Weight Loss Demystified

To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php. Regardless, defining SECRET_KEY and giving it a unique phrase will give your cookies some added security. To make adding a secret key easier, we’ve created a web page that will create the full statement needed to define SECRET_KEY complete with a strong, randomly-generated phrase. Go to api.wordpress.org/secret-key/1.0/ for a line you can cut-and-paste into your wp-config.php file. Here’s some sample output:

define('SECRET_KEY', 'C~1Vr5|!meuT$j`Y.:i&*Cd=O^N0XWD_HzHruzl-?R%LPzlzQ( q^KSW[dmcK;vw');

Cut-and-paste that entire line into your wp-config.php. You can put it after the define statements for the database settings. If you already have SECRET_KEY defined in your wp-config.php, delete the existing line and add the new line. After you add your SECRET_KEY, all users on your blog that are logged in will be logged out. They’ll have to log back in to get a new cookie. If you ever need to force all users to log out, changing SECRET_KEY is an easy way to do so. Don’t worry that changing SECRET_KEY will affect passwords; it affects only login cookies. And don’t worry about having to remember that long random phrase. WordPress will never ask you to input that phrase. It’s just there to act a piece of randomness, frozen in time, for use in creating more secure login cookies for your blog.

Update: As mentioned in the comments, don’t directly copy the example I have above.  Visit api.wordpress.org/secret-key/1.0/ to get your own secret key.  Get a different secret for each of your blogs.

When you add the SECRET_KEY line, add it after the ‘<?php’ tag on the first line.  It has to be between the first line and the last line of wp-config.php, in between the ‘<?php’ and ‘?>’ tags.  In a future version of WP, we’ll try to do this for you automatically if your server config allows WP to write to your wp-config.php file.  That way you won’t have to edit any PHP files.

If you are seeing this post, then you are getting pages served from my new server at Slicehost. I still have to migrate my other web sites, and figure out how I’m going to mange email, but this was a big hurdle, and I’m glad to say that it went pretty smoothly. There are still some old files that I haven’t put back in place yet, so if anything seems awry, don’t be too surprised. I know of a couple of things I need to take care of, but I’m sure there are others that haven’t crossed my mind yet. So feel free to contact me if you see anything wrong on the site (dead links, missing images, etc.).

When I was shopping for a hosting company, there were a few final contenders in consideration. But Slicehost hit a sweet-spot in the variables of price, host stats, and that certain je ne sais quoi that tells you that a company seems to Get It. “Built for Developers” — that’s a good start right there. You want Plesk or Webmin? They don’t give it to you. But you can install it yourself if you really want it. Yeah, baby — that’s my kind of hosting.

ShareThis

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core developement team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.3.3 2.5*, you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.

While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security probem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.

And the same goes for any add-ons — if you install third-part plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.

I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.

There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat.net and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.

* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.

ShareThis

I went on an already planned vacation on the day we released 2.5. While I’ve been chilling out with my family in SoCal, the WP devs have been fixing bugs in preparation for 2.5.1, and the Automattic crew unveiled the new admin UI on WordPress.com. Feedback on the new UI from the large WordPress.com user base will be interesting and educational.

I’ll be back to WP work on Monday. I and the other WP devs will be focusing on fixing bugs for 2.5.1 and planning 2.6 features. After the lengthy 2.5 cycle, we’ll aim for a shorter feature list and quicker turn-around on 2.6.