Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    SOLVED Where the COOKIEHASH comes from ?

    WordPress (Developer)
    3
    6
    147
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JOduMonT
      JOduMonT last edited by

      I saw in my wp-config.php a COOKIEHASH which suppose to be (if I understood well) a md5 of siteurl

      the one generated in my wp-config is not a md5 valid
      I means it contain invalid characters such as g-z
      example: define( 'COOKIEHASH', md5('iNhg1WZsm5nYEHY9OYsKyhFJ7yo4B53s') );

      1 Reply Last reply Reply Quote 0
      • girish
        girish Staff @JOduMonT last edited by

        @JOduMonT said in Where the COOKIEHASH comes from ?:

        so this code is not generated by the WordPress installation and it is a parameter Cloudron added for more security ?

        Yes, we added it in the package. I installed a whole bunch of security plugins like WP Fence, SecuPress and what not and ran all the scans. One of the scan suggested that this be set to a more random value than the default for more security. Currently, this is only set for new installations.

        Lonkle 1 Reply Last reply Reply Quote 1
        • Lonkle
          Lonkle last edited by

          There are best practices but the COOKIEHASH can be anything. I see 3 potential reasons for changing it:

          • Block bot attempted Logins with the custom cookie constant

          • Two installations can potentially (but unlikely) have a conflict in the login (cannot be logged into both at once in the same browser instance). This solves that!

          • Security through obscurity as this is one less thing to identify your site as run by Wordpress

          That’s all I’ve got. I never customized mine, but after writing about it I think I will. Thanks for bringing this up!

          JOduMonT 1 Reply Last reply Reply Quote 0
          • JOduMonT
            JOduMonT @Lonkle last edited by

            @Lonk thanks for the clarification
            so this code is not generated by the WordPress installation and it is a parameter Cloudron added for more security ?

            Lonkle girish 2 Replies Last reply Reply Quote 0
            • Lonkle
              Lonkle @JOduMonT last edited by

              @JOduMonT I have the Developer Edition and it’s not in mine?

              1 Reply Last reply Reply Quote 0
              • girish
                girish Staff @JOduMonT last edited by

                @JOduMonT said in Where the COOKIEHASH comes from ?:

                so this code is not generated by the WordPress installation and it is a parameter Cloudron added for more security ?

                Yes, we added it in the package. I installed a whole bunch of security plugins like WP Fence, SecuPress and what not and ran all the scans. One of the scan suggested that this be set to a more random value than the default for more security. Currently, this is only set for new installations.

                Lonkle 1 Reply Last reply Reply Quote 1
                • Lonkle
                  Lonkle @girish last edited by

                  @girish That makes sense why it wasn’t in mine. I’m planning to reinstall anyway for LDAP support so I’ll let your install script add the custom COOKIEHASH for me. ☺️

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Powered by NodeBB