Salts and Keys in wp-salt.php

  • Resolved acann

    (@acann)


    5 years, 11 months ago

    Hi, I recently created a new WordPress site on a VPS webhost (Cloudways). When I went to manually update the salts and keys, I found in the wp-config.php there were no placeholders present and instead was a line

    require('wp-salt.php');

    I looked in this file and it contains the salts and keys (nothing else).

    I can’t find anything online about this method of implementing salts and keys. I asked the webhost if this was something they did with their wordpress image for all installs and they insist that the wp-salt.php file is generated by WordPress when it is installed.

    I downloaded WordPress from www.ads-software.com and when I look at the files I don’t see any wp-salt.php file anywhere, and the wp-config-sample.php clearly has placeholders for the salts and keys right in it.

    I’m hoping someone here can clear this up for me:

    1. Is this method (putting the salts and keys in a unique file wp-salt.php and calling that file in the wp-config.php) the current standard/default for WordPress? Or is this something unique to Cloudways?

    2. What is the purpose of defining the salts and keys at all, since I’ve read that if you don’t, the database does this anyway?

    3. What is the accepted best practice? Let database do it? Define manually directly in wp-config.php? Define in a separate file which is called within the wp-config.php?

    I just want to know the best practice is.

    Thanks in advance to anyone who can assist.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    That’s not a WP generated file. Perhaps the person who originally created the site did it. The best practice is to add salts directly to wp-config.php.

    Thread Starter acann

    (@acann)

    Thanks Steven! It was a fresh install but it is done through the webhost console so I thought it was something the webhost had done on their “image” or “script” which installs WordPress on a new VPS. That’s why I was confused when they insisted it was WordPress.

    Thank you for confirming this is NOT a WordPress file. I will delete the file whenever I install a WordPress site on this webhost and ensure the salts and keys are inserted directly in the wp-config.php

    Many thanks for the quick reply!

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    The advantange of putting the salts directly in wp-config.php is that you can quickly invalidate all of them (forcing new logins, etc) by simply adding a character to each. Plus, it’s one less file access each time the site is loaded.

    Thread Starter acann

    (@acann)

    In case it’s of interested, when I pressed the webhost further they stated that doing it this way is not uncommon and then provided this link as a reference

    https://www.ibm.com/blogs/bluemix/2014/02/deploy-wordpress-application-ibm-bluemix/

    I will stick with what you’ve indicated above, as opposed to this arbitrary article from 2014.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Salts and Keys in wp-salt.php’ is closed to new replies.

Tags