 

Can a hacker gain access to my database if I've left the default authentication key value in place in my wp-config.php?

Silly question, right? Alas, I need a definite answer.

Here's the sitch:

We built a site for a client who was using DreamHost as their provider, against our better judgement and advisement. The client used DreamHost's One-Button-Install of WordPress, 3.0 I believe.

In the rush to get the site done, the Authentication Keys and Salts in the wp-config.php were left as the default phrase, 'put your unique phrase here' or whatever.

It's my current understanding, as per the WP Codex, that these keys are used to add security to the users' cookies.

Nevertheless, in about a month, for whatever reason, the site's database just emptied. Not the information_schema, just the entire set of WP tables. Also strange was that the DreamHost backups for that database were all empty as well.

The client called, we looked into it, but you can't call DreamHost, then the client found the default Auth Keys in place, and began sharpening pitchforks / lighting torches, etc.

So my Question is this, is it even possible to gain access to the database if you know that an authorization key is left at the default phrase?

I've conducted a thorough search, but alas uncovered nothing that explicitly states otherwise.

Thanks again Stack Overflow, for keeping me off the burning pyre.

joelrnorris asked May 13 '11 15:05




1 Answer

They'd need to know the user and password of the database, and even then I'm pretty sure the WordPress config default auth strings aren't human-readable like 'put your unique phrase here' as in your example (from memory, I think that appears commented out on the line above), but are actually GUIDs. Therefore, unless WordPress uses the same default GUIDs in every zip package, I wouldn't presume that is the culprit.

chrisfrancis27 answered Oct 07 '22 21:10
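The practical check the thread circles around is whether the eight key and salt constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT) still carry the sample file's placeholder. WordPress feeds these values into the HMAC that protects login cookies and nonces, so a known value lets anyone who can already authenticate as a user compute valid cookie signatures; it does not by itself hand over the database credentials, which live in the separate DB_* constants. The script below is an added example, not code from the original question, the answer, or the WordPress project: it scans a constructed wp-config.php fragment for missing, placeholder or short values and rewrites them with values from a CSPRNG, using the same 64-character length and printable alphabet that WordPress's own salt generator produces (no quote or backslash, so the output is safe inside a single-quoted PHP string). The regular expression only understands the simple `define('NAME', 'value');` form and is an assumption; configs that build these values in other ways need manual review.

```python
import re
import secrets

# Constructed sample wp-config.php fragment with the defaults left in place.
SAMPLE_WP_CONFIG = """
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFAULT_PHRASE = "put your unique phrase here"
MIN_LENGTH = 32  # assumption: anything shorter than this is treated as weak

# Matches the simple define('NAME', 'value') form used by wp-config-sample.php.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

# Alphabet WordPress itself draws salts from: letters, digits and printable
# punctuation, deliberately without ' or \ so the value needs no escaping.
SALT_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
)


def find_weak_keys(config_text):
    """Return the key/salt names that are missing, still the placeholder, or too short."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}
    weak = []
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None or value == DEFAULT_PHRASE or len(value) < MIN_LENGTH:
            weak.append(name)
    return weak


def generate_salt(length=64):
    """Generate one salt from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rewrite_keys(config_text):
    """Replace all eight defines with fresh salts; returns (new_text, new_values).

    Every key is regenerated, not only the weak ones: rotating them invalidates
    every existing login cookie, which is what you want after a suspected breach.
    """
    new_values = {name: generate_salt() for name in KEY_NAMES}

    def replace(match):
        name = match.group(1)
        if name in new_values:
            return "define('%s', '%s')" % (name, new_values[name])
        return match.group(0)  # leave DB_NAME and friends untouched

    return DEFINE_RE.sub(replace, config_text), new_values


if __name__ == "__main__":
    print("weak before:", find_weak_keys(SAMPLE_WP_CONFIG))
    fixed, _ = rewrite_keys(SAMPLE_WP_CONFIG)
    print("weak after:", find_weak_keys(fixed))
    print(fixed)
```

Run it against a real file by reading wp-config.php into `config_text` instead of the constructed sample; after writing the rewritten text back, every user is logged out and must sign in again, which is the expected effect of rotating these keys.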