Opened 8 weeks ago

Last modified 8 weeks ago

#5564 new enhancement

WordPress.org secret-key service output does not follow coding standards

Reported by: johnpgreen
Owned by:
Milestone:
Priority: normal
Component: API
Keywords: close
Cc:

Description

The output generated by the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) outputs PHP that doesn't conform to the WordPress PHP Coding Standards.

Specifically, "[u]nless otherwise specified, parentheses should have spaces inside of them." (https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#space-usage)

Change History (4)

#1 @dd32
8 weeks ago

  • Component changed from General to API
  • Keywords close added

IMHO: The salt API should never be used directly, but it exists for legacy reasons. It's primarily only used by those who create a wp-config.php file manually, and even then I question how many actually use it.

Unfortunately the output cannot be changed, as WordPress expects it to be in the current format: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/setup-config.php?marks=348-351#L335

Actually, I guess I could fix the API output, but it would require violating a different coding standards rule: SECURE_AUTH_SALT would have to live without having a space after the comma in the define().

While I could bump the version to 1.2 it doesn't seem to serve much purpose in doing so, as it should be rare that the API is needed anymore.

#2 follow-up: @johnpgreen
8 weeks ago

Ok, I think I may be confused.

If this only exists for legacy reasons, why is it still referenced in wp-config-sample.php in the WordPress download?

What is the modern alternative to the API?

#3 in reply to: ↑ 2 @dd32
8 weeks ago

Replying to johnpgreen:

> What is the modern alternative to the API?

Using wp-admin/setup-config.php :)

It still exists within wp-config-sample.php for those who set up their wp-config files manually. Ideally, one would not rely upon a remote API to generate these keys though, and would simply replace "put your unique phrase here" with "random junk" dlfksghjarsel524w09e80e9d u30jqc3iw3a-ds0c3j9m9-cj (a keyboard mash) which is arguably as secure, if not more so, than using the remote API.
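The approach of not relying on a remote API, as an added example that is not part of the ticket and not WordPress's or the service's own code: it generates the eight values locally from the operating system's CSPRNG (instead of a keyboard mash) and prints them as define() lines for a hand-edited wp-config.php. The character set, the 64-character length and the fixed column at which each value starts are assumptions made here to illustrate the layout constraint discussed in comment #1; they are not quoted from the ticket.

```python
import secrets

# The eight constants wp-config-sample.php asks you to fill in.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Assumed character set: no single quote and no backslash, so every value
# can be pasted into a single-quoted PHP string without escaping.
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
)
KEY_LENGTH = 64     # assumed value length
VALUE_OFFSET = 28   # assumed 0-based column where each value starts


def generate_key(length=KEY_LENGTH):
    """Return a random string drawn from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def define_line(name, value):
    """Format one define() so the value always begins at VALUE_OFFSET.

    The longest name (SECURE_AUTH_SALT) leaves room for exactly one space
    after the comma; adding spaces inside the parentheses would use it up.
    """
    prefix = f"define('{name}',"
    return prefix.ljust(VALUE_OFFSET - 1) + f"'{value}');"


def extract_value(line):
    """Read a value back by fixed position, as a position-based parser would."""
    return line[VALUE_OFFSET:VALUE_OFFSET + KEY_LENGTH]


def generate_block():
    """Return all eight define() lines, each with an independent value."""
    return "\n".join(define_line(n, generate_key()) for n in KEY_NAMES)


if __name__ == "__main__":
    print(generate_block())
```
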

#4 @johnpgreen
8 weeks ago

Gotcha. Thanks, Dion!
