Forum Replies Created

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter Mikhail Morfikov

    (@morfikov)

    I think it does the same thing as wp-cli. So the width/height values and the thumbnail name are the same in the published post.

    The problem with the articles is that they’re outdated. When you look at the code, you can see some new stuff. This is a pretty decent explanation, but despite the fact that the article was written in 2014, it’s still outdated. I mean, most of the things that you can read in that post apply to the recent version of the code, but some things are missing, for instance the Token.

    The following is a comment that I posted in the aforementioned article:

    In the recent version (4+) there was a change in the authentication process, I mean there’s another parameter — token, so the cookie looks like this:

    Set-Cookie: wordpress_urlhash=user|timestamp|token|hash(sha256|sha1)

    I wonder what the purpose of the token is and whether it can be predicted.

    Also I have some additional questions concerning key/salt strings that can be set in wp-config.php file because I can’t find any useful info on this subject.

    1. Can I use any utf-8 character to set the keys, for instance ® ?
    2. Is there a limit on the length of the strings?
    3. What is the purpose of NONCE cookie? I can understand the 3 others.
    4. If you don’t have the keys set in the wp-config.php file, they will be automatically created in the database, but what if you create them in the wp-config.php? You have now two sets of keys — one in the database and one in the file. According to https://codex.ww.wp.xz.cn/Function_Reference/wp_salt , they “will be appended to the secret key that is in wp-config.php file in some instances.” — do you know what instances? Is it better to have the two sets or delete the keys from the database?
    5. Why do we need two different keys (key + salt) in wp-config.php file? I mean, there’s one file and the two values are read from it, so what’s the purpose of having two keys instead of just one?
    6. Why is the default length of the keys (salts) 64 chars? I mean the sha256 hash also has 64 chars — is there any connection between the two? Is there any security improvement when I use more than 64 chars in the keys/salts?

    But the comment is still awaiting moderation, and I didn’t get answers to these questions.
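The four-field cookie quoted in the post above can be checked as in the following added example, which is not part of the original post and is not WordPress's own code: it is a Python re-implementation of the validation WordPress core (4.0+) performs in PHP. The key, salt, stored password hash and the function names are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values; real ones come from wp-config.php and the users table.
LOGGED_IN_KEY = "constructed-logged-in-key"
LOGGED_IN_SALT = "constructed-logged-in-salt"
USER_PASS_HASH = "$P$BconstructedHashValue0123456789"


def wp_hash(data, key, salt):
    """HMAC-MD5 keyed with the scheme's key and salt concatenated."""
    return hmac.new((key + salt).encode(), data.encode(), hashlib.md5).hexdigest()


def expected_hmac(user, expiration, token, pass_hash, key, salt, algo="sha256"):
    """Recompute the cookie's fourth field the way the server does."""
    pass_frag = pass_hash[8:12]  # four characters of the stored password hash
    derived = wp_hash(f"{user}|{pass_frag}|{expiration}|{token}", key, salt)
    msg = f"{user}|{expiration}|{token}".encode()
    return hmac.new(derived.encode(), msg, getattr(hashlib, algo)).hexdigest()


def verify_auth_cookie(cookie, pass_hash, key, salt, session_hashes, now=None):
    """Return the username if the cookie is valid, else None."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:  # cookies without the token field are rejected
        return None
    user, expiration, token, mac = parts
    if not (expiration.isascii() and expiration.isdigit()):
        return None
    if int(expiration) < now:
        return None
    good = expected_hmac(user, expiration, token, pass_hash, key, salt)
    if not hmac.compare_digest(good.encode(), mac.encode()):  # constant time
        return None
    # The token is random and only its SHA-256 is kept server-side, so a
    # valid HMAC is not enough: the session must still exist for this user.
    if hashlib.sha256(token.encode()).hexdigest() not in session_hashes:
        return None
    return user
```

The key and salt are only ever used concatenated, and changing either one, or the user's password, invalidates every cookie issued before the change.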

    Thread Starter Mikhail Morfikov

    (@morfikov)

    I’ve found a pretty decent explanation here on how the keys work. The article’s date is 2014, so it’s a little bit newer than the one you gave earlier. Still some questions remain without answers.

    Thread Starter Mikhail Morfikov

    (@morfikov)

    So, I understand that I can use any utf-8 character, including a copyright sign for instance, right? Or would that be a problem? — that’s the real question.

    I know that “the standard keys that the API produces are around 64 long, I’d stick to that as that should be all that’s needed.”, but I’m not asking whether it’s ok to use 64 characters (less or more), only what’s the limit?

    As for storing keys in the database, again I know that it’s better to store them in wp-config.php file, but if you don’t set them in this file, they will be automatically created in the database, and what will happen when you set the keys in the file again? I’ve read of the possibility of appending them to the keys that are set in the wp-config file — is that true, or will the keys in the file be used instead? And should I delete the keys from the database after setting them in the file?

    They’re just simple questions and there should be simple answers.

    I’ve searched >150 pages for any kind of info on the wordpress key-salt subject, and people always say the same thing. There’s absolutely zero knowledge on how this is supposed to work. I’m not saying that you can’t use “technical language” — look for instance at this wiki article concerning DH protocol. Do you see any kind of code reference in the description of the process? You have the details later on, but I want something similar to the description — how this is supposed to work because everybody says, that’s the “great improvement of security”, but no one knows how it works. I doubt it’s really that great. 🙂

    I’m trying to set up my own blog (in my native language), and I write about all the settings that I’ve changed during the process — just to know them better, and what they’re responsible for. And most of the info can be found in the codex, but I have some questions concerning this particular subject, and no one can answer them. I can’t just write another boring article saying what the 150 others say — it would be 151st. 🙂

    Thread Starter Mikhail Morfikov

    (@morfikov)

    Thanks for the hardening link, and the other one called “Why WordPress Authentication Unique Keys and Salts Are Important”. I’ll read them as soon as I have some free time. Maybe I’ll find some useful info there.

    Anyways, I’m not asking for an explanation on how to implement cryptographic cyphers and anything like that. 🙂

    I have just simple questions, like what set of characters, or how many characters can be used, or what happens when I have different keys in the wordpress database and the wp-config.php file. I think this kind of information should be in the key/salts documentation, but instead there’s just general info.

    Yesterday, I read the codex entry about changing the password, and as you can see, there’s pretty much all the info that a user should know. For instance: “Note that even if the passwords are salted, meaning they look like $P$BLDJMdyBwegaCLE0GeDiGtC/mqXLzB0, you can still replace the password with an MD5 hash, and WordPress will let you log in.” There should also be information that wordpress will add salt to the generated (manually) md5 hash after first login (I compared the database entry before and after). 🙂 — So that is the kind of info I’m looking for, I’m not asking what wordpress exactly does in order (in this case) to set the hashed and salted pass inside of the database, but instead what should be the expected behavior.

    Thread Starter Mikhail Morfikov

    (@morfikov)

    I know, but I’m not a programmer, and I don’t think that I would be able to understand the code. So that’s why I’m asking for a little bit more user friendly explanation.

    Thread Starter Mikhail Morfikov

    (@morfikov)

    This is it, thanks! 🙂

    Thread Starter Mikhail Morfikov

    (@morfikov)

    I’m using similar code:

    <div class="meta-header">
    		<div class="row">
    			<div class="col-xs-10">
    				Rating: <?php if(function_exists('the_ratings')) { the_ratings( 'span' ); } ?> , <?php if(function_exists('the_views')) { the_views(); } ?>
    			</div>
    			<div class="col-xs-2">
    				<div class="pull-right">
    					<?php if(function_exists('wp_print')) { print_link(); } ?>
    				</div>
    			</div>
    		</div>
    </div>

    I restored the default plugin’s settings and added the span tag here, and yes, the line after voting met expectations. But the problem I described in my previous post stays the same, I mean there are still 2 lines before voting.

    When you hover your mouse over one of the stars you get this: http://i.imgur.com/U6e4ilp.png — the text 1 star, 2 stars, etc appears. I looked into the firefox inspector, and I got the code: http://i.imgur.com/c67X1rB.png — the two br tags aren’t mine. I removed them from the inspector, and I got one single line, but without text separation, which looks like this: http://i.imgur.com/qwByJyI.png%5D .

    I hope this will help in some way. Maybe there is an option to remove the 1 star, 2 stars text altogether?
