

SOLVED Where the COOKIEHASH comes from ?


  • I saw in my wp-config.php a COOKIEHASH which is supposed to be (if I understood well) an md5 of siteurl

    the one generated in my wp-config is not a valid md5
    I mean it contains invalid characters such as g-z
    example: define( 'COOKIEHASH', md5('iNhg1WZsm5nYEHY9OYsKyhFJ7yo4B53s') );


  • There are best practices but the COOKIEHASH can be anything. I see 3 potential reasons for changing it:

    • Block bot-attempted logins with the custom cookie constant

    • Two installations can potentially (but unlikely) have a conflict in the login (cannot be logged into both at once in the same browser instance). This solves that!

    • Security through obscurity as this is one less thing to identify your site as run by WordPress

    That’s all I’ve got. I never customized mine, but after writing about it I think I will. Thanks for bringing this up!


  • @Lonk thanks for the clarification
    so this code is not generated by the WordPress installation and it is a parameter Cloudron added for more security ?


  • @JOduMonT I have the Developer Edition and it’s not in mine?

  • Staff

    @JOduMonT said in Where the COOKIEHASH comes from ?:

    so this code is not generated by the WordPress installation and it is a parameter Cloudron added for more security ?

    Yes, we added it in the package. I installed a whole bunch of security plugins like WP Fence, SecuPress and what not and ran all the scans. One of the scans suggested that this be set to a more random value than the default for more security. Currently, this is only set for new installations.


  • @girish That makes sense why it wasn’t in mine. I’m planning to reinstall anyway for LDAP support so I’ll let your install script add the custom COOKIEHASH for me. ☺
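
Added example, not part of the thread and not Cloudron's or WordPress's own code: a Python check of whether a site's cookies still carry the stock COOKIEHASH, which WordPress core sets to md5(siteurl) and appends to its cookie names. The site URL and cookie lists are constructed, the helper names are hypothetical, and the siteurl passed in is assumed to match the stored option exactly.

```python
import hashlib
import secrets
import string

# WordPress core appends COOKIEHASH to these cookie-name prefixes.
PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "wordpress_")
HEX = set("0123456789abcdef")


def php_md5(text):
    """Equivalent of PHP md5('text'): 32 lowercase hex characters."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def extract_cookiehash(cookie_name):
    """Return the 32-hex COOKIEHASH suffix of a WordPress cookie name, or None."""
    for prefix in PREFIXES:  # longest prefixes are listed first
        if cookie_name.startswith(prefix):
            suffix = cookie_name[len(prefix):]
            if len(suffix) == 32 and set(suffix) <= HEX:
                return suffix
    return None


def uses_default_cookiehash(siteurl, cookie_names):
    """True if any cookie carries md5(siteurl), False if a different hash is
    in use, None if no hashed WordPress cookie was seen."""
    seen = {extract_cookiehash(n) for n in cookie_names} - {None}
    if not seen:
        return None
    return php_md5(siteurl) in seen


def new_seed(length=32):
    """Random alphanumeric string to place inside md5('...') in wp-config.php."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    site = "https://blog.example.com"            # constructed site URL
    seed = "iNhg1WZsm5nYEHY9OYsKyhFJ7yo4B53s"    # seed string quoted in the thread
    stock = ["wordpress_test_cookie", "wordpress_logged_in_" + php_md5(site)]
    custom = ["wordpress_logged_in_" + php_md5(seed)]
    print(php_md5(seed))                          # valid hex despite g-z in the seed
    print(uses_default_cookiehash(site, stock))   # True
    print(uses_default_cookiehash(site, custom))  # False
```

The string inside md5('...') is only the input, so it may contain any characters; the resulting constant is always 32 hex digits.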