Where the COOKIEHASH comes from ?
-
I saw in my wp-config.php a COOKIEHASH which is supposed to be (if I understood well) an md5 of siteurl.
The one generated in my wp-config is not a valid md5.
I mean it contains invalid characters such as g-z.
Example: define( 'COOKIEHASH', md5('iNhg1WZsm5nYEHY9OYsKyhFJ7yo4B53s') );
-
@JOduMonT said in Where the COOKIEHASH comes from ?:
So this code is not generated by the WordPress installation and it is a parameter Cloudron added for more security?
Yes, we added it in the package. I installed a whole bunch of security plugins like WP Fence, SecuPress and whatnot and ran all the scans. One of the scans suggested that this be set to a more random value than the default for more security. Currently, this is only set for new installations.
-
There are best practices but the COOKIEHASH can be anything. I see 3 potential reasons for changing it:
• Block bot-attempted logins with the custom cookie constant
• Two installations can potentially (but unlikely) have a conflict in the login (cannot be logged into both at once in the same browser instance). This solves that!
• Security through obscurity, as this is one less thing to identify your site as run by WordPress
That’s all I’ve got. I never customized mine, but after writing about it I think I will. Thanks for bringing this up!
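Added example (not from the thread or the Cloudron package): a Python sketch of how the COOKIEHASH discussed above turns into cookie names, comparing WordPress's default (md5 of the siteurl option) with an override like the define line quoted in the first post. The site URL and config snippets are constructed, and `default_cookiehash` and `audit_cookiehash` are hypothetical helper names.

```python
import hashlib
import re

# Prefixes WordPress joins with COOKIEHASH to name its auth/login cookies.
PREFIXES = ("wordpress_", "wordpress_sec_", "wordpress_logged_in_")

# Matches define('COOKIEHASH', '...') and define('COOKIEHASH', md5('...')).
DEFINE_RE = re.compile(
    r"define\(\s*['\"]COOKIEHASH['\"]\s*,\s*(md5\(\s*)?['\"]([^'\"]*)['\"]\s*\)?\s*\)\s*;"
)

SITEURL = "https://blog.example.com"  # constructed
CONFIG_DEFAULT = "<?php\ndefine( 'DB_NAME', 'wp' );\n"  # constructed, no override
CONFIG_SEEDED = (  # constructed file around the define line quoted in the thread
    "<?php\ndefine( 'COOKIEHASH', md5('iNhg1WZsm5nYEHY9OYsKyhFJ7yo4B53s') );\n"
)

def default_cookiehash(siteurl):
    """Value WordPress uses when wp-config.php does not define COOKIEHASH."""
    return hashlib.md5(siteurl.encode()).hexdigest()

def audit_cookiehash(wp_config_text, siteurl):
    """Report where COOKIEHASH comes from and the cookie names it produces."""
    default = default_cookiehash(siteurl)
    m = DEFINE_RE.search(wp_config_text)
    if m is None:
        source, value = "default", default
    elif m.group(1):  # seed wrapped in md5(): PHP evaluates it at load time
        source, value = "md5-of-seed", hashlib.md5(m.group(2).encode()).hexdigest()
    else:
        source, value = "literal", m.group(2)
    return {
        "source": source,
        "value": value,
        "is_hex32": re.fullmatch(r"[0-9a-f]{32}", value) is not None,
        "derivable_from_url": value == default,
        "cookies": [p + value for p in PREFIXES],
    }

if __name__ == "__main__":
    for name, cfg in (("default", CONFIG_DEFAULT), ("seeded", CONFIG_SEEDED)):
        report = audit_cookiehash(cfg, SITEURL)
        print(name, report["source"], report["is_hex32"],
              report["derivable_from_url"], report["cookies"][2])
```

The regex does not skip commented-out define lines, so review the matched line by hand when auditing a real wp-config.php.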