Add WP_CACHE_KEY_SALT to WordPress.org secret-key service

[kraftbj]

Originally posted by @paulschreiber at ​https://core.trac.wordpress.org/ticket/44425 . Cross-posting here for the API side of the request.

Currently, the WordPress.org secret-key service

https://api.wordpress.org/secret-key/1.1/salt/

generates AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT.

It would be helpful if it also generated WP_CACHE_KEY_SALT. That way, people who install the object-cache.php drop-in would be less likely to experience unexpected behaviour.

See also: ​https://github.com/Automattic/wp-memcached/issues/31

[obenland]

I think I agree with ​Otto's comment here. If someone is qualified enough for a drop-in, I think it's reasonable to expect them to also define that constant.

[paulschreiber]

I think I agree with Otto's comment here. If someone is qualified enough for a drop-in, I think it's reasonable to expect them to also define that constant.

This argument is like saying "real programmers don't use syntax coloring." No purity tests, please.

I had to update 20 sites today ... by hand ... because the salts API (and therefore wp cli, which uses it) still doesn't support WP_CACHE_KEY_SALT.

[nickchomey]

I'd also love to see this

[dd32]

Just confirming we won't be adding support for WP_CACHE_KEY_SALT here.

The API is designed for Cores use, and does not add constants required by 3rd party items.

Specifically regarding WP_CACHE_KEY_SALT though, you really want to ensure it's a short string (and not a purely random string) as in many cache backends there's a key length limit.

[paulschreiber]

Can you at least make WP_CACHE_KEY_SALT available via a query parameter?

Memcached is only barely a "third-party" item -- it's made by Automattic!

[dd32]

No, the API isn't the place for it.

Memcached is only barely a "third-party" item -- it's made by Automattic!

Automattic doesn't get preferential treatment from WordPress.org. (despite being my employer, and sponsoring multiple people to work on WordPress.org and related projects)

[dd32]

Also noting for others in the future, you can set it automatically via WP-CLI something similar to this:

wp config set WP_CACHE_KEY_SALT `cat /dev/urandom | tr -dc 'a-z0-9' | head -c10`

(That was the first command to get a short random string I saw on Google, replace it with something that makes sense for your environment)

[nickchomey]

Replying to dd32:

Specifically regarding WP_CACHE_KEY_SALT though, you really want to ensure it's a short string (and not a purely random string) as in many cache backends there's a key length limit.

Yeah, on further consideration I already decided to just use the site's domain as the key salt - makes it easy to set as well as navigate the redis database. Best to leave this closed, sorry for raising the dead.