wp_salt()
云策文档标注
概述
wp_salt() 函数用于返回一个盐值,以增强哈希的安全性。它基于 WordPress 的密钥系统,支持多种认证方案,并包含缓存和过滤机制。
关键要点
- 函数返回一个盐值字符串,用于添加到哈希中以提高安全性。
- 盐值基于 wp-config.php 和数据库中的密钥生成,支持 'auth'、'secure_auth'、'logged_in' 和 'nonce' 等认证方案。
- 使用静态缓存($cached_salts)优化性能,避免重复计算。
- 通过 apply_filters('salt', ...) 钩子允许插件自定义盐值。
- 如果密钥未定义或重复,函数会自动生成并存储盐值到站点选项。
代码示例
wp_salt( $scheme );注意事项
- 密钥应设置为强随机值,以最大化安全性,避免使用示例中的默认值。
- 此函数可被插件替换,如果插件未重定义,则使用默认实现。
原文内容
Returns a salt to add to hashes.
Description
Salts are created using secret keys. Secret keys are located in two places: in the database and in the wp-config.php file. The secret key in the database is randomly generated and will be appended to the secret keys in wp-config.php.
The secret keys in wp-config.php should be updated to strong, random keys to maximize security. Below is an example of how the secret key constants are defined.
Do not paste this example directly into wp-config.php. Instead, have a secret key created just for you.
define('AUTH_KEY', ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON');
define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~');
define('LOGGED_IN_KEY', '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
define('NONCE_KEY', '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|');
define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');
define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n');
define('LOGGED_IN_SALT', '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm');
define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT');Salting passwords helps against tools which has stored hashed values of common dictionary strings. The added values makes it harder to crack.
Parameters
$schemestringrequired-
Authentication scheme (auth, secure_auth, logged_in, nonce).
Source
function wp_salt( $scheme = 'auth' ) {
static $cached_salts = array();
if ( isset( $cached_salts[ $scheme ] ) ) {
/**
* Filters the WordPress salt.
*
* @since 2.5.0
*
* @param string $cached_salt Cached salt for the given scheme.
* @param string $scheme Authentication scheme. Values include 'auth',
* 'secure_auth', 'logged_in', and 'nonce'.
*/
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
}
static $duplicated_keys;
if ( null === $duplicated_keys ) {
$duplicated_keys = array();
foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
foreach ( array( 'KEY', 'SALT' ) as $second ) {
if ( ! defined( "{$first}_{$second}" ) ) {
continue;
}
$value = constant( "{$first}_{$second}" );
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
}
}
$duplicated_keys['put your unique phrase here'] = true;
/*
* translators: This string should only be translated if wp-config-sample.php is localized.
* You can check the localized release package or
* https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
*/
$duplicated_keys[ __( 'put your unique phrase here' ) ] = true;
}
/*
* Determine which options to prime.
*
* If the salt keys are undefined, use a duplicate value or the
* default `put your unique phrase here` value the salt will be
* generated via `wp_generate_password()` and stored as a site
* option. These options will be primed to avoid repeated
* database requests for undefined salts.
*/
$options_to_prime = array();
foreach ( array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) as $key ) {
foreach ( array( 'key', 'salt' ) as $second ) {
$const = strtoupper( "{$key}_{$second}" );
if ( ! defined( $const ) || true === $duplicated_keys[ constant( $const ) ] ) {
$options_to_prime[] = "{$key}_{$second}";
}
}
}
if ( ! empty( $options_to_prime ) ) {
/*
* Also prime `secret_key` used for undefined salting schemes.
*
* If the scheme is unknown, the default value for `secret_key` will be
* used too for the salt. This should rarely happen, so the option is only
* primed if other salts are undefined.
*
* At this point of execution it is known that a database call will be made
* to prime salts, so the `secret_key` option can be primed regardless of the
* constants status.
*/
$options_to_prime[] = 'secret_key';
wp_prime_site_option_caches( $options_to_prime );
}
$values = array(
'key' => '',
'salt' => '',
);
if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) {
$values['key'] = SECRET_KEY;
}
if ( 'auth' === $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) {
$values['salt'] = SECRET_SALT;
}
if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ), true ) ) {
foreach ( array( 'key', 'salt' ) as $type ) {
$const = strtoupper( "{$scheme}_{$type}" );
if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
$values[ $type ] = constant( $const );
} elseif ( ! $values[ $type ] ) {
$values[ $type ] = get_site_option( "{$scheme}_{$type}" );
if ( ! $values[ $type ] ) {
$values[ $type ] = wp_generate_password( 64, true, true );
update_site_option( "{$scheme}_{$type}", $values[ $type ] );
}
}
}
} else {
if ( ! $values['key'] ) {
$values['key'] = get_site_option( 'secret_key' );
if ( ! $values['key'] ) {
$values['key'] = wp_generate_password( 64, true, true );
update_site_option( 'secret_key', $values['key'] );
}
}
$values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] );
}
$cached_salts[ $scheme ] = $values['key'] . $values['salt'];
/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
}
Hooks
- apply_filters( ‘salt’, string $cached_salt, string $scheme )
-
Filters the WordPress salt.
Changelog
| Version | Description |
|---|---|
| 2.5.0 | Introduced. |