Can a Hacker gain access to my database if i've left the default authentication key value in place in my wp-config.php?

Question

Silly question, right? alas, i need a definite answer,

Here's the sitch:

We Built a site for a client who was using DreamHost as their provider, against our better judgement and advisement. The client used DreamHosts One-Button-Install of WordPress, 3.0 I believe.

In the rush to get the site done, the Authentication Keys and Salts in the wp-config.php were left as the default phrase, 'put your unique phrase here' or whatever.

It's my current understanding as per the WP Codex that these keys are used to add security to the users cookies.

Nevertheless, in about a month, for whatever reason the site's database just emptied. not the information_schema, just the entire WP tables. Also strange was that the DreamHost backups for that database were all empty as well.

The client called, we looked into it, but you can't call DreamHost, then the client found the default Auth Keys in place, and began sharpening pitchforks / lighting torches, etc.

So my Question is this, is it even possible to gain access to the database if you know that an authorization key is left at the default phrase?

I've conducted a thorough search, but alas uncovered nothing that explicitly states otherwise.

Thanks again Stack Overflow, for keeping me off the burning pyre.

Answer 1

They'd need to know the user and password of the database, and even then I'm pretty sure the Wordpress config default auth strings aren't human readable like 'put your unique phrase here' as in your example (from memory, I think that appears commented out on the line above), but are actually GUIDs. Therefore, unless Wordpress uses the same default GUIDs in every zip package, I wouldn't presume that is the culprit.