Your plugin broke the website while recreating keys. The plugin didn’t properly delete the old keys; it deleted 90% of the code, but the leftovers, of course, created a 500 error.
When I change the salts manually (using the WordPress salt generator), the logged in users cannot log in until they clear their cookies.
Does your plugin also have this problem?
Hi there, we’ve recently started using Salt Shaker PRO for our websites.
We set it up with Quarterly updating and none of the other checkboxes selected. Specifically, we do NOT want email reminders sent to the site administrator.
About a week after installing Salt Shaker on the sites, they are sending out email reminders to site administrators. We check the settings, that box is still not checked.
How do we stop these emails from being sent?
Hi,
I have been experimenting with this plugin for the past few hours. Every password that I have set and checked the hash in my database on the web server is possible to be reverse engineered without the salt strings. I simply put it in John the Ripper and with a dictionary attack it picks out the password from a wide list with the plugin enabled. I assumed with the hash that because the hash is different compared to the original password that pentesting tools wouldn’t be able to crack it.
Does this plugin only salt the password in cookies or does it also add a salt to the stored hash too?
Kind regards,
Alex
Your plugin’s memory usage on your latest update has increased 5x compared to your previous update (1.3.2). Is this a bug?
You can see the memory usage details over at plugintests.com where they do tests on all plugins.
Latest update: https://plugintests.com/plugins/wporg/salt-shaker/latest
Previous update: https://plugintests.com/plugins/wporg/salt-shaker/1.3.2
And one more thing, I see it as a security risk by showing the salts in the plugin settings. The more secret they are, the better.
Keep up the good work, I am considering the Pro version but should like a lifetime deal of an unlimited license.
In some installations or local environments (like https://localwp.com/) there are no salts defined by default.
It is – as you said in your FAQ – easy for competent people to insert salts from https://api.www.ads-software.com/secret-key/1.1/salt/
But a lot of users are not able to work with wp-config.php directly. And your plugin is a lifesaver for them, when it comes to managing salts.
So it would be really great, if Salt Shaker could insert missing salts too!
This feature is great but needs to be supported in modern WordPress fresh installs which have a file named wp-salt.php. After making some changes, nothing happens. I check wp-salt.php and there are no changes to the keys.
Hi, I will ask. Can you help me write a snippet for ManageWP to regenerate the salts?
This would help me a lot.
Many thanks
Hi,
The outage of www.ads-software.com on August 5, 2022 led to a white screen at a customer’s website. It looks as if the plugin tried to renew the SALT keys during the outage period. Instead of SALT keys I found this message in wp-config.php:
www.ads-software.com is currently offline due to a 3rd party data center outage. Please see https://status.www.ads-software.com/ for updates.
which caused the white screen.
Probably the plugin just scraped and copied what was displayed at https://api.www.ads-software.com/secret-key/1.1/salt/.
Apparently, outages of www.ads-software.com are quite rare. Nevertheless, I’m reporting this to you so you can consider an enhancement that can handle such cases.
Hi,
I installed and tested the plugin. Very easy and simple. It worked but 3 keys out of 9 were not changed. The first 2 are AUTH_KEY and AUTH_SALT. Another post suggests that all the keys should be changed manually prior to using the plugin and then everything will be fine, which I’ll do tonight.
However, my wp-config.php file has a 9th key called WP_CACHE_KEY_SALT which is not changed. That key is not mentioned in the plugin documentation.
What can I do?
Thanks in advance
current code:
public function shuffleSalts() {
    $this->salts_array = array(
        "define('AUTH_KEY',",
        'SECURE_AUTH_KEY',
        'LOGGED_IN_KEY',
        'NONCE_KEY',
        "define('AUTH_SALT',",
        'SECURE_AUTH_SALT',
        'LOGGED_IN_SALT',
        'NONCE_SALT',
    );
Should remove define( from code in core.class.php; the WordPress default and sample file contain a space after define for Auth_Key and Auth_Salt:
public function shuffleSalts() {
    $this->salts_array = array(
        "'AUTH_KEY',",
        'SECURE_AUTH_KEY',
        'LOGGED_IN_KEY',
        'NONCE_KEY',
        "'AUTH_SALT',",
        'SECURE_AUTH_SALT',
        'LOGGED_IN_SALT',
        'NONCE_SALT',
    );
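Added example (not part of the posts above and not Salt Shaker's own code): the outage notice that ended up in wp-config.php and the AUTH_KEY / AUTH_SALT lines that never changed both come down to checking the fetched text before writing it and matching the define() lines regardless of spacing. The function names, the 64-character value rule and the sample data are assumptions of this example.

```php
<?php
// Added example; function names are hypothetical, not the plugin's API.
const SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Returns name => define() line, or null unless the body is exactly the eight
// expected statements. Assumption: values are 64 characters long and contain
// no quote or backslash.
function parse_salt_response(string $body): ?array
{
    $found = [];
    foreach (preg_split('/\R/', trim($body)) as $line) {
        if (!preg_match("/^define\(\s*'([A-Z_]+)',\s*'[^'\\\\]{64}'\s*\);$/", $line, $m)) {
            return null; // outage notice, HTML error page, truncated body
        }
        $found[$m[1]] = $line;
    }
    ksort($found);
    $expected = SALT_NAMES;
    sort($expected);
    return array_keys($found) === $expected ? $found : null;
}

// Swaps each salt line in the wp-config.php text. Matching is on the constant
// name, so "define('AUTH_KEY'" and "define( 'AUTH_KEY'" are both found.
// Returns null, so nothing gets written, if any of the eight is not replaced.
function replace_salts(string $config, array $salts): ?string
{
    foreach ($salts as $name => $line) {
        $pattern = '/^[ \t]*define\(\s*[\'"]' . preg_quote($name, '/') . '[\'"]\s*,[^\r\n]*/m';
        // A callback keeps "$" and "\" in the new value from being read as backreferences.
        $config = preg_replace_callback($pattern, fn() => $line, $config, 1, $count);
        if ($count !== 1) {
            return null;
        }
    }
    return $config;
}

// Constructed sample input: a well-formed body and a config with mixed spacing.
$body = $config = '';
foreach (SALT_NAMES as $i => $name) {
    $body .= sprintf("define('%s', '%s');\n", $name, str_repeat(chr(97 + $i), 64));
    $config .= sprintf("define(%s'%s', 'old-%d');\n", $i % 2 ? '' : ' ', $name, $i);
}
var_dump(parse_salt_response('www.ads-software.com is currently offline.') === null);
$updated = replace_salts("<?php\n" . $config, parse_salt_response($body));
var_dump($updated !== null && strpos($updated, 'old-') === false);
```

A caller would write `$updated` to disk only when both functions return non-null, and keep the existing file otherwise.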
Chrome dev errors when I open my theme design options, even without making any edit:
The page request was canceled because it took too long to complete
too many calls to admin.ajax through jquery-core,jquery-migrate,jquery-ui-core,
type of error: xhr
/wp-admin/admin-ajax.php
Failed to load resource: the server responded with a status of 429 ()
Failed to load resource: the server responded with a status of 504 ()
Hey.
So I read your code, and I’m unclear as to how this is supposed to increase site security. The way I see it, it only protects against session spoofing, and that’s assuming the attack comes after the keys have been changed.
Otherwise, it doesn’t increase security of the cookie itself (since it can’t do that), the cookie is already resistant to cracking (mainly because WP uses a different algo to store passwords, so you can’t re-use a collision string for anything), and a live browser hijack will not be prevented from executing by this plugin (or much else except possibly the browser itself).
Further, I would expect to see lost sessions (possibly lost shopping carts in Woo), if you happen to be doing something when the key replacement fires.
So how does it help, exactly?
This is 1 of the best plugins I’ve used so far.
But unfortunately, I’m not able to set the cronjob for it at the moment because it no longer shows up on my cronjob list.
Any solutions will be appreciated.
Hi,
Thought you’d like to know about a conflict with WordPress to Buffer Pro. I use Divi. When both Salt Shaker and WordPress to Buffer Pro are activated Divi slows to a crawl. If either one is active and the other is inactive, Divi operates correctly. (Opening a Divi page in admin: 6 seconds is normal. With both activated it’s 25 to 27 seconds.)
Cheers,
Daniel Weinstein
Hi,
I installed the plugin and it works fine, except that I noticed that AUTH_KEY and AUTH_SALT never change.
When going to https://api.www.ads-software.com/secret-key/1.1/salt/ you get 8 new keys, but your plugin only seems to generate 6 new keys. So I don’t understand why your plugin doesn’t change AUTH_KEY and AUTH_SALT.
Is this on purpose or is it a bug?
Guy
Hi,
A quick shout from a translator. In https://plugins.trac.www.ads-software.com/browser/salt-shaker/tags/1.2.8/_inc/gui/inner-settings-template.php#L8 you’re pointing towards a Codex page that now has been migrated to https://www.ads-software.com/support/article/changing-file-permissions/
Nothing bad, but when you next time update your plugin, you may want to point directly to the new location.
Hi @nagdy
Thank you very much for this plugin. I like the idea of rotating WordPress salts. I also like the idea of set and leave by periodically getting this done automatically – sort of like a set and forget. Don’t you think that it’s counter-intuitive though to leave wp-config.php writeable?
The manual approach is good however some network admins & developers would forget to put the file back to un-writable. This happens quite a lot in my experience.
Perhaps a combination of:
…will be the best way to implement this?
I haven’t played with this idea but I’m thinking of safeguards to ensure the WordPress will only fire the routine if the request came from the server (or valid servers if with load balancer).
Appreciate your thoughts. Thanks, mate.
MC
Hi
Thanks for creating an easy-to-use plugin!
Where can I find the salts created by this plugin?
1) I want to test to make sure salts are used, and that they change when they’re supposed to. 2) I cannot find salts in the wp-config file – are they located somewhere else?
Thank you!
Hi,
installed Salt Shaker on a demo site to test it out.
Activated it and in Settings I chose Immediate change and counted on having to log in again. Nothing happened.
OK, let’s try scheduling, ticked the box and set it to Monthly. Logged out, went to Settings again, it still says Daily.
I couldn’t find a Save button or is it automatically saved?
To sum it up, nothing happens when trying different settings.
Can you help me? Thanks.
Jan
Hi,
Your plugin is creating 2 ajax-calls for each letter typed into a WYSIWYG-editor. See documentation here:
https://www.dropbox.com/s/9xtaz082ihuo7x4/Screen%20Recording%202020-03-18%20at%2015.44.00.mov?dl=0
This needs to be fixed ASAP as it causes huge load on servers.
Thank you for making this great free plugin available. 5 starred and favorited. I have been using for several months on several sites and it has always worked great … Except maybe today. I was checking my wp-config file for another reason and I noticed the keys and salts were gone – just blank lines where they should be. The file date was yesterday. I manually put new keys and salts in and tested changing them with Salt Shaker and all seems to work fine. Any idea why they would have disappeared? It could be that I did something dunderheaded that has nothing to do with this plugin – but I can’t think of what that could have been.
After updating this plugin to 1.2.5, I couldn’t make any changes to my WordPress website because it spiked all resources on my server (phys memory, # of processes & cpu usage). I had to move all plugins to a separate file then activate them one by one to discover the culprit – this plugin. Been using the plugin for a year without issues before this latest release.
please change
<?php printf( __( 'The salt keys will be automatically changed on %s' ), $next_schedule ); ?>
by
<?php printf( __( 'The salt keys will be automatically changed on %s', 'salt-shaker' ), $next_schedule ); ?>
at _inc/gui/inner-settings-template.php line 23
for the translation to work
Hi Nagdy,
Unfortunately your plugin doesn’t work if the wp-content folder has a different name than the default name.
Could it be possible to update it using a variable instead of hard-coded path?
Thanks in advance.
Best regards
Hi,
Just installed the plugin.
1) Clicking “Change Now” button doesn’t log me out, instead an error message is displayed “Not available” (url remains stuck at WPsite/wp-admin/tools.php?page=salt_shaker)
2) Checking changes in wp-config.php
All Keys and Salts values are changed but AUTH_KEY and AUTH_SALT. They remain exactly the same as the previous ones…
Any idea?
Thanks
Best regards
Hi
I have one issue after I updated Salt Shaker.
In the debug log I have many of these warnings, and they increase every second.
Warning: feof() expects parameter 1 to be resource, bool given in /wp-content/plugins/salt-shaker/_inc/core.class.php on line 62
Warning: fgets() expects parameter 1 to be resource, bool given in /wp-content/plugins/salt-shaker/_inc/core.class.php on line 63
$replaced = false;
while (!feof($readin_config)) {
    $line = fgets($readin_config);
    if (stristr($line, $salt_value)) {
        $line = $new_salts[$salt_key] . "\n";
        $replaced = true;
Is it possible to stop this script?
I am going crazy having to delete it every time.
Thank you
It would be helpful if the following 2 additional filters were added in core.class.php in function shufflesalts():
$this->new_salts = apply_filters('salt_shaker_salts', $this->new_salts);
$this->salts_array = apply_filters('salt_shaker_salt_ids', $this->salts_array);
This will help me to add an additional salt, for instance if I am using JWT tokens which also require a secret key. Or, if permission is granted, I will commit the changes.
Help,
I downloaded Salt Shaker and installed it with the daily option.
But now I cannot log in to my site via WordPress.
Hi,
thanks for that little handy plugin – love it!
I’ve seen that your plugin is setting the file wp-config.php to CHMOD 666.
Is that OK? Shouldn’t it be 444 or 644?
Best regards
Ralf