress stores passwords in a table inside the database, along with the other user information you provide during installation (or registration). The passwords, when seen in the database, are not plainly readable, but before 2.5 they were plain, unsalted MD5 hashes, and a hash like that is trivially reversed with a precomputed lookup table. Hence my concern, because I use nearly the same password for all other Internet services.

With WP 2.5 that shortcut is gone: each stored hash carries its own random salt and is stretched over many hashing rounds, so a lookup table is useless and an attacker with your database has to brute-force each password individually. It isn’t literally unbreakable, a short or common password can still be guessed, but it’s a big step up from plain MD5. I hope this little write-up of mine helps!
