Opened 4 years ago
Closed 3 years ago
#5564 closed enhancement (wontfix)
WordPress.org secret-key service output does not follow coding standards
Reported by: | johnpgreen | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Component: | API | Keywords: | close |
Cc: |
Description
The output generated by the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) outputs PHP that doesn't conform to the WordPress PHP Coding Standards.
Specifically, "[u]nless otherwise specified, parentheses should have spaces inside of them." (https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#space-usage)
Change History (5)
#2
follow-up:
↓ 3
@
4 years ago
Ok, I think I may be confused.
If this only exists for legacy reasons, why is it still referenced in wp-config-sample.php
in the WordPress download?
What is the modern alternative to the API?
#3
in reply to:
↑ 2
@
4 years ago
Replying to johnpgreen:
What is the modern alternative to the API?
Using wp-admin/setup-config.php
:)
It still exists within wp-config-sample.php for those who setup their wp-config files manually. Ideally, one would not rely upon a remote API to generate these keys though, and would simply replace put your unique phrase here
with "random junk" dlfksghjarsel524w09e80e9d u30jqc3iw3a-ds0c3j9m9-cj
(a keyboard mash) which is arguably as secure, if not more so, than using the remote API.
IMHO: The salt API should never be used directly, but it exists for legacy reasons. It's primarily only used by those who create a
wp-config.php
file manually, and even then I question how many actually use it.Unfortunately the output cannot be changed, as WordPress expects it to be in the current format: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/setup-config.php?marks=348-351#L335
Actually, I guess I could fix the API output.. but it would require violating a different coding standards rule,
SECURE_AUTH_SALT
would have to live without having a space after the comma in thedefine()
.While I could bump the version to
1.2
it doesn't seem to serve much purpose in doing so, as it should be rare that the API is needed anymore.