Is there any point setting the keys and salts in wp-config.php?

I'm auto-generating WordPress (5.9.3) sites on a VPS. I could, as part of the generation script, create random strings for the various keys and salts in wp-config.php. However, there doesn't appear to be any unequivocal statement in the docs that this is actually necessary, and various sources appear to state that WP will generate the keys and salts anyway if there are none in wp-config.php.

Two questions:

  1. If I choose to leave this up to WP, what should I actually put in wp-config.php? I don't want to leave in the default 'put your unique phrase here', because the end-user is then guaranteed to complain that the site is insecure and I don't know what I'm doing. Can I just delete the key/salt lines?
  2. Some sources (this SO answer, for example) appear to state that putting the keys and salts in wp-config.php is more secure than using the database version. Does this make any sense? In my case, the database (MariaDB 10.3.34) has no non-localhost access, and the DB passwords appear to be stored as two rounds of SHA1 hashing, which is fairly secure. Realistically speaking, it's much more likely that someone will break into the server itself, via Apache or otherwise, and simply read the plaintext DB password out of... wait for it... wp-config.php. And, if they can do that, cookie security is irrelevant anyway.


  1. If I choose to leave this up to WP, what should I actually put in wp-config.php?

Sounds like something you can easily find out. My guess: if you don't have the define('AUTH_KEY', ..) etc. statements, the system will not work.

  2. Some sources (this SO answer, for example) appear to state that putting the keys and salts in wp-config.php is "more secure" than using the database version.

With clever SQL injections it is possible to read data from the DB, even if I don't have direct access to it. So all I need to get the keys is one plugin that has a SQL vulnerability and I can get them.

If I store part in the filesystem and part in the DB, just access to information from the DB is not sufficient anymore.

As suggested in the other answer, just use WP's generator or any of the other ones (e.g. this from roots.io) and supply these keys differently for each site that you spin up.
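As an added example (not part of the original question or answer), this POSIX sh snippet is one way a site-generation script could supply per-site keys and salts without calling out to an external generator: it draws the eight secrets from /dev/urandom and splices them into wp-config.php in place of the placeholder lines. It assumes the target file still carries the stock `define('AUTH_KEY', 'put your unique phrase here');` style lines from wp-config-sample.php; the function names are the example's own.

```shell
#!/bin/sh
# Added example: generate WordPress keys/salts locally and write them into
# an existing wp-config.php, replacing the placeholder define() lines.

# The eight constants WordPress reads from wp-config.php.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character random string from /dev/urandom.
# The character set deliberately excludes quotes and backslashes so the
# value is always a valid PHP single-quoted literal.
wp_random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_=+,.?~' < /dev/urandom | head -c 64
}

# Emit one define() line per key, each with a freshly generated secret.
wp_generate_defines() {
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(wp_random_secret)"
    done
}

# Rewrite the wp-config.php given as $1 in place: every existing define()
# for one of the keys above is dropped, and the eight new lines are inserted
# where the first of them stood. Other lines are left untouched.
wp_set_salts() {
    cfg="$1"
    tmp="$(mktemp)"
    wp_generate_defines > "$tmp.defs"
    awk -v defs="$tmp.defs" '
        /^define\(.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)./ {
            if (!done) { while ((getline l < defs) > 0) print l; done = 1 }
            next
        }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    rm -f "$tmp.defs"
}
```

Run `wp_set_salts /path/to/site/wp-config.php` once per generated site so no two installations share a key; regenerating the values later simply invalidates every existing login cookie for that site.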
